Managing user groups

A user group configuration associates personas, users, computer management groups, and roles with a user group. You can create user groups locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. After you create or import user groups, you must assign roles, computer groups, and personas to them. For user groups that you create locally, you must also assign users.

If your deployment requires both local and imported groups, configure the imports first. See Integrating with LDAP servers.

The following figure illustrates the relationship between user groups and other Tanium role-based access control (RBAC) components:

Figure 1: Tanium user groups

For the user role permissions required to manage user groups, see RBAC management permissions.

If the Tanium Console displays permission errors (such as RBACInsufficientPrivilege) for permissions that you expected your user account to inherit from a user group, see Troubleshoot permission issues.

View user group details

  1. From the Main menu, go to Administration > Permissions > User Groups.

    The User Groups grid displays the basic attributes of each user group, such as the group Name and the number of assigned Computer Groups and Users.

    A star beside the name indicates the default user group. See Set the default user group.

  2. (Optional) Use the filters to find specific user groups:
    • Filter by text: To filter the grid by user group name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see the users, computer groups, personas, roles, and permissions that are assigned to a user group, click the user group Name. For details about the permissions, see View effective role permissions for a user group.

Create a user group

Perform the following steps to configure a user group that is local to the Tanium Server. Do not create configurations for groups that you import from an LDAP server. See Integrating with LDAP servers.

To automatically add users and user groups from a Security Assertion Markup Language (SAML) identity provider (IdP) to Tanium Cloud, configure System for Cross-Domain Identity Management (SCIM). The synchronization between the IdP and Tanium Cloud includes attributes such as user-to-group assignments that are configured in the IdP. See Tanium Cloud Deployment Guide: Configure SCIM provisioning.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click New User Group and enter a User Group Name.
  3. Assign roles, users, computer groups, and personas to the user group:
  4. Review the assignments and click Save.

Edit a user group

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. (Optional) Enter a new User Group Name.
  4. Edit the RBAC assignments:
  5. Review your changes and click Save.

Manage role assignments for a user group

For an overview of how effective permissions are derived for a user group, and to view the roles and associated content sets that are assigned to a user group, see View effective role permissions for a user group.

To assign or unassign roles and associated content sets for a user group, see Configure role assignments for a user group.

View effective role permissions for a user group

The effective permissions of a user group are based on the cumulative effect of all the assigned roles, including:

  • Permissions specified in allow roles minus permissions specified in deny roles
  • Implicitly provided permissions in allow roles

Perform the following steps to see the effective permissions for a user group:

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. Review the assigned and inherited roles, permissions, and content sets. The page displays icons to indicate:

    Explicit permission icon: Allow roles or permissions

    Super explicit permission icon: Deny roles or permissions

    The role configuration pages indicate whether permissions are explicitly assigned or implicitly provided. See View effective role permissions.

    If you assign reserved roles (such as Administrator), they appear under Global Permissions with a single Special permission.

  3. (Optional) Expand an individual permission to review the content sets that are assigned to it. Only solution content permissions (such as Trends Administrator permission) and platform content permissions (such as Sensor read permission) are associated with content sets. The page displays icons to indicate the type of permission to which the content sets are assigned:

    Explicit permission icon: Allow permission

    Deny permission icon: Deny permission

Figure 2: Effective permissions

Configure role assignments for a user group

Perform the following steps to update role assignments for the default persona of a user group. To configure roles through an alternative persona, edit the persona configuration (see Manage role assignments for a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. In the Roles section, click Manage Roles, select or deselect roles, and click Apply.
  4. (Optional) Review the Permissions and Content Sets that are associated with the selected roles. See View effective role permissions for a user group.

  5. Click Save.

Manage user assignments for a user group

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. Expand the Users section and click Manage Users.
  4. Select or deselect users, and click Select.
  5. Review the assigned Users and click Save.

Manage computer group assignments for a user group

Perform the following steps to configure computer management group assignments for the default persona of a user group. To configure the assignments through alternative personas, configure the personas (see Create a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. Expand the Computer Groups section.

    By default, No Management Rights Assigned is selected.

  4. If you do not want users to inherit computer groups from this user group, leave No Management Rights Assigned selected and click Save (skip the remaining steps).
  5. Deselect No Management Rights Assigned, click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  6. Review the assigned computer groups and click Save.

Manage persona assignments for a user group

Tanium Cloud or the Tanium Server automatically assigns a default persona to new user groups and, if you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade groups. A user who has a role with Permission Administrator permission, Persona write permission, and User Group write permission (or a user with the Administrator reserved role) must manually update the assignment of alternative personas as follows. The Admin reserved role has these permissions.

Alternative personas do not inherit permissions from the user groups to which they are assigned. For details, see Personas overview.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. Expand the Personas section and click Manage Personas.
  4. Select or deselect personas, and click Select.
  5. Review the assigned Personas and click Save.

Clone a user group

To add a user group that has many settings in common with an existing group, cloning the existing group and then modifying the clone is often a quicker method than configuring a new group.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Select the user group and click Clone.
  3. Enter a new User Group Name.
  4. Edit the RBAC assignments:
  5. Review your changes and click Save.

Set the default user group

Configuring a default user group is useful in deployments where you expect many new users to belong to the same group. After you set a user group as the default, Tanium Cloud or the Tanium Server automatically assigns it to user accounts that are subsequently added to your remote identity store. The group that is the default has a star beside its name in the User Groups grid.

Write permissions for User Group and Global Settings are required to set the default user group.

The default user group applies only to users who authenticate through Security Assertion Markup Language (SAML) and are not synchronized with an LDAP server. See Integrating with a SAML IdP.

If no user groups are defined, the User Groups page does not display Settings for configuring a default group.

You can also see and modify the default user group on the Administration > Configuration > Settings > Platform Settings page through the Default User Group setting. See Manage platform settings.

Perform the following steps to set the default user group. Select the No Default Selected option if you do not want any default user group. However, note that a default group is required for automatic user creation if you configured that feature (see Automatically create users).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click Settings, select a Default User Group, and click Save.

Export user group details

You can export user group details as a CSV file. When you open the file in an application that supports CSV format, it lists the user groups with the same attributes (columns) as the User Groups page displays and (optionally) lists the RBAC assignments of each user group.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific user groups. If you want to export all user groups, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name. Tanium Cloud or the Tanium Server automatically appends the file suffix (.csv).
  6. Select an Export Data option: All user groups in the grid or just the Selected user groups.
  7. Set the file Format to List of User Groups - CSV. Optionally, select With RBAC Details to include the names of users, roles, computer groups, and personas that are assigned to the user groups.

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Copy user group configuration details

Copy configuration details from the grid in the User Groups page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete a user group

When you delete a user group configuration, users stop inheriting personas, computer management groups, and roles from it.

Before deleting a user group:
  1. Delete the persona and user assignments from the user group. For the steps, see Manage user assignments for a user group and Manage persona assignments for a user group.
  2. Review the impact that deleting persona and user assignments from the user group has on the effective permissions of users. For the steps, see View effective role permissions for a user group.

Delete a user group as follows:

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Select the group, click Delete Selected, and click Confirm.
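
The impact review in the pre-deletion steps can be previewed offline. The following is an added example, not Tanium code or part of the original page: it models only the inheritance rules stated above (users inherit roles and computer groups from every user group they belong to, and computer group selections combine as a union) and reports what each member would lose if a group were deleted. All user, role, and group names are constructed, and roles assigned directly to users and personas are not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class UserGroup:
    name: str
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    # An empty set models "No Management Rights Assigned".
    computer_groups: set = field(default_factory=set)

# Constructed sample data (hypothetical user, role, and group names).
GROUPS = [
    UserGroup("Helpdesk", {"alice", "bob"}, {"Helpdesk Operator"}, {"Workstations"}),
    UserGroup("Server Ops", {"bob"}, {"Helpdesk Operator", "Patch Operator"}, {"All Computers"}),
    UserGroup("Auditors", {"carol"}, {"Read Only"}),
]

def inherited(user, groups):
    """Roles and computer-group scope a user inherits from every group they belong to."""
    roles, scope = set(), set()
    for g in groups:
        if user in g.users:
            roles |= g.roles
            scope |= g.computer_groups
    # Selections combine as a union: All Computers absorbs everything else,
    # and No Computers adds nothing once another group is present.
    if "All Computers" in scope:
        scope = {"All Computers"}
    elif len(scope) > 1:
        scope.discard("No Computers")
    return roles, scope

def deletion_impact(target, groups):
    """For each member of `target`, what changes if that user group is deleted."""
    doomed = next(g for g in groups if g.name == target)
    remaining = [g for g in groups if g.name != target]
    impact = {}
    for user in sorted(doomed.users):
        roles_before, scope_before = inherited(user, groups)
        roles_after, scope_after = inherited(user, remaining)
        impact[user] = {
            "roles_lost": sorted(roles_before - roles_after),
            "scope_before": sorted(scope_before),
            "scope_after": sorted(scope_after),
        }
    return impact

if __name__ == "__main__":
    for user, change in deletion_impact("Server Ops", GROUPS).items():
        print(user, change)
```

A member whose roles_lost is empty and whose scope is unchanged still inherits the same access from another group, so deleting the target group alone does not reduce that user's access.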