Managing users

The user configuration associates user groups, computer groups, and roles with a user.

Role requirements

The users configuration is a complex configuration. You must have the following permissions to manage the users configuration:

  • Write User permission to create a new configuration, add properties, or save changes to a configuration.
  • Write Computer Group permission to change computer group assignment from the user configuration page. To change the computer group assignment, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions.
  • Write User Group permission to change the user group assignment.
  • Administrator or Content Set Administrator reserved role to change the role assignment. However, a Content Set Administrator cannot manage the assignment of reserved roles. Also, a user cannot manage their own roles from the user configuration page.

Only the Administrator reserved role has all of these permissions.

Users cannot modify their own computer group or role assignment.

Create a user

  1. Go to Administration > Users.
  2. Click New User.
  3. Specify a user name. The user name must correspond to one of the following:
    • (most common) An Active Directory (AD) account name. Specify just the user name, not the domain name.
    • A local Windows user account that is defined on the server.

    With both options, the Tanium Console uses Windows Authentication. The Tanium platform does not store or manage its own set of user credentials.

  4. Save the configuration.

Edit user properties

  1. Go to Administration > Users.
  2. Click the user configuration you want to edit to display the user configuration summary page.
  3. Click the icon.
  4. Click Add Property.
  5. Use the controls to add name-value pairs. For example, you can add name-value pairs to document the user's full name, organization, email address, phone number, or other properties.
  6. Save the configuration.

Assign computer groups to a user

  1. Go to Administration > Users.
  2. Click the user configuration you want to edit to display the user configuration summary page.
  3. Click Manage Computer Groups.
  4. Click Edit to display the Computer Group Assignments selection box.
  5. Select items and click Save to close the selection box.

    Specify Unrestricted Management Rights if you want the user to be able to ask questions of any and all endpoints. Otherwise, specify Selected Management Rights and then select the computer groups that you want the user to be able to manage. Selections are logically combined. The union of All Computers and No Computers is effectively All Computers.

  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign user groups to a user

  1. Go to Administration > Users.
  2. Click the user configuration you want to edit to display the user configuration summary page.
  3. Click Manage Users Groups.
  4. Click Edit to display the User Group Assignments selection box.
  5. Select items and click Save to close the selection box.
  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign roles to a user

  1. Go to Administration > Users.
  2. Click the user configuration you want to edit to display the user configuration summary page.
  3. Click Edit Roles.
  4. Next to Grant Roles, click Edit to display the Grant Roles selection box.
  5. Select items and click Save to close the selection box.
  6. Next to Deny Roles, click Edit to display the Deny Roles selection box.
  7. Select items and click Save to close the selection box.
  8. Click Show Preview to Continue to review the impact of your changes.
  9. Save the configuration.

View effective permissions

  1. Go to Administration > Users.
  2. In the row for the user configuration you want to review, click View Effective Permissions.
  3. Review the role assignment, inherited roles, and the lists of the resulting Global, Micro Admin, and Content Set permissions.
  4. Click Back to return to the Users summary page.

Delete a user

When employees depart your organization, you have a few options to lock down access to Tanium:

  • Assign the Deny All role to the user. The user can still log into the Tanium Console, but cannot access any console functionality.
  • Disable the Active Directory or LDAP user account that is associated with the Tanium Console user configuration or change the password if it is an administrator alias account. If the user was imported via an LDAP sync connection, it is important to manage the user details in your LDAP server so that the user is no longer imported when the Tanium Server initiates a sync.
  • Delete the Tanium Console configuration for a manually created user.

Considerations

Deleting the user configuration might impact some Tanium operations. Assess the following before you delete a user:

  • Are there scheduled actions configured to be issued by the user?

    When a user configuration is deleted, its associated scheduled actions are disabled. If you want the scheduled actions to run, you must re-create them.

  • Are there saved questions owned by the user?

    After a user is deleted, that user continues to be the "owner" listed for the saved questions they had imported or created. However, the saved questions that the deleted user had configured to be reissued are no longer reissued. If you want these saved questions to resume being issued on schedule, you must resave the respective saved question configuration objects. To change ownership so that a new owner user name is displayed on the grid, the new owner must re-create the saved question.

  • Are there packages last modified by the user?

    A package that is configured to check for file updates continues to do so after the user configuration is deleted. Package file update checking and download do not depend on configured users. You might want to review the deleted user's package configurations nonetheless to ensure appropriate settings.

  • Are there solution module services configured to run in the context of the user account associated with the deleted user?

    If so, reconfigure the solution module to use a valid account. Tanium Connect, for example, has a Make me owner prompt in place of the deleted user name.

Delete a user

  1. Go to Administration > Users.
  2. Select the row for the user and click Delete.

Copy the users configuration summary

You can copy the details of the users configuration page to a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string: Username, computer group count, user group count, grant role count, deny role count.

Copy a single row

  1. Go to Administration > Users.
  2. Select the row for a user.

    When you select a row, tools appear above the grid.

  3. Click the copy icon to copy the row details to the clipboard.

Copy all rows

  1. Go to Administration > Users.
  2. Click Copy all.
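
The copied rows can serve as a lightweight access-review baseline. The following is an added example, not Tanium code: it compares two pasted Copy all snapshots and reports users that were added, removed, or whose assignment counts changed. It assumes the field order listed above and integer counts; the user names and values are constructed sample data.

```python
import csv
import io

# Column order as described on this page, after the user name.
FIELDS = ("computer_groups", "user_groups", "grant_roles", "deny_roles")

def parse_rows(text):
    """Parse pasted 'Copy all' text into {username: {field: count}}."""
    users = {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != 5:
            continue  # blank or malformed line
        name, *counts = (cell.strip() for cell in row)
        if not all(c.isdigit() for c in counts):
            continue  # non-numeric counts, e.g. a header row if one is pasted
        # Windows account names are case-insensitive, so normalize the key.
        users[name.lower()] = dict(zip(FIELDS, map(int, counts)))
    return users

def diff_snapshots(old_text, new_text):
    """Return (username, kind, detail) tuples describing what changed."""
    old, new = parse_rows(old_text), parse_rows(new_text)
    findings = []
    for name in sorted(new.keys() - old.keys()):
        findings.append((name, "added", new[name]))
    for name in sorted(old.keys() - new.keys()):
        findings.append((name, "removed", old[name]))
    for name in sorted(old.keys() & new.keys()):
        changed = {f: (old[name][f], new[name][f])
                   for f in FIELDS if old[name][f] != new[name][f]}
        if changed:
            findings.append((name, "changed", changed))
    return findings

# Constructed sample snapshots (not real data).
BASELINE = "jsmith, 2, 1, 1, 0\nmlee, 1, 1, 2, 0\nsvc_patch, 0, 0, 1, 0\n"
CURRENT = "jsmith, 2, 1, 3, 0\nmlee, 1, 1, 2, 0\ntempadmin, 0, 0, 1, 0\n"

if __name__ == "__main__":
    for name, kind, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"{kind:8} {name:12} {detail}")
```

A change in the grant role count, or a new user that nobody requested, is a prompt to open View Effective Permissions for that user.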

Export the users configuration

You can export the users configuration to a JSON file that can be examined during troubleshooting.

  1. Go to Administration > Users.
  2. Click Export all.

Last updated: 5/16/2018 1:13 PM