Managing users

A user configuration associates personas, user groups, computer management groups, and roles with a user. You can create user accounts locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported users, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between users and other Tanium RBAC components:

Figure 1: Tanium users

For the user role permissions required to manage users, see Manage users.

User authentication

In a Tanium as a Service (TaaS) deployment, all users authenticate through a Security Assertion Markup Language (SAML) identity provider (IdP). Contact Tanium Support for details.

In a deployment where users authenticate to the Tanium Console from domains in a Salesforce Information Technology Service Management (ITSM) instance, you must update the Trusted Auth Origins setting in the console if the domains change.

You can configure the following methods to authenticate users when they access the Tanium Console or API:

If you use an external service for authentication, maintain at least one user account that relies on local authentication and assign the Administrator reserved role to that account. If the external service ever becomes unavailable (for example, the connection to the LDAP server or SAML IdP goes down), this local user can still access the Tanium Console and reconfigure the connection to the external service as necessary. Optionally, you can use the default user that is created during Tanium Server installation for this purpose.

Default user

During the setup of your Tanium as a Service (TaaS) deployment, an administrator account is created that you can use to sign in to the Tanium Console for the first time. This user is based on an IdP account that your organization selects as the primary administrator for your TaaS deployment. The user has unrestricted computer group management rights. The user also has the Admin reserved role, which enables access to all the features that are available in TaaS, including the ability to configure role-based access control (RBAC) for all other TaaS users.

The Tanium Server installation process creates a Tanium Console user account that has permissions similar to the root or admin superuser in some operating systems. This initial user is assigned the All Computers computer group and the Administrator reserved role, enabling this user to do anything in the Tanium Core Platform. However, this user is not a built-in user like root or admin, so you can modify or delete the account.

View user settings

  1. From the Main menu, go to Administration > Permissions > Users or Administration > Management > Users.

    The Users grid displays the basic attributes of each user, such as the user Name and the number of assigned computer groups. However, to see the specific user groups, computer groups, personas, or roles (and permissions) that are assigned, you must display the configuration of a particular user.

    To display deleted users, set the Users toggle to All (default is Active users only). The Status column indicates which users are active or deleted.

  2. (Optional) Use the filters to find specific users:
    • Filter by text: To filter the grid by user name, display name, or domain name, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the number of assigned Computer Groups. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the user groups, computer groups, personas, roles, and permissions that are assigned to a user, click the user Name, or select the user and click View User.

Create a user

When you create a user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can sign in to the Tanium Console but cannot access anything. Do not create configurations for user accounts that you import from an LDAP server (see Integrating with LDAP servers).

For the methods to authenticate users, see User authentication.

  1. From the Main menu, go to Administration > Permissions > Users and click New User.
  2. Specify a User Name. In a TaaS deployment, the name must match an account in your IdP. In other deployments, specify one of the following:
    • A user account that is defined locally on the Tanium Server.
    • (Windows deployment only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and does not store or manage sign-in credentials for the user.
  3. Configure the user details and RBAC assignments, as described in the following sections.
  4. Click Save to create the user.
  5. (Tanium Appliance deployment only) Configure the local authentication service and user account on the Appliance as described in Tanium Appliance Deployment Guide: Configure the local authentication service.

In deployments where the Users page is at Administration > Management > Users:

  1. From the Main menu, go to Administration > Management > Users and click New User.
  2. Specify a User Name. In a TaaS deployment, the name must match an account in your IdP. In other deployments, specify one of the following:
    • A user account that is defined locally on the Tanium Server.
    • (Windows deployment only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and does not store or manage sign-in credentials for the user.
  3. Click Save to create the user.
  4. Add user properties and assign computer groups, user groups, roles, and personas to the user, as described in the following sections.
  5. (Tanium Appliance deployment only) Configure the local authentication service and user account on the Appliance as described in Tanium Appliance Deployment Guide: Configure the local authentication service.

Edit user details

For each user, you can configure an optional Display Name, which appears as the label for the user drop-down list in the Main menu. You can also configure user properties, which are name-value pairs that record optional user details such as full name, organization, email address, and phone number.

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name, or go to Administration > Management > Users, select the user, and click View User.
  2. Enter a Display Name, or click Properties to edit the user properties.
  3. Update properties as follows and then click Save:
    • Add: Click Add Property (or Add properties; if the user already has some properties, click Add), and then enter a name-value pair in the text fields.
    • Edit: Overwrite the entries of existing name-value pairs.
    • Delete: Click Delete beside a name-value pair.

Manage role assignments for a user

Perform the following steps to update the role assignments for the default persona of a user. To configure roles through an alternative persona, edit the persona configuration (see Manage role assignments for a persona) and assign the persona to the user (see Manage persona assignments for a user).

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name.
  2. In the Roles section, click Manage Roles.
  3. Select or deselect roles and click Apply.
  4. Review the Permissions and Content Sets that are associated with the selected roles (see Effective role permissions), and then click Save.
In deployments where the Users page is at Administration > Management > Users:

  1. From the Main menu, go to Administration > Management > Users, select the user, and click View User.
  2. In the Roles and Effective Permissions section, click Manage.
  3. In the Grant Roles and Deny Roles sections, click Edit, select or deselect roles, and click Save.
  4. Click Show Preview to Continue, review the impact of your changes, and click Save.

Manage user group assignments for a user

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name.
  2. Expand the User Groups section and click Manage User Groups.
  3. Select or deselect user groups and click Select.
  4. Review the inherited Roles, Permissions, Content Sets, and Computer Groups, and then click Save.
In deployments where the Users page is at Administration > Management > Users:

  1. From the Main menu, go to Administration > Management > Users, select the user, and click View User.
  2. In the User Groups section, click Manage and Edit.
  3. Select or deselect user groups and click Save.
  4. Click Show Preview to Continue, review the impact of your changes, and click Save.

Manage computer group assignments for a user

Perform the following steps to update the computer management group assignments for the default persona of a user. To configure the assignments through alternative personas, configure the personas (see Create a persona) and assign the persona to the user (see Manage persona assignments for a user).

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name.
  2. Expand the Computer Groups section.
  3. If you want the user to have management rights for all endpoints, select Unrestricted Management Rights and click Save (you can skip the remaining steps).

    Tanium strongly recommends that you do not assign Unrestricted Management Rights, unless you want the user to be able to issue questions to all endpoints across all computer groups regardless of security considerations.

  4. Click Manage Computer Groups, select or deselect computer management groups, and click Select.

    Selections are logically combined. For example, the union of All Computers and No Computers is effectively All Computers.

  5. Review the list of computer groups that you assigned or that the user inherits from user groups, and then click Save.
In deployments where the Users page is at Administration > Management > Users:

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. In the Computer Groups section, click Manage and Edit.
  4. Specify Selected Management Rights, select or deselect computer management groups, and click Save.

    Selections are logically combined. The union of All Computers and No Computers is effectively All Computers. Tanium strongly recommends that you do not select Unrestricted Management Rights, unless you want the user to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  5. Click Show Preview to Continue, review the impact of your changes, and click Save.

Manage persona assignments for a user

The Tanium Server automatically assigns a default persona to new user accounts and, after you upgrade to Tanium Core Platform 7.4 or later, to existing pre-upgrade accounts. A user who has the Administrator reserved role, or a role with the Permission Administrator, Write Persona, and Write User permissions, must manually update the assignment of alternative personas as follows. The Admin reserved role has these permissions. For details on personas, see Managing personas.

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name.
  2. Expand the Personas section and click Manage Personas.
  3. Select or deselect personas, and click Select.
  4. Review the assigned Personas and click Save.
In deployments where the Users page is at Administration > Management > Users:

  1. From the Main menu, go to Administration > Management > Users.
  2. Select the user and click View User.
  3. Click Alternative Personas and Manage.
  4. Select or deselect personas and click Save.

View effective permissions for a user

  1. From the Main menu, go to Administration > Permissions > Users and click the user Name, or go to Administration > Management > Users, select the user, and click View User.
  2. Review the assigned and inherited roles, permissions, and content sets. For details, see Effective role permissions.

Delete, un-delete, or lock out a user

When employees leave your organization, you have the following options for locking down their access to the Tanium system:

  • Assign the Deny All role to the user. The user can still sign in to the Tanium Console, but cannot access any console functionality. The Administration > Management > Users page displays grayed-out user names for users with the Deny All role.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the AD or LDAP user account that is associated with the Tanium Console user configuration, or change the password if it is an administrator alias account. If the Tanium Server imported the user through an LDAP server, it is important to modify the user details on the LDAP server so that the Tanium Server does not import the user again at the next synchronization.

Considerations when deleting users

Deleting a user has the following consequences for scheduled activities:

  • Plugin schedules associated with the user continue to run.
  • Saved question schedules associated with the user continue to run.
  • Scheduled actions associated with the user stop running.

After you delete the user, you can delete the content that the user owns or transfer ownership to an active user: see Delete, disable, or transfer ownership for the content of a non-active user.

Locked-out users

The Tanium Server designates users that it imported from an LDAP server as locked out when the LDAP synchronization data indicates that the associated LDAP account is disabled or when the data is missing. While the user has locked-out status, the user cannot sign in, but scheduled content that the user owns continues to run.

The Administration > Management > Users page shows the Locked out status of users:

  • Locked out - disabled: The data that the latest LDAP synchronization returns indicates the user account is disabled. When off-boarding employees, the best practice is to disable LDAP accounts rather than delete them to avoid deleting associated records.
  • Locked out - missing: The latest LDAP synchronization returned no data for the user. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression that the LDAP server uses.

Check the policy of your organization for managing locked-out users. One option is to delete them and transfer the content that they own to another user (see Delete, disable, or transfer ownership for the content of a non-active user).

Delete a user

  1. From the Main menu, go to Administration > Permissions > Users or Administration > Management > Users and select the user.
  2. Click Delete and Confirm.

    To display deleted users, set the Users toggle to All (default is Active users only). The Status column indicates which users are active or deleted.

To transfer, disable, or delete content that the deleted user owned, see Delete or transfer ownership for the content of a non-active user.

Undelete a user

By default, the persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. When you undelete users who own content, you can delete, reactivate, or transfer ownership of that content.

When you transfer content ownership, the new owner does not have to match the deleted user with respect to role permissions and computer management group assignments. However, transferring ownership of scheduled actions and saved questions to a non-matching user might have unintended consequences. For example, all scheduled actions that you transfer to a non-matching user are disabled after the transfer. Before performing a transfer, compare the computer management group assignments of the deleted user and the new owner to understand which endpoints will receive the actions and questions after the transfer. To see computer group assignments for a user, from the Main menu go to Administration > Management > Users, select the user, and click View User.

Undelete one user at a time:

  1. From the Main menu, go to Administration > Permissions > Users.
  2. Set the Users toggle to All (default is Active users only).

    The Status column indicates which users are active or deleted.

  3. Select the row for the deleted user, click Undelete User, and click Confirm.

In deployments where the Users page is at Administration > Management > Users:

  1. From the Main menu, go to Administration > Management > Users.
  2. Set the Users toggle to All (default is Active users only).

    The Status column indicates which users are active or deleted.

  3. Select the row for the deleted user, click Undelete User, and confirm the operation.
  4. If the user owns content, a dialog prompts you to select an option for processing the content:

    Reactivation Options

    • Purge content: Remove content that no users need.
    • Migrate content: Transfer ownership to a different user. The transfer workflow starts after you click Reactivate.
    • Reactivate as is: Keep the user whom you are undeleting as the content owner.
  5. Click Reactivate.

    If you selected Purge content or Reactivate as is, the Tanium Server performs the action automatically, so skip the remaining steps.

    If you selected Migrate content, the Manage Content dialog opens and prompts you to perform the remaining steps.

  6. Select an option for processing the content of the undeleted user:

    Select Action

    • Delete Selected Content: Remove content that no users need.
    • Transfer Selected Content to Matching User: Transfer ownership of content that is still needed to a user (persona) that has the same role and computer management group assignments as the user that you undeleted. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a matching persona of the new owner.
    • Transfer Selected Content to Administrator: Transfer ownership of content that is still needed to any user who has the Administrator reserved role, regardless of whether the computer group and role assignments of that user match the user that you undeleted. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
    • Transfer Selected Content to Any User: Transfer ownership of content that is still needed to any user, regardless of whether the computer group and role assignments of that user match the user that you undeleted. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
  7. In the Select Content section, review and select the content that you want to transfer or delete, and click Confirm.

Delete or transfer ownership for the content of a non-active user

The Manage Non-Active User Content page lists users who are deleted or locked out and who own content. You can use the page to delete, disable, or transfer ownership of that content. The default or alternative persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. You can transfer ownership from the personas of a non-active user to the personas of one or more active users. You must perform one delete, disable, or transfer operation at a time. Repeat the operations as many times as necessary to process all the content for the non-active user.

When you transfer content ownership, the new owner does not have to match the non-active user with respect to role permissions and computer management group assignments. However, transferring ownership of scheduled actions and saved questions to a non-matching user might have unintended consequences. For example, all scheduled actions that you transfer to a non-matching user are disabled after the transfer. Before performing the transfer, compare the computer management group assignments of the non-active user and the new owner to understand which endpoints will receive the actions and questions after the transfer. To see computer group assignments for a user, from the Main menu go to Administration > Management > Users, select the user, and click View User.
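The rules on this page about how computer group selections combine, what counts as a matching user, and what happens to scheduled content when a user is deleted, locked out, or has content transferred, can be previewed before touching the console. The following Python model is an added example, not Tanium's own code or API: every record shape, user, group and content name in it is constructed, and only the rules the page states are encoded.

```python
"""Added example, not Tanium's own code: a small model of the assignment and
ownership rules described on this page, so that an administrator can preview
the effect of deleting a user or transferring that user's scheduled content.

Everything below (record shapes, user names, group names, content names) is
constructed for the example. The rules encoded are the ones the page states:
  * computer group selections combine by union; All Computers absorbs every
    other selection and the union of All Computers and No Computers is
    effectively All Computers;
  * a matching new owner has the same role and computer management group
    assignments as the non-active user;
  * scheduled actions transferred to a non-matching owner are disabled;
  * deleting a user stops its scheduled actions, while its plugin schedules
    and saved question schedules continue to run;
  * a locked-out user's scheduled content continues to run.
"""
from dataclasses import dataclass

ALL_COMPUTERS = "All Computers"
NO_COMPUTERS = "No Computers"


def combine_computer_groups(*selections: frozenset) -> frozenset:
    """Union of computer management group selections (page semantics)."""
    merged = set().union(*selections)
    if ALL_COMPUTERS in merged:
        return frozenset({ALL_COMPUTERS})
    merged.discard(NO_COMPUTERS)
    return frozenset(merged) if merged else frozenset({NO_COMPUTERS})


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset                 # roles on the default persona
    direct_groups: frozenset         # computer groups assigned directly
    inherited_groups: tuple = ()     # one frozenset per user group the user belongs to

    def effective_groups(self) -> frozenset:
        return combine_computer_groups(self.direct_groups, *self.inherited_groups)


def is_matching_user(old: User, new: User) -> bool:
    """'Matching user' as the page defines it for content transfer."""
    return old.roles == new.roles and old.effective_groups() == new.effective_groups()


def scope_diff(old: User, new: User) -> tuple:
    """(groups only the old owner reached, groups only the new owner reaches).
    All Computers is reported as a group label rather than expanded."""
    a, b = old.effective_groups(), new.effective_groups()
    return (frozenset(a - b), frozenset(b - a))


@dataclass(frozen=True)
class Scheduled:
    name: str
    kind: str      # "scheduled_action" | "saved_question" | "plugin_schedule"
    owner: str     # user name of the owning persona


def after_delete(items, deleted_user: str) -> dict:
    """Status of each scheduled item once its owner is deleted."""
    return {
        it.name: "stopped" if it.owner == deleted_user and it.kind == "scheduled_action"
        else "running"
        for it in items
    }


def after_lockout(items, locked_user: str) -> dict:
    """Lock-out blocks sign-in only; owned schedules keep running."""
    return {it.name: "running" for it in items}


def after_transfer(items, old: User, new: User) -> dict:
    """Status after transferring old's content to new."""
    matching = is_matching_user(old, new)
    return {
        it.name: "disabled" if (it.owner == old.name and it.kind == "scheduled_action"
                                and not matching)
        else "running"
        for it in items
    }


# Constructed sample data
ALICE = User("alice", frozenset({"Deploy Operator"}), frozenset({"Linux Servers"}),
             (frozenset({"Windows Servers"}),))           # Windows Servers via a user group
BOB = User("bob", frozenset({"Deploy Operator"}),
           frozenset({"Linux Servers", "Windows Servers"}))
CAROL = User("carol", frozenset({"Deploy Operator"}), frozenset({ALL_COMPUTERS}))

CONTENT = (
    Scheduled("Monthly patch", "scheduled_action", "alice"),
    Scheduled("Running processes", "saved_question", "alice"),
    Scheduled("Connect export", "plugin_schedule", "alice"),
    Scheduled("Reboot pending", "scheduled_action", "bob"),
)

if __name__ == "__main__":
    print("delete alice:", after_delete(CONTENT, "alice"))
    print("alice -> bob (matching):", after_transfer(CONTENT, ALICE, BOB))
    print("alice -> carol (not matching):", after_transfer(CONTENT, ALICE, CAROL))
    print("scope change alice -> carol:", scope_diff(ALICE, CAROL))
```

The point of `scope_diff` is the comparison the paragraph asks for: transferring alice's content to carol would move a scheduled action from two named groups to All Computers, which is exactly the kind of widening that should be reviewed before a transfer, and because carol is not a matching user the action would be disabled on transfer anyway.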

Perform the following steps to delete, disable, or transfer ownership of the content that a non-active user owns:

  1. From the Main menu, go to Administration > Content > Content Alignment > Manage Non-Active User Content.
  2. Select the row for the user (persona) and click Manage Content.
  3. Select an option to manage the content.

    • Delete Selected Content: Remove content that the non-active user owns and that no other users need.
    • Disable Selected Scheduled Content: Disable activities that repeat on a schedule, such as saved questions with reissue intervals, scheduled actions, or plugin schedules that run in the context of the non-active user.
    • Transfer Selected Content to Matching User: Transfer ownership of content that is still needed to a user that has the same role and computer management group assignments as the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a matching persona of the new owner.
    • Transfer Selected Content to Administrator: Transfer ownership of content that is still needed to any user who has the Administrator reserved role, regardless of whether the computer group and role assignments of that user match the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
    • Transfer Selected Content to Any User: Transfer ownership of content that is still needed to any user, regardless of whether the computer group and role assignments of that user match the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
  4. In the Select Content section, review and select the content that you want to delete, disable, or transfer.
  5. Click Confirm.

After you delete a user, Tanium module tasks that are associated with the user, such as a scheduled Tanium Connect job that the user created, might stop running. If this occurs, go to the module workbench and update the configuration. For example, go to the Connect workbench, open a connection, and click Take Ownership to transfer ownership of the scheduled connection to the user account that you used to sign in.

Disable or enable local user access

By default, users whose accounts are local to the Tanium Server can access the Tanium Console. However, if you transition to an external authentication service such as an LDAP server or SAML IdP and you want to ensure all user access is through that service, disable local authentication.

Local users on a Tanium Appliance

To disable or re-enable Tanium Console access for user accounts that are local to a Tanium Appliance, see Tanium Appliance Deployment Guide: Configure the local authentication service.

Local users on a Windows server

Perform the following steps to disable or re-enable Tanium Console access for user accounts that are local to a Tanium Server installed on a Windows server.

If you disable local account sign ins and the remote authentication service later stops working (for example, the connection to the LDAP server or SAML IdP goes down), no users can access the Tanium Console, including the default user. In such cases, you must re-enable local authentication through the CLI by running the following command from the Tanium Server installation folder:
TaniumReceiver global-settings set soap_enable_local_auth 1

  1. From the Main menu, go to Administration > Management > Global Settings.
  2. Select soap_enable_local_auth in the grid and, in the Selected System Setting pane, click Edit.
  3. In the Setting Value, enter 0 to disable or 1 to enable local authentication, and then click Save.

Export or import user configurations

The following procedures describe how to export and import the configurations of specific users or all users.

Develop and test content in your lab environment before importing that content into your production environment.

Export user configurations

Export user configurations as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export user configurations as a JSON file to import them into another Tanium Server.

  1. From the Main menu, go to Administration > Permissions > UsersAdministration > Management > Users.
  2. Select rows in the grid to export only specific user configurations. If you want to export all user configurations, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All user configurations in the grid or just the Selected user configurations.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.
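An exported user list is a convenient input for checking the recommendation given under User authentication: keep at least one locally authenticated account with the Administrator reserved role so that an LDAP or SAML outage cannot lock every administrator out, and do not leave soap_enable_local_auth at 0 while depending on an external service. The following Python check is an added example, not Tanium's code: the CSV columns, the global-setting dictionary and all sample users are constructed, so a real export has to be mapped into this shape first.

```python
"""Added example, not Tanium's code or export format: audit an exported user
list for the break-glass condition this page recommends, namely at least one
active, locally authenticated account that holds the Administrator reserved
role, and flag the case where local authentication is disabled while users
depend on an external service.

The CSV columns below are constructed for the example; a real Users export
has its own columns, so map them into this shape before running the check.
"""
import csv
import io

ADMIN_ROLE = "Administrator"

# Constructed sample export (not a real Tanium file)
SAMPLE_EXPORT = """Name,Status,Authentication,Locked Out,Roles
admin,Active,local,no,Administrator
alice,Active,ldap,no,Deploy Operator;Interact User
bob,Active,ldap,yes,Administrator
carol,Deleted,local,no,Administrator
"""

# Constructed sample of the global setting the page describes
SAMPLE_SETTINGS = {"soap_enable_local_auth": "1"}


def parse_user_export(csv_text: str) -> list:
    """Parse the constructed CSV layout into user records."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.append({
            "name": row["Name"].strip(),
            "status": row["Status"].strip(),                 # Active | Deleted
            "auth": row["Authentication"].strip().lower(),   # local | ldap | saml
            "locked_out": row["Locked Out"].strip().lower() == "yes",
            "roles": {r.strip() for r in row["Roles"].split(";") if r.strip()},
        })
    return users


def break_glass_admins(users: list) -> list:
    """Active local users with the Administrator reserved role who are not locked out.
    Deleted users, imported (LDAP/SAML) users and locked-out users do not count:
    none of them can sign in if the external service is down."""
    return sorted(
        u["name"] for u in users
        if u["status"] == "Active" and u["auth"] == "local"
        and not u["locked_out"] and ADMIN_ROLE in u["roles"]
    )


def audit(users: list, settings: dict) -> list:
    """Return findings; an empty list means the page's recommendation is met."""
    findings = []
    uses_external = any(u["auth"] != "local" and u["status"] == "Active" for u in users)
    if uses_external and not break_glass_admins(users):
        findings.append("no active local user holds the Administrator reserved role")
    if settings.get("soap_enable_local_auth", "1") == "0":
        findings.append("soap_enable_local_auth is 0: local sign-in is disabled, so an "
                        "outage of the LDAP server or SAML IdP locks everyone out")
    return findings


def audit_sample() -> list:
    return audit(parse_user_export(SAMPLE_EXPORT), SAMPLE_SETTINGS)


if __name__ == "__main__":
    for finding in audit_sample() or ["OK: break-glass local administrator present"]:
        print(finding)
```

In the sample, bob holds the Administrator role but is an imported LDAP user who is locked out, and carol is deleted, so only admin satisfies the check; removing that one account makes the audit report the gap.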

Import user configurations

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy user configuration details

Copy configuration details from the grid in the Users page to your clipboard for pasting into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Users or Administration > Management > Users.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.