Managing user groups

A user group configuration associates personas, users, computer management groups, and roles with a user group. You can create user groups locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. After you create or import user groups, you must assign roles, computer groups, and personas to them. For user groups that you create locally, you must also assign users.

If your deployment requires both local and imported groups, configure the imports first. See Integrating with LDAP servers.

The following figure illustrates the relationship between user groups and other Tanium role-based access control (RBAC) components:

Figure 1: Tanium user groups

For the user role permissions required to manage user groups, see RBAC management permissions.

If the Tanium Console displays permission errors (such as RBACInsufficientPrivilege) for permissions that you expected your user account to inherit from a user group, see Troubleshoot permission issues.

View user group details

  1. From the Main menu, go to Administration > Permissions > User Groups.

    The User Groups grid displays the basic attributes of each user group, such as the group Name and the number of assigned Computer Groups and Users.

    A star beside the name indicates the default user group. See Set the default user group.

  2. (Optional) Use the filters to find specific user groups:
    • Filter by text: To filter the grid by user group name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see the users, computer groups, personas, roles, and permissions that are assigned to a user group, click the user group Name. For details about the permissions, see View effective role permissions for a user group.

Create a user group

Perform the following steps to configure a user group that is local to the Tanium Server. Do not create configurations for groups that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click New User Group and enter a User Group Name.
  3. Assign roles, users, computer groups, and personas to the user group:
  4. Review the assignments and click Save.

Edit a user group

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. (Optional) Enter a new User Group Name.
  4. Edit the RBAC assignments:
  5. Review your changes and click Save.

Manage role assignments for a user group

For an overview of how effective permissions are derived for a user group, and to view the roles and associated content sets that are assigned to a user group, see View effective role permissions for a user group.

To assign or unassign roles and associated content sets for a user group, see Configure role assignments for a user group.

View effective role permissions for a user group

The effective permissions of a user group are based on the cumulative effect of all the assigned roles, including:

  • Permissions specified in allow roles minus permissions specified in deny roles
  • Implicitly provided permissions in allow roles

Perform the following steps to see the effective permissions for a user group:

  1. From the Main menu, go to Administration > Permissions > User Groups and click the user group Name.
  2. Review the assigned and inherited roles, permissions, and content sets. The page displays icons to indicate:

    Explicit permission icon: Allow roles or permissions

    Super explicit permission icon: Deny roles or permissions

    The role configuration pages indicate whether permissions are explicitly assigned or implicitly provided. See View effective role permissions.

    If you assign a reserved role (such as Admin or Administrator), it appears under Global Permissions with a single Special permission (Explicit permission).

  3. (Optional) Expand an individual permission to review the content sets that are assigned to it. Only solution content permissions (such as Trends Administrator permission) and platform content permissions (such as Sensor read permission) are associated with content sets. The page displays icons to indicate the type of permission to which the content sets are assigned:

    Explicit permission icon: Allow permission

    Deny permission icon: Deny permission

Figure 2: Effective permissions

Configure role assignments for a user group

Perform the following steps to update role assignments for the default persona of a user group. To configure roles through an alternative persona, edit the persona configuration (see Manage role assignments for a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. In the Roles section, click Manage Roles, select or deselect roles, and click Apply.
  4. (Optional) Review the Permissions and Content Sets that are associated with the selected roles. See View effective role permissions for a user group.

  5. Click Save.

Manage user assignments for a user group

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. Expand the Users section and click Manage Users.
  4. Select or deselect users, and click Select.
  5. Review the assigned Users and click Save.

Manage computer group assignments for a user group

Perform the following steps to configure computer management group assignments for the default persona of a user group. To configure the assignments through alternative personas, configure the personas (see Create a persona) and assign the persona to the user group (see Manage persona assignments for a user group).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. Expand the Computer Groups section.

    By default, No Management Rights Assigned is selected.

  4. If you do not want users to inherit computer groups from this user group, leave No Management Rights Assigned selected and click Save (skip the remaining steps).
  5. Deselect No Management Rights Assigned, click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  6. Review the assigned computer groups and click Save.

Manage persona assignments for a user group

Tanium Cloud or the Tanium Server automatically assigns a default persona to new user groups and, if you upgrade to Tanium Server 7.4 or later, to existing pre-upgrade groups. A user who has a role with Permission Administrator permission, Persona write permission, and User Group write permission, or a user with the Administrator reserved role, must manually update the assignment of alternative personas as follows. The Admin reserved role has these permissions.

Alternative personas do not inherit permissions from the user groups to which they are assigned. For details, see Personas overview.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click the user group Name and click Edit Mode.
  3. Expand the Personas section and click Manage Personas.
  4. Select or deselect personas, and click Select.
  5. Review the assigned Personas and click Save.

Clone a user group

To add a user group that has many settings in common with an existing group, cloning the existing group and then modifying the clone is often a quicker method than configuring a new group.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Select the user group and click Clone.
  3. Enter a new User Group Name.
  4. Edit the RBAC assignments:
  5. Review your changes and click Save.

Delete a user group

When you delete a user group configuration, users stop inheriting personas, computer management groups, and roles from it.

Before deleting a user group:
  1. Delete the persona and user assignments from the user group. For the steps, see Manage user assignments for a user group and Manage persona assignments for a user group.
  2. Review the impact that deleting persona and user assignments from the user group has on the effective permissions of users. For the steps, see View effective role permissions for a user group.

Delete a user group as follows:

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Select the group, click Delete Selected, and click Confirm.

Set the default user group

Configuring a default user group is useful in deployments where you expect many new users to belong to the same group. After you set a user group as the default, Tanium Cloud or the Tanium Server automatically assigns it to user accounts that are subsequently added to your remote identity store. The group that is the default has a star beside its name in the User Groups grid.

Write permissions for User Group and Global Settings are required to set the default user group.

The default user group applies only to users who authenticate through Security Assertion Markup Language (SAML) and are not synchronized with an LDAP server. See Integrating with a SAML IdP.

If no user groups are defined, the User Groups page does not display Settings for configuring a default group.

You can also see and modify the default user group on the Administration > Configuration > Settings > Advanced Settings page through the user_auto_provision_group_id setting. See Manage advanced settings.

Perform the following steps to set the default user group. Select the No Default Selected option if you do not want any default user group. However, note that a default group is required for automatic user creation if you configured that feature (see Automatically create users).

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Click Settings, select a Default User Group, and click Save.

Export or import user groups

The following procedures describe how to export and import specific user groups or all user groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export user group configurations

Export user groups as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the user groups with the same attributes (columns) as the User Groups page displays and (optionally) lists the RBAC assignments of each user group.

  • JSON: If you are assigned the Administrator reserved role, you can export user group configurations as a JSON file to import them into another Tanium Server.

Perform the following steps to export user groups:

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific user groups. If you want to export all user groups, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All user groups in the grid or just the Selected user groups.
  7. Select the file Format:

    • List of User Groups - CSV. Optionally, select With RBAC Details to include the names of users, roles, computer groups, and personas that are assigned to the user groups.
    • User Group Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.
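
The following review script is an added example, not Tanium code. It reads a CSV export made with the With RBAC Details option and flags user groups that hold a reserved role or whose combined computer groups resolve to All Computers, with an extra finding when that group is the default user group. The column names, the ';' list separator, and the sample rows are assumptions constructed for illustration; adjust them to match your export.

```python
import csv
import io

# Constructed sample export. Column names and the ';' separator are assumptions.
SAMPLE_EXPORT = """\
Name,Roles,Computer Groups,Users,Personas
Helpdesk,Example Read Role,Windows Workstations,alice;bob,
SAML New Users,Administrator,All Computers;No Computers,,
Patch Ops,Example Patch Role,All Computers,carol,Night Shift
Auditors,Example Read Role,No Computers,dave,
"""

RESERVED_ROLES = {"Admin", "Administrator"}  # reserved role names used on this page


def split_list(cell):
    """Split a multi-value cell into trimmed, non-empty names."""
    return [value.strip() for value in (cell or "").split(";") if value.strip()]


def effective_scope(computer_groups):
    """Combine selections as a union: All Computers dominates, No Computers adds nothing."""
    groups = set(computer_groups) - {"No Computers"}
    return {"All Computers"} if "All Computers" in groups else groups


def audit(export_text, default_group=None):
    """Return (group, finding) pairs for assignments that deserve a manual review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Name"]
        reserved = sorted(set(split_list(row["Roles"])) & RESERVED_ROLES)
        broad = effective_scope(split_list(row["Computer Groups"])) == {"All Computers"}
        if reserved:
            findings.append((name, "reserved role: " + ", ".join(reserved)))
        if broad:
            findings.append((name, "manages All Computers"))
        # New SAML users that are not synchronized with LDAP inherit the default group.
        if name == default_group and (reserved or broad):
            findings.append((name, "default group passes these rights to new SAML users"))
    return findings


if __name__ == "__main__":
    for group, finding in audit(SAMPLE_EXPORT, default_group="SAML New Users"):
        print(f"{group}: {finding}")
```
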

Import user group configurations

Users who are assigned a role with Import Signed Content permission can import content files that are in JSON or XML format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy user group configuration details

Copy configuration details from the grid in the User Groups page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > User Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.