Managing users

A user configuration associates personas, user groups, computer management groups, and roles with a user. You can create user accounts locally on the Tanium Server or import them from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. If your deployment requires both local and imported users, configure the imports first (see Integrating with LDAP servers).

The following figure illustrates the relationship between users and other Tanium RBAC components:

Figure 1: Tanium users

For the user role permissions required to manage users, see RBAC management permissions.

User authentication

In a Tanium as a Service (TaaS) deployment, all users authenticate through a Security Assertion Markup Language (SAML) identity provider (IdP). For details, consult your Technical Account Manager (TAM).

You can configure the following methods to authenticate users when they access the Tanium Console or API:

  • LDAP server: see Integrating with LDAP servers.
  • Security Assertion Markup Language (SAML) identity provider (IdP): see Integrating with a SAML IdP.
  • AD server for the domain to which the Tanium Server is joined. This option is available only for Tanium Servers installed on a Windows system.
  • Windows authentication for accounts defined locally on a Tanium Server installed on a Windows system.
  • Local authentication service for accounts defined locally on a Tanium Appliance: see Tanium Appliance Deployment Guide: Configure the local authentication service.
  • Pluggable authentication module (Tanium Appliance only); consult your Technical Account Manager (TAM) for details.

If you use an external service for authentication, the best practice is to maintain at least one user account that relies on local authentication, and assign the Administrator reserved role to that account. If the external service ever becomes unavailable (for example, the connection to the LDAP server or SAML IdP goes down), this local user can still access the Tanium Console and reconfigure the connection to the external service as necessary. Optionally, you can use the default user that is created during Tanium Server installation for this purpose.

Default user

During the setup of your Tanium as a Service (TaaS) deployment, an administrator account is created that you can use to log into the Tanium Console for the first time. This user is based on an IdP account that your organization selects as the primary administrator for your TaaS deployment. The user has unrestricted computer group management rights. The user also has the Admin reserved role, which enables access to all the features that are available in TaaS, including the ability to configure role-based access control (RBAC) for all other TaaS users. For details, see Admin reserved role.

The Tanium Server installation process creates a Tanium Console user account that has permissions similar to the root or admin superuser in some operating systems. This initial user has the All Groups computer group permission and the Administrator reserved role, enabling this user to do anything in the Tanium Core Platform. However, this user is not a built-in user like root or admin, so you can modify or delete the account.

View user settings

From the Main menu, select Console > Administration > Users to see information about user accounts. You can use the Filter By Text field above the grid to filter by user name, display name, or domain name. You can use the Filter Results options to filter the list by User Group and Computer Group (management group) assignments. If you select Show deleted users in the filter options, the grid displays an Active column that indicates which users are active (Yes) or deleted (No). To see the computer management group, user group, persona, and role assignments, along with the associated permissions, click a user name to open the user configuration page.

Selecting a Computer Group filters the user grid based only on the computer management groups that are explicitly assigned to users. For example, a user configuration might have a role that specifies unrestricted management rights to all computer groups but does not have a Windows-only computer group assigned. If you filter by the Windows-only computer group, the list excludes that user even though the Windows-only computer group is a subset of all the computers to which the user has management rights.

Create a user

When you create a user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but cannot access anything. Do not create configurations for user accounts that you import from an LDAP server (for details, see Integrating with LDAP servers).

  1. From the Main menu, select Console > Administration > Users.
  2. Click New User.
  3. Specify a user name that matches one of the following:
    • A user account that is defined locally on the Tanium Server.
    • A user account that is defined in your IdP.
    • (Windows only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and does not store or manage login credentials for the user.
  4. Save the configuration.

For the supported authentication methods, see User authentication.

Edit user properties

You can add name-value pairs to document user details such as full name, organization, email address, and phone number.

  1. From the Main menu, select Console > Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. Click Properties.
  4. Click Add Property.
  5. Use the controls to add name-value pairs.
  6. Save the configuration.

Assign computer management groups to a user

Perform the following steps to assign computer management groups to the default persona of a user. To configure computer group assignments through an alternative persona, edit the persona configuration (see Assign computer groups to a persona) and assign the persona to the user (see Assign personas to a user).

  1. From the Main menu, select Console > Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. In the Computer Groups section, click Manage and Edit.
  4. Specify Selected Management Rights, select the computer management groups that you want the user to manage, and click Save.

    Selections are logically combined. The union of All Computers and No Computers is effectively All Computers. Tanium strongly recommends that you do not select Unrestricted Management Rights, unless you want the user to be able to ask questions of all endpoints across all computer groups regardless of security considerations.

  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign user groups to a user

  1. From the Main menu, select Console > Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. In the User Groups section, click Manage and Edit.
  4. Select user groups and click Save.
  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign roles to a user

Perform the following steps to assign roles to the default persona of a user. To configure roles through an alternative persona, edit the persona configuration (see Assign roles to a persona) and assign the persona to the user (see Assign personas to a user).

  1. From the Main menu, select Console > Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. In the Roles and Effective Permissions section, click Manage.
  4. In the Grant Roles section, click Edit, select roles, and click Save.
  5. In the Deny Roles section, click Edit, select roles, and click Save.
  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

Assign personas to a user

The Tanium Server automatically assigns a default persona to new user accounts and, after you upgrade to Tanium Core Platform 7.4 or later, to existing pre-upgrade accounts. A user with the Administrator reserved role (the Admin reserved role in TaaS) must manually assign alternative personas as follows. For details on personas, see Managing personas.

  1. From the Main menu, select Console > Administration > Users.
  2. Click the User Name of the user.
  3. Click Alternative Personas and Manage.
  4. Select personas and click Save.

View effective permissions

  1. From the Main menu, select Console > Administration > Users to open the users summary page.
  2. Click the User Name of the user configuration that you want to review.
  3. Select the type of persona for which you want to see permissions:
    • Default Persona: This is the default selection, and shows permissions for the roles that are assigned to the default persona of the user or of user groups that the user belongs to.
    • Alternative Personas: Select an alternative persona to see the permissions for the roles that are assigned to it.
  4. Review the role assignments, inherited roles, and the lists of the resulting global, micro admin, and content set permissions.
  5. Click Back to all Users to return to the Users page.

Delete, undelete, or lock out a user

When employees leave your organization, you have the following options for locking down their access to the Tanium system:

  • Assign the Deny All role to the user. The user can still log into the Tanium Console, but cannot access any console functionality. The Console > Administration > Users page displays grayed-out user names for users with the Deny All role.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the AD or LDAP user account that is associated with the Tanium Console user configuration, or change the password if it is an administrator alias account. If the Tanium Server imported the user through an LDAP server, it is important to modify the user details on the LDAP server so that the Tanium Server does not import the user again at the next synchronization.

Considerations when deleting users

Deleting a user has the following consequences for scheduled activities:

  • Plugin schedules associated with the user continue to run.
  • Saved question schedules associated with the user continue to run.
  • Scheduled actions associated with the user stop running.

After you delete the user, you can delete the content that the user owns or transfer ownership to an active user: see Delete, disable, or transfer ownership for the content of a non-active user.

Locked-out users

The Tanium Server designates users that it imported from an LDAP server as locked out when the LDAP synchronization data indicates that the associated LDAP account is disabled or when the data is missing. While the user has locked-out status, the user cannot log in, but scheduled content that the user owns continues to run.

The Console > Administration > Users page shows the Locked out status of users:

  • Locked out - disabled: The data that the latest LDAP synchronization returns indicates the user account is disabled. When off-boarding employees, the best practice is to disable LDAP accounts rather than delete them to avoid deleting associated records.
  • Locked out - missing: The latest LDAP synchronization returned no data for the user. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression that the LDAP server uses.

Check the policy of your organization for managing locked-out users. One option is to delete them and transfer the content that they own to another user: see Delete, disable, or transfer ownership for the content of a non-active user.
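The lock-out rules above, the best-practice check from User authentication (keep one local Administrator account), and the note that scheduled content of a locked-out user keeps running, worked through as an added audit example. This is not Tanium's code: the TaniumUser record layout and the sample users are constructed for the example and are not the format of the Console's JSON export.

```python
from dataclasses import dataclass, field


@dataclass
class TaniumUser:
    # Constructed record layout for this example; not the Console export format.
    name: str
    source: str                        # "local" or "ldap"
    roles: set = field(default_factory=set)
    unrestricted_rights: bool = False  # Unrestricted Management Rights selected
    owns_scheduled_content: bool = False


def lockout_status(user, ldap_sync):
    """Return the Locked out status the Console would show, or None.

    ldap_sync maps a user name to {"disabled": bool} from the latest LDAP
    synchronization; a user absent from it had no data returned (missing).
    """
    if user.source != "ldap":
        return None                    # only imported users get locked out
    record = ldap_sync.get(user.name)
    if record is None:
        return "Locked out - missing"
    if record.get("disabled"):
        return "Locked out - disabled"
    return None


def has_local_admin(users):
    """At least one local account holds the Administrator reserved role."""
    return any(u.source == "local" and "Administrator" in u.roles for u in users)


def audit(users, ldap_sync):
    """Return (user name, finding) pairs an administrator should review."""
    findings = []
    for u in users:
        status = lockout_status(u, ldap_sync)
        if status:
            note = status
            if u.owns_scheduled_content:
                note += "; owned scheduled content continues to run"
            findings.append((u.name, note))
        if u.unrestricted_rights:
            findings.append((u.name, "Unrestricted Management Rights selected"))
        if "Deny All" in u.roles:
            findings.append((u.name, "Deny All role: can still log in"))
    if not has_local_admin(users):
        findings.append(("(deployment)", "no local Administrator fallback account"))
    return findings


# Constructed sample data; "Helpdesk" is a made-up role name.
SAMPLE_USERS = [
    TaniumUser("tanium_admin", "local", {"Administrator"}),
    TaniumUser("alice", "ldap", {"Helpdesk"}, owns_scheduled_content=True),
    TaniumUser("bob", "ldap", {"Deny All"}),
    TaniumUser("carol", "ldap", set(), unrestricted_rights=True),
]
SAMPLE_SYNC = {
    "alice": {"disabled": True},       # disabled in the directory, not deleted
    "carol": {"disabled": False},
    # bob: no data returned by the latest synchronization
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS, SAMPLE_SYNC):
        print(f"{name}: {finding}")
```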

Delete a user

  1. From the Main menu, select Console > Administration > Users.
  2. Select the row for the user and click Delete.

    To display deleted users in the Users page, click Filter Results and select Show deleted users. The page displays an Active column that indicates which users are active (Yes) or inactive (No).

  3. (Optional) If the user owns content to transfer, disable, or delete, click Complete Now in the message at the top of the page and perform the steps under Delete, disable, or transfer ownership for the content of a non-active user.

Undelete a user

By default, the persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. When you undelete users who own content, you can delete, reactivate, or transfer ownership of that content.

When you transfer content ownership, the new owner does not have to match the deleted user with respect to role permissions and computer management group assignments. However, transferring ownership of scheduled actions and saved questions to a non-matching user might have unintended consequences. For example, all scheduled actions that you transfer to a non-matching user are disabled after the transfer. Before performing a transfer, compare the computer management group assignments of the deleted user and the new owner to understand which endpoints will receive the actions and questions after the transfer. To see computer group assignments for a user, select Console > Administration > Users, select the user, and click View User.

Undelete one user at a time:

  1. From the Main menu, select Console > Administration > Users.
  2. Click Filter Results and select Show deleted users.

    The page displays an Active column that indicates which users are active (Yes) or inactive (No).

  3. Select the row for the deleted user and click Undelete User.
  4. Confirm the operation when prompted.
  5. If the user owns content, a dialog prompts you to select an option for processing the content:

    Reactivation Options

    • Purge content: Remove content that no users need.
    • Migrate content: Transfer ownership to a different user. The transfer workflow starts after you click Reactivate.
    • Reactivate as is: Keep the user whom you are undeleting as the content owner.
  6. Click Reactivate.

    If you selected Purge content or Reactivate as is, the Tanium Server performs the action automatically, so skip the remaining steps.

    If you selected Migrate content, the Manage Content dialog opens and prompts you to perform the remaining steps.

  7. Select an option for processing the content of the undeleted user:

    Select Action

    • Delete Selected Content: Remove content that no users need.
    • Transfer Selected Content to Matching User: Transfer ownership of content that is still needed to a user (persona) that has the same role and computer management group assignments as the user that you undeleted. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a matching persona of the new owner.
    • Transfer Selected Content to Administrator: Transfer ownership of content that is still needed to any user who has the Administrator reserved role, regardless of whether the computer group and role assignments of that user match the user that you undeleted. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
    • Transfer Selected Content to Any User: Transfer ownership of content that is still needed to any user, regardless of whether the computer group and role assignments of that user match the user that you undeleted. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
  8. In the Select Content section, review and select the content that you want to transfer or delete.

  9. Click Confirm.

Delete, disable, or transfer ownership for the content of a non-active user

The Manage Non-Active User Content page lists users who are deleted or locked out and who own content. You can use the page to delete, disable, or transfer ownership of that content. By default, the persona that a user selects for a Tanium session is the owner of any content that the user creates during the session. You can transfer ownership from the personas of a non-active user to the personas of one or more active users. You must perform one delete, disable, or transfer operation at a time. Repeat the operations as many times as necessary to process all the content for the non-active user.

When you transfer content ownership, the new owner does not have to match the non-active user with respect to role permissions and computer management group assignments. However, transferring ownership of scheduled actions and saved questions to a non-matching user might have unintended consequences. For example, all scheduled actions that you transfer to a non-matching user are disabled after the transfer. Before performing the transfer, compare the computer management group assignments of the non-active user and the new owner to understand which endpoints will receive the actions and questions after the transfer. To see computer group assignments for a user, select Console > Administration > Users, select the user, and click View User.

Perform the following steps to delete, disable, or transfer ownership of the content that a non-active user owns:

  1. From the Main menu, select Console > Content > Content Alignment and click Manage Non-Active User Content.
  2. Select the row for the user (persona) and click Manage Content.
  3. Select an option to manage the content.

    • Delete Selected Content: Remove content that the non-active user owns and that no other users need.
    • Disable Selected Scheduled Content: Disable activities that repeat on a schedule, such as saved questions with reissue intervals, scheduled actions, or plugin schedules that run in the context of the non-active user.
    • Transfer Selected Content to Matching User: Transfer ownership of content that is still needed to a user that has the same role and computer management group assignments as the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a matching persona of the new owner.
    • Transfer Selected Content to Administrator: Transfer ownership of content that is still needed to any user who has the Administrator reserved role, regardless of whether the computer group and role assignments of that user match the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
    • Transfer Selected Content to Any User: Transfer ownership of content that is still needed to any user, regardless of whether the computer group and role assignments of that user match the non-active user. Select the user name of the new owner. If you are transferring content that belongs to an alternative persona, also select a persona of the new owner.
  4. In the Select Content section, review and select the content that you want to delete, disable, or transfer.
  5. Click Confirm.

After you delete a user, Tanium module features associated with the user, such as a scheduled Tanium Connect job that the user created, might stop running. If this is the case, go to the module workbench and update the configuration. For example, in Connect, you can go to the Connections page and click the Take Ownership link to give ownership of the scheduled connection to the user account that you used to log in.

Enable or disable access for local users

By default, users whose accounts are local to the Tanium Server can access the Tanium Console. However, if you transition to an external authentication service such as an LDAP server or SAML IdP and you want to ensure all user access is through that service, disable local authentication.

Local users on a Tanium Appliance

To disable or re-enable Tanium Console access for user accounts that are local to a Tanium Appliance, see Tanium Appliance Deployment Guide: Configure the local authentication service.

Local users on a Windows server

Perform the following steps to disable or re-enable Tanium Console access for user accounts that are local to a Tanium Server installed on a Windows server.

If you disable local account logins and the remote authentication service later stops working (for example, the connection to the LDAP server or SAML IdP goes down), no users can access the Tanium Console, including the default user. In such cases, you must re-enable local authentication through the CLI by running the following command from the Tanium Server installation directory:
TaniumReceiver global-settings set soap_enable_local_auth 1

  1. From the Main menu, select Console > Administration > Global Settings and select soap_enable_local_auth in the grid.
  2. In the Selected System Setting pane, click Edit.
  3. In the Setting Value, enter 0 to disable or 1 to enable local authentication.
  4. Click Save.

Copy the users configuration summary

You can copy the details of the users configuration page to a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

Copy a single row

  1. From the Main menu, select Console > Administration > Users.
  2. Select the row for a user.

    When you select a row, tools appear above the grid.

  3. Click Copy above the grid to copy the row details to the clipboard.

Copy all rows

  1. From the Main menu, select Console > Administration > Users.
  2. Click Copy All in the grid header.

Export the users configuration

You can export the users configuration to a JSON file that can be examined during troubleshooting.

  1. From the Main menu, select Console > Administration > Users.
  2. Click Export All in the grid header.