Managing user groups

A user group configuration associates personas, users, computer management groups, and roles with a user group. You can create user groups locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported groups, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between user groups and other Tanium RBAC components:

Figure 1: Tanium user groups

For the user role permissions required to manage user groups, see RBAC management permissions.

View user group configurations

  1. From the Main menu, go to Administration > Permissions > User Groups or Administration > Management > User Groups.

    The User Groups grid displays the basic attributes of each user group, such as the group Name and the number of assigned Computer Groups and Users.

  2. (Optional) Use the filters to find specific user groups:
    • Filter by text: To filter the grid by user group name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see the users, computer groups, personas, roles, and permissions that are assigned to a user group, click the user group Name, or select the user group and click View User Group.

Create a user group

Perform the following steps to configure a user group that is local to the Tanium Server. Do not create configurations for groups that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click New User Group and specify a User Group Name.
  3. Assign computer groups, users, roles, and personas to the user group as described in the following sections, and then click Save.

Alternatively, if User Groups is under Administration > Management in the Main menu:

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Click New User Group, specify a User Group Name, and click Save.
  3. Assign computer groups, users, roles, and personas to the user group, as described in the following sections.

Manage role assignments for a user group

Perform the following steps to update role assignments for the default persona of a user group. To configure roles through an alternative persona, edit the persona configuration (see Manage role assignments for a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. In the Roles section, click Manage Roles, select or deselect roles, and click Apply.
  3. Review the Permissions and Content Sets that are associated with the selected roles, and then click Save.

Alternatively, if User Groups is under Administration > Management in the Main menu:

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. Click Edit Roles.
  4. In the Grant Roles section, click Edit, select or deselect roles, and click Save.
  5. In the Deny Roles section, click Edit, select or deselect roles, and click Save.
  6. Click Show Preview to Continue, review the impact of your changes, and click Save.

Manage user assignments for a user group

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. Expand the Users section and click Manage Users.
  3. Select or deselect users, and click Select.
  4. Review the assigned Users and click Save.

Alternatively, if User Groups is under Administration > Management in the Main menu:

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. Click Manage Users and Edit, select or deselect users, and click Save.
  4. Click Show Preview to Continue, review the impact of your changes, and click Save.

Manage computer management group assignments for a user group

Perform the following steps to configure computer management group assignments for the default persona of a user group. To configure the assignments through alternative personas, configure the personas (see Create a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and expand the Computer Groups section.

    By default, No Management Rights Assigned is selected.

  3. If you do not want users to inherit computer groups from this user group, leave No Management Rights Assigned selected and click Save (skip the remaining steps).
  4. Deselect No Management Rights Assigned, click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  5. Review the assigned computer groups and click Save.

Alternatively, if User Groups is under Administration > Management in the Main menu:

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. In the Computer Groups section, click Manage and Edit.
  4. Select or deselect items and click Save.

    Specify No Management Rights Assigned if you do not want users to inherit computer groups from this configuration. Otherwise, specify Selected Management Rights and then select the computer groups that you want users to inherit from this configuration.

  5. Click Show Preview to Continue, review the impact of your changes, and click Save.

Manage persona assignments for a user group

The Tanium Server automatically assigns a default persona to new user groups and, if you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade groups. A user who has a role with Permission Administrator, Write Persona, and Write User Group permissions, or a user with the Administrator reserved role, must manually update the assignment of alternative personas as follows. The Admin reserved role has these permissions.

Alternative personas do not inherit permissions from the user groups to which they are assigned. For details, see Personas overview.

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. Expand the Personas section and click Manage Personas.
  3. Select or deselect personas, and click Select.
  4. Review the assigned Personas and click Save.

Alternatively, if User Groups is under Administration > Management in the Main menu:

  1. From the Main menu, go to Administration > Management > User Groups.
  2. Select the user group and click View User Group.
  3. Click Alternative Personas and Manage.
  4. Select or deselect personas and click Save.

Delete a user group

When you delete a user group configuration, users stop inheriting personas, computer management groups, and roles from it.

Before deleting a user group:
  1. Delete the persona and user assignments from the user group. For the steps, see Manage user assignments for a user group and Manage persona assignments for a user group.
  2. Review the impact that deleting persona and user assignments from the user group has on the effective permissions of users. For the steps, see View effective permissions for user groups.
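
The pre-deletion review above can also be reasoned about offline. The following Python code is an added example, not Tanium code or a Tanium API: it assumes that users inherit only the union of roles and computer groups from their user groups (deny roles, directly assigned roles, and personas are not modeled), and every group, user, and role name in it is constructed.

```python
# Added example with constructed, hypothetical data; not Tanium code or API.
from dataclasses import dataclass

ALL_COMPUTERS = "All Computers"
NO_COMPUTERS = "No Computers"

@dataclass(frozen=True)
class UserGroup:
    name: str
    users: frozenset
    roles: frozenset
    computer_groups: frozenset  # empty set = No Management Rights Assigned

def effective(user, groups):
    """Union of the roles and computer groups a user inherits from groups."""
    roles, cgs = set(), set()
    for g in groups:
        if user in g.users:
            roles |= g.roles
            cgs |= g.computer_groups
    # Selections are logically combined: All Computers absorbs everything,
    # and No Computers adds nothing once any other group is present.
    if ALL_COMPUTERS in cgs:
        cgs = {ALL_COMPUTERS}
    elif len(cgs) > 1:
        cgs.discard(NO_COMPUTERS)
    return frozenset(roles), frozenset(cgs)

def deletion_impact(group_name, groups):
    """Per-user roles and computer groups lost if group_name is deleted."""
    target = next(g for g in groups if g.name == group_name)
    remaining = [g for g in groups if g.name != group_name]
    impact = {}
    for user in sorted(target.users):
        roles_before, cgs_before = effective(user, groups)
        roles_after, cgs_after = effective(user, remaining)
        lost = {"roles": sorted(roles_before - roles_after),
                "computer_groups": sorted(cgs_before - cgs_after)}
        if lost["roles"] or lost["computer_groups"]:
            impact[user] = lost
    return impact

# Constructed sample data: bob belongs to both groups.
GROUPS = [
    UserGroup("Patch Operators", frozenset({"alice", "bob"}),
              frozenset({"Patch Operator"}), frozenset({ALL_COMPUTERS})),
    UserGroup("Linux Admins", frozenset({"bob", "carol"}),
              frozenset({"Patch Operator", "Linux Admin"}),
              frozenset({"Linux Servers"})),
]
```

Calling `deletion_impact("Patch Operators", GROUPS)` shows that bob keeps the Patch Operator role through the other group but loses All Computers, while alice loses everything she inherited.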

Delete a user group as follows:

  1. From the Main menu, go to Administration > Permissions > User Groups or Administration > Management > User Groups.
  2. Select the group, click Delete Selected, and click Confirm.

View effective permissions for user groups

  1. From the Main menu, go to Administration > Permissions > User Groups or Administration > Management > User Groups.
  2. Click the user group Name, or select the user group and click View User Group.
  3. Review the roles, permissions, and content sets. For details, see Effective role permissions.

Export or import user group configurations

The following procedures describe how to export and import the configurations of specific user groups or all user groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export user group configurations

Export user group configurations as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export user group configurations as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Permissions > User Groups or Administration > Management > User Groups.
  2. Select rows in the grid to export only specific user group configurations. If you want to export all user group configurations, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All user group configurations in the grid or just the Selected user group configurations.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import user group configurations

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy the user group configuration details

Copy configuration details from the grid in the User Groups page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > User Groups or Administration > Management > User Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.