Managing user groups

A user group configuration associates personas, users, computer management groups, and roles with a user group. You can create user groups locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported groups, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between user groups and other Tanium RBAC components:

Figure 1: Tanium user groups

For the user role permissions required to manage user groups, see RBAC management permissions.

View user group details

  1. From the Main menu, go to Administration > Permissions > User Groups.

    The User Groups grid displays the basic attributes of each user group, such as the group Name and the number of assigned Computer Groups and Users.

    A star beside the name indicates the default user group. See Set the default user group.

  2. (Optional) Use the filters to find specific user groups:
    • Filter by text: To filter the grid by user group name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see the users, computer groups, personas, roles, and permissions that are assigned to a user group, click the user group Name.

Create a user group

Perform the following steps to configure a user group that is local to the Tanium Server. Do not create configurations for groups that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click New User Group and enter a User Group Name.
  3. Assign roles, users, computer groups, and personas to the user group:
  4. Review the assignments and click Save.

Edit a user group

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. (Optional) Enter a new User Group Name.
  3. Edit the RBAC assignments:
  4. Review your changes and click Save.

Manage role assignments for a user group

Perform the following steps to update role assignments for the default persona of a user group. To configure roles through an alternative persona, edit the persona configuration (see Manage role assignments for a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. In the Roles section, click Manage Roles, select or deselect roles, and click Apply.
  3. Review the Permissions and Content Sets that are associated with the selected roles, and then click Save.

Manage user assignments for a user group

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. Expand the Users section and click Manage Users.
  3. Select or deselect users, and click Select.
  4. Review the assigned Users and click Save.

Manage computer group assignments for a user group

Perform the following steps to configure computer management group assignments for the default persona of a user group. To configure the assignments through alternative personas, configure the personas (see Create a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and expand the Computer Groups section.

    By default, No Management Rights Assigned is selected.

  3. If you do not want users to inherit computer groups from this user group, leave No Management Rights Assigned selected and click Save (skip the remaining steps).
  4. Deselect No Management Rights Assigned, click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  5. Review the assigned computer groups and click Save.

Manage persona assignments for a user group

The Tanium Server automatically assigns a default persona to new user groups and, if you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade groups. A user who has a role with Permission Administrator permission, Persona write permission, and User Group write permission with the Administrator reserved role must manually update the assignment of alternative personas as follows. The Admin reserved role has these permissions.

Alternative personas do not inherit permissions from the user groups to which they are assigned. For details, see Personas overview.

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. Expand the Personas section and click Manage Personas.
  3. Select or deselect personas, and click Select.
  4. Review the assigned Personas and click Save.

Delete a user group

When you delete a user group configuration, users stop inheriting personas, computer management groups, and roles from it.

Before deleting a user group:
  1. Delete the persona and user assignments from the user group. For the steps, see Manage user assignments for a user group and Manage persona assignments for a user group.
  2. Review the impact that deleting persona and user assignments from the user group has on the effective permissions of users. For the steps, see View effective permissions for a user group.

Delete a user group as follows:

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Select the group, click Delete Selected, and click Confirm.
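
The pre-deletion impact review described above, modeled in Python as an added example (not Tanium code). The group data is constructed, and the dictionary layout and role names are assumptions rather than Tanium's export schema; the model assumes a user's effective roles and computer groups are the union across their user groups and ignores directly assigned roles and alternative personas.

```python
ALL, NONE = "All Computers", "No Computers"

# Constructed sample data (hypothetical layout and names, not Tanium's export schema).
GROUPS = {
    "Helpdesk": {"users": {"alice", "bob"}, "roles": {"role-helpdesk"},
                 "computer_groups": {"Workstations"}},
    "Server Ops": {"users": {"bob"}, "roles": {"role-server-ops"},
                   "computer_groups": {"Servers"}},
    "Platform Admins": {"users": {"carol"}, "roles": {"role-admin"},
                        "computer_groups": {ALL}},
    "Auditors": {"users": {"alice", "carol"}, "roles": {"role-read-only"},
                 "computer_groups": {NONE}},
    "Contractors": {"users": {"dave"}, "roles": {"role-contractor"},
                    "computer_groups": {"Workstations"}},
}

def combine_computer_groups(selected):
    """Union of selections: All Computers absorbs the rest, No Computers adds nothing."""
    return {ALL} if ALL in selected else set(selected) - {NONE}

def effective_access(user, groups):
    """Assumption: a user's roles and computer groups are the union over their user groups."""
    roles, computer_groups = set(), set()
    for cfg in groups.values():
        if user in cfg["users"]:
            roles |= cfg["roles"]
            computer_groups |= cfg["computer_groups"]
    return roles, combine_computer_groups(computer_groups)

def deletion_impact(target, groups):
    """For each member of `target`, report what they stop inheriting if it is deleted."""
    remaining = {name: cfg for name, cfg in groups.items() if name != target}
    impact = {}
    for user in sorted(groups[target]["users"]):
        roles_before, cgs_before = effective_access(user, groups)
        roles_after, cgs_after = effective_access(user, remaining)
        impact[user] = {
            "roles_lost": roles_before - roles_after,
            "computer_groups_lost": cgs_before - cgs_after,
            "no_access_left": not roles_after and not cgs_after,
        }
    return impact

if __name__ == "__main__":
    for group in ("Helpdesk", "Auditors", "Contractors"):
        print(group, deletion_impact(group, GROUPS))
```

Users flagged with `no_access_left` would be left with no inherited roles or computer groups after the deletion, so they are the accounts to reassign or retire first.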

Set the default user group

Configuring a default user group is useful in deployments where you expect many new users to belong to the same group. After you set a user group as the default, the Tanium Server automatically assigns it to user accounts that are subsequently added to your remote identity store. The group that is the default has a star beside its name in the User Groups grid.

Write permissions for User Group and Platform Settings are required to set the default user group.

Select the No Default Selected option if you do not want any default user group.

The default user group applies only to users who authenticate through Security Assertion Markup Language (SAML) and are not synchronized with an LDAP server. See Integrating with a SAML IdP.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click Settings, select a Default User Group, and click Save.

View effective permissions for a user group

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name.
  3. Review the roles, permissions, and content sets. For details, see Effective role permissions.

Export or import user group configurations

The following procedures describe how to export and import the configurations of specific user groups or all user groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export user group configurations

Export user group configurations as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export user group configurations as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Select rows in the grid to export only specific user group configurations. If you want to export all user group configurations, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All user group configurations in the grid or just the Selected user group configurations.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import user group configurations

You can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy user group configuration details

Copy configuration details from the grid in the User Groups page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.