Managing users

The user configuration associates user groups, computer groups, and roles with a user.

Role requirements

The users configuration is a complex configuration. You must have the following permissions to manage the users configuration:

  • Write User permission to create a new configuration, add properties, or save changes to a configuration.
  • Write Computer Group permission to change computer group assignment from the user configuration page. To change the computer group assignment, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions.
  • Write User Group permission to change the user group assignment.
  • Administrator or Content Set Administrator reserved role to change the role assignment. However, a Content Set Administrator cannot manage the assignment of reserved roles. Also, a user cannot manage their own roles from the user configuration page.

Only the Administrator reserved role has all of these permissions.

Users cannot modify their own computer group or role assignment.

Create a user

  1. Go to Administration > Users.
  2. Click New User.
  3. Specify a user name. The user name must correspond to one of the following:
    • (most common) An Active Directory (AD) account name. Specify just the user name, not the domain name.
    • A local Windows user account that is defined on the server.

    With both options, the Tanium Console uses Windows Authentication. The Tanium platform does not store or manage its own set of user credentials.

  4. Save the configuration.

Edit user properties

  1. Go to Administration > Users.
  2. Select the user configuration you want to edit and click View User.
  3. Click the icon.
  4. Click Add Property.
  5. Use the controls to add name-value pairs. For example, you can add name-value pairs to document the user's full name, organization, email address, phone number, or other properties.
  6. Save the configuration.

Assign computer groups to a user

  1. Go to Administration > Users.
  2. Select the user configuration you want to edit and click View User.
  3. Click Manage Computer Groups.
  4. Click Edit to display the Computer Group Assignments selection box.
  5. Select items and click Save to close the selection box.

    Specify Unrestricted Management Rights if you want the user to be able to ask questions of any and all endpoints. Otherwise, specify Selected Management Rights and then select the computer groups that you want the user to be able to manage. Selections are logically combined. The union of All Computers and No Computers is effectively All Computers.

  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign user groups to a user

  1. Go to Administration > Users.
  2. Select the user configuration you want to edit and click View User.
  3. Click Manage Users Groups.
  4. Click Edit to display the User Group Assignments selection box.
  5. Select items and click Save to close the selection box.
  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign roles to a user

  1. Go to Administration > Users.
  2. Select the user configuration you want to edit and click View User.
  3. Click Edit Roles.
  4. Next to Grant Roles, click Edit to display the Grant Roles selection box.
  5. Select items and click Save to close the selection box.
  6. Next to Deny Roles, click Edit to display the Deny Roles selection box.
  7. Select items and click Save to close the selection box.
  8. Click Show Preview to Continue to review the impact of your changes.
  9. Save the configuration.

View effective permissions

  1. Go to Administration > Users.
  2. Select the user configuration you want to edit and click View Effective Permissions.
  3. Review the role assignment, inherited roles, and the lists of the resulting Global, Micro Admin, and Content Set permissions.
  4. Click Back to return to the Users summary page.

Delete a user

When employees depart your organization, you have a few options to lock down access to Tanium:

  • Assign the Deny All role to the user. The user can still log into the Tanium Console, but cannot access any console functionality.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the Active Directory or LDAP user account that is associated with the Tanium Console user configuration or change the password if it is an administrator alias account. If the user was imported via an LDAP sync connection, it is important to manage the user details in your LDAP server so that the user is no longer imported when the Tanium Server initiates a sync.

Considerations

When you delete a user:

  • Plugin schedules associated with the user continue to run.
  • Saved question schedules associated with the user continue to run.
  • Scheduled actions associated with the user stop running.

After you delete the user, you can go to the Transfer Content page to delete the user's content or to complete a workflow to associate the content with an active user.

Locked-out users

Users that were created by LDAP sync connectors are designated as "locked out" when the LDAP sync data indicates that the user's LDAP account is disabled or when the LDAP sync data for the user account is missing. While the user has "locked out" status, the user cannot log in, but scheduled content that is associated with the user continues to run.

The status of locked out users is shown on the Users grid:

  • Locked out - disabled

    The data returned in the latest sync indicates the account is disabled. When off-boarding employees, it is a best practice to disable the user's LDAP account rather than delete it so that associated records are not deleted.

  • Locked out - missing

    There was no data for the user in the latest sync. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression used by the LDAP sync connector.

Typically, you should check with your organization on how to handle locked out users. You can delete them, and you can transfer content associated with them to another user.
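The classification above (only LDAP-synced users lock out; "missing" when the latest sync returned no record, "disabled" when it did and the account is disabled) and the fact that scheduled content keeps running under a locked-out user are easy to get wrong in an off-boarding review. The following is an added example, not Tanium code: it applies the page's rules to constructed user, sync and scheduled-content records (the record layouts are assumptions, not Tanium's export format) and lists, for each locked-out user, the scheduled items still running under their identity.

```python
# Added example (not Tanium code): classify LDAP-synced users with the page's
# two lock-out states and list the scheduled content they still own.
# The record layouts below are constructed assumptions, not Tanium's export format.

LOCKED_OUT_DISABLED = "Locked out - disabled"
LOCKED_OUT_MISSING = "Locked out - missing"
ACTIVE = "Active"
NOT_SYNCED = "Not LDAP-synced"   # manually created users are never marked locked out

# Constructed Tanium user records: 'source' says how the user configuration was created.
USERS = [
    {"name": "alice", "source": "ldap"},
    {"name": "bob",   "source": "ldap"},
    {"name": "carol", "source": "manual"},
    {"name": "dave",  "source": "ldap"},
]

# Constructed data from the latest LDAP sync: name -> whether the LDAP account is disabled.
# bob was disabled at off-boarding; dave no longer matches the connector's filter, so
# there is no record for him at all. carol is manual, so her absence means nothing here.
LATEST_SYNC = {
    "alice": {"disabled": False},
    "bob":   {"disabled": True},
}

# Constructed scheduled content; all three kinds keep running while the owner is locked out.
SCHEDULED_CONTENT = [
    {"owner": "alice", "kind": "scheduled action", "name": "Deploy agent"},
    {"owner": "bob",   "kind": "saved question",   "name": "Patch status"},
    {"owner": "dave",  "kind": "plugin schedule",  "name": "Nightly export"},
]

def lockout_status(user, sync_data):
    """Apply the Users grid rule: only LDAP-synced users lock out, 'missing' when the
    latest sync returned no record, 'disabled' when the record says so."""
    if user["source"] != "ldap":
        return NOT_SYNCED
    record = sync_data.get(user["name"])
    if record is None:
        return LOCKED_OUT_MISSING
    if record["disabled"]:
        return LOCKED_OUT_DISABLED
    return ACTIVE

def locked_out_with_scheduled_content(users, sync_data, scheduled):
    """Map each locked-out user to their status and the scheduled items still running
    under their identity, i.e. the rows to resolve on Manage Non-Active User Content."""
    report = {}
    for user in users:
        status = lockout_status(user, sync_data)
        if not status.startswith("Locked out"):
            continue
        owned = sorted(item["name"] for item in scheduled if item["owner"] == user["name"])
        report[user["name"]] = (status, owned)
    return report

def audit():
    """Run the report over the constructed data."""
    return locked_out_with_scheduled_content(USERS, LATEST_SYNC, SCHEDULED_CONTENT)

if __name__ == "__main__":
    for name, (status, items) in audit().items():
        print(f"{name}: {status}; still running: {', '.join(items) or 'none'}")
```

Running the block reports bob as "Locked out - disabled" with the saved question "Patch status" still running and dave as "Locked out - missing" with the plugin schedule "Nightly export"; alice stays active and carol, being manually created, is never treated as locked out even though the sync has no record for her.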

Delete a user

  1. Go to Administration > Users.
  2. Select the row for the user and click the Delete icon.

Transfer content from a deleted user to an active user

The Manage Non-Active User Content page lists users that are deleted or "locked out" and have content associated with their user accounts. Complete the workflow to delete the content or transfer it to a matching active user.

You can use the Manage Non-Active User Content page to delete some of the deleted user's content and to assign some of it to one or more matching users. You must perform delete or transfer actions one at a time. Complete the workflow multiple times until all of the deleted user's content has been disposed of.

  1. Go to Content Alignment > Manage Non-Active User Content.
  2. Select the row for the user and click Manage Content.
  3. Select an option to manage the content associated with the user:
    • Delete Selected Content. Use this option to clean up objects that were created by the user and are no longer needed.
    • Disable Selected Scheduled Content. Use this option to disable activities that repeat on a schedule, such as saved questions with reissue intervals, scheduled actions, or plugin schedules that run in the context of the deleted user.
    • Transfer Selected Content to Matching User. Use this option to transfer ownership of content that is still needed.
  4. If you select the transfer option, select a matching user. The matching user list is populated by users that have exactly the same computer group management rights and RBAC permissions.
  5. Select content.
  6. Click Confirm.

To transfer content from a deleted user to an active user, the active user's computer group management rights and RBAC permissions must exactly match the deleted user's. This ensures your RBAC restrictions continue to be enforced. It is a best practice to have users inherit rights and permissions from user groups. This makes it easy to find a matching user when it comes time to transfer a deleted user's content.
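Three rules on this page interact when you look for a matching user: computer-group selections are unioned (so All Computers combined with No Computers is effectively All Computers), effective permissions come from granted roles, roles inherited from user groups, and denied roles, and a match requires both to be exactly equal. The following is an added example, not Tanium code, that models these rules over a constructed directory. The role-to-permission map and the deny semantics (a denied role strips its permissions wherever they were granted) are assumptions for illustration; `normalize_groups`, `management_rights`, `effective_permissions` and `matching_users` are names chosen here, not Tanium APIs.

```python
# Added example (not Tanium code): a model of how computer-group selections combine,
# how granted, inherited and denied roles yield effective permissions, and which active
# users count as a "matching user" for content transfer. The role-to-permission map and
# the deny semantics (a denied role strips its permissions wherever they were granted)
# are assumptions for illustration.
from dataclasses import dataclass, field

UNRESTRICTED = "UNRESTRICTED"   # Unrestricted Management Rights
ALL_COMPUTERS = "All Computers"
NO_COMPUTERS = "No Computers"

# Constructed role definitions; permission names are illustrative.
ROLES = {
    "Administrator": {"Write User", "Write Computer Group", "Write User Group", "Read Sensor"},
    "Question Author": {"Ask Question", "Read Sensor"},
    "Action Author": {"Deploy Action", "Read Sensor"},
}

@dataclass
class UserGroup:
    name: str
    roles: set = field(default_factory=set)
    computer_groups: object = field(default_factory=set)   # set of names, or UNRESTRICTED

@dataclass
class User:
    name: str
    grant_roles: set = field(default_factory=set)
    deny_roles: set = field(default_factory=set)
    computer_groups: object = field(default_factory=set)   # Selected Management Rights
    user_groups: set = field(default_factory=set)          # names of UserGroup entries
    active: bool = True

def normalize_groups(groups):
    """Selections are unioned: 'No Computers' adds nothing, and any selection that
    includes 'All Computers' is effectively All Computers."""
    groups = set(groups)
    if ALL_COMPUTERS in groups:
        return frozenset({ALL_COMPUTERS})
    if len(groups) > 1:
        groups.discard(NO_COMPUTERS)
    return frozenset(groups)

def management_rights(user, user_groups):
    """Combine the user's own selection with those of every user group they belong to."""
    sources = [user.computer_groups] + [user_groups[g].computer_groups for g in user.user_groups]
    if any(s == UNRESTRICTED for s in sources):
        return UNRESTRICTED
    combined = set()
    for s in sources:
        combined |= set(s)
    return normalize_groups(combined)

def effective_permissions(user, user_groups):
    """Granted roles (direct and inherited) add permissions; denied roles remove theirs."""
    granted = set(user.grant_roles)
    for g in user.user_groups:
        granted |= user_groups[g].roles
    perms = set()
    for role in granted:
        perms |= ROLES[role]
    for role in user.deny_roles:
        perms -= ROLES[role]
    return frozenset(perms)

def matching_users(target, users, user_groups):
    """Active users whose rights and permissions exactly equal the target's: the only
    candidates that keep RBAC restrictions intact when content is transferred."""
    want = (management_rights(target, user_groups), effective_permissions(target, user_groups))
    return sorted(
        u.name for u in users
        if u.active and u.name != target.name
        and (management_rights(u, user_groups), effective_permissions(u, user_groups)) == want
    )

# Constructed directory: alice has left, and her content needs a new owner.
USER_GROUPS = {
    "Helpdesk": UserGroup("Helpdesk", roles={"Question Author"}, computer_groups={"Workstations"}),
    "Server Ops": UserGroup("Server Ops", roles={"Question Author", "Action Author"},
                            computer_groups={"Servers"}),
}
USERS = [
    User("alice", user_groups={"Helpdesk"}, active=False),
    User("bob", user_groups={"Helpdesk"}),                       # same rights, inherited
    User("carol", grant_roles={"Question Author"}, computer_groups={"Workstations"}),  # same rights, assigned directly
    User("dave", grant_roles={"Question Author"}, computer_groups={"Workstations", NO_COMPUTERS}),
    User("grace", grant_roles={"Question Author", "Action Author"}, deny_roles={"Action Author"},
         computer_groups={"Workstations"}),                      # the deny also strips Read Sensor
    User("erin", user_groups={"Server Ops"}),
    User("frank", grant_roles={"Administrator"}, computer_groups=UNRESTRICTED),
]

def candidates_for(name):
    """Matching active users for the named user in the constructed directory."""
    target = next(u for u in USERS if u.name == name)
    return matching_users(target, USERS, USER_GROUPS)

if __name__ == "__main__":
    print("matching users for alice:", candidates_for("alice"))   # ['bob', 'carol', 'dave']
```

bob matches alice because both inherit everything from the Helpdesk user group, which is the arrangement the page recommends; carol and dave match only because their direct assignments happen to reduce to the same rights, and dave's "No Computers" selection drops out under the union rule. grace does not match: under the assumed deny semantics, denying Action Author also removes Read Sensor even though Question Author grants it, so a denied role can silently change a user's effective permissions and therefore their eligibility as a transfer target.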

When you delete a user, it is possible that a solution module feature associated with the user, such as a scheduled Tanium™ Connect job that was created by the user, stops running. If this is the case, go to the solution module and update the configuration. For example, in Connect, you can go to the Connections page and click the Take Ownership link to give the logged in user ownership of the scheduled connection.

Copy the users configuration summary

You can copy the details of the users configuration page to a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

Copy a single row

  1. Go to Administration > Users.
  2. Select the row for a user.

    When you select a row, tools appear above the grid.

  3. Click the copy icon to copy the row details to the clipboard.

Copy all rows

  1. Go to Administration > Users.
  2. Click Copy all.

Export the users configuration

You can export the users configuration to a JSON file that can be examined during troubleshooting.

  1. Go to Administration > Users.
  2. Click Export all.

Last updated: 9/18/2018 5:29 PM