Managing users

The user configuration associates user groups, computer groups, and roles with a user. Use the Administration > Users page to view, add, edit, or delete user configurations. You can use the text field above the grid to filter by user name, display name, or domain name. You can also use the Filter Results options to filter the list by User Group and Computer Group assignments.

Selecting a Computer Group filters the list based only on the computer groups that are explicitly assigned to users. For example, say a user configuration has a role that specifies unrestricted management rights to all computer groups but does not have a Windows-only computer group assigned. If you filter by the Windows-only computer group, the list will exclude that user even though the Windows-only computer group is a subset of all the computers to which the user has management rights.

For the user role permissions required to manage users, see RBAC management permissions.

To import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, see Integrating with LDAP servers.

Default user

The Tanium Server installation process creates a Tanium Console user account with superuser-like permissions (comparable to the root or admin user in an operating system). This initial user has the All Groups computer group permission and the Administrator reserved role, which together allow it to do anything in the Tanium Core Platform. Unlike root and admin, however, this user is not a built-in account: you can modify or delete it.

Create a user

When you create a new user configuration, by default it has no computer groups, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but cannot access anything.

  1. Go to Administration > Users.
  2. Click New User.
  3. Specify a user name that corresponds with:
    • (Most common) An Active Directory (AD) account name. Specify just the user name, not the domain name.
    • A local Windows user account that is defined on the Tanium Server.

    With both options, the Tanium Console uses Windows Authentication. The Tanium Core Platform does not store or manage its own set of user credentials.

  4. Save the configuration.

Edit user properties

You can add name-value pairs to document user details such as full name, organization, email address, and phone number.

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. Click Properties.
  4. Click Add Property.
  5. Use the controls to add name-value pairs.
  6. Save the configuration.

Assign computer groups to a user

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. Click Manage Computer Groups and Edit.
  4. Specify Selected Management Rights, select the computer groups that you want the user to manage, and click Save.

    Selections are combined as a union: a user assigned both All Computers and No Computers effectively has All Computers. Tanium strongly recommends that you do not select Unrestricted Management Rights unless you intend the user to be able to ask questions of all endpoints across all computer groups, regardless of security considerations.

  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign user groups to a user

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. Click Manage User Groups and Edit.
  4. Select user groups and click Save.
  5. Click Show Preview to Continue to review the impact of your changes.
  6. Save the configuration.

Assign roles to a user

  1. Go to Administration > Users.
  2. Click the User Name of the user configuration that you want to edit.
  3. Click Edit Roles.
  4. In the Grant Roles section, click Edit, select roles, and click Save.
  5. In the Deny Roles section, click Edit, select roles, and click Save.
  6. Click Show Preview to Continue to review the impact of your changes.
  7. Save the configuration.

View effective permissions

  1. Go to Administration > Users to open the users summary page.
  2. Click the User Name of the user configuration that you want to review.
  3. Review the role assignment, inherited roles, and the lists of the resulting global, micro admin, and content set permissions.
  4. Click Back to all Users to return to the users summary page.

Delete or lock out a user

When employees depart your organization, you have a few options to lock down access to Tanium:

  • Assign the Deny All role to the user. The user can still log into the Tanium Console, but cannot access any console functionality. Usernames are grayed out in the Administration > Users page for users with the Deny All role.
  • Delete the Tanium Console configuration for a manually created user.
  • Disable the Active Directory or LDAP user account that is associated with the Tanium Console user configuration, or, if it is an administrator alias account, change its password. If the user was imported through an LDAP sync connection, manage the user details in your LDAP server so that the user is no longer imported when the Tanium Server next initiates a sync.

Considerations when deleting users

When you delete a user:

  • Plugin schedules associated with the user continue to run.
  • Saved question schedules associated with the user continue to run.
  • Scheduled actions associated with the user stop running.

After you delete the user, you can go to the Transfer Content page to delete the user's content or to complete a workflow to associate the content with an active user.

Locked-out users

Users that were created by LDAP sync connectors are designated as "locked out" when the LDAP sync data indicates that the user's LDAP account is disabled or when the LDAP sync data for the user account is missing. While the user has "locked out" status, the user cannot log in, but scheduled content that is associated with the user continues to run.

The status of locked out users is shown on the Users grid:

  • Locked out - disabled

    The data returned in the latest sync indicates the account is disabled. When off-boarding employees, it is a best practice to disable the user's LDAP account rather than delete it so that associated records are not deleted.

  • Locked out - missing

    There was no data for the user in the latest sync. Data might be missing if the user was deleted from the LDAP server or otherwise no longer matches the filter expression used by the LDAP sync connector.

Typically, you should check with your organization on how to handle locked out users. You can delete them, and you can transfer content associated with them to another user.

Delete a user

  1. Go to Administration > Users.
  2. Select the row for the user and click Delete.

Transfer content from a deleted user to an active user

The Manage Non-Active User Content page lists users that are deleted or "locked out" and have content associated with their user accounts. Complete the workflow to delete the content or transfer it to a matching active user.

You can use the Manage Non-Active User Content page to delete some of the deleted user's content and to assign some of it to one or more matching users. Delete and transfer actions are performed one at a time, so repeat the workflow until all of the deleted user's content has been handled.

  1. Go to Content Alignment > Manage Non-Active User Content.
  2. Select the row for the user and click Manage Content.
  3. Select an option to manage the content associated with the user:
    • Delete Selected Content. Use this option to clean up objects that were created by the user and are no longer needed.
    • Disable Selected Scheduled Content. Use this option to disable activities that repeat on a schedule, such as saved questions with reissue intervals, scheduled actions, or plugin schedules that run in the context of the deleted user.
    • Transfer Selected Content to Matching User. Use this option to transfer ownership of content that is still needed.
  4. If you select the transfer option, select a matching user. The matching user list is populated by users that have exactly the same computer group management rights and RBAC permissions.
  5. Select content.
  6. Click Confirm.

To transfer content from a deleted user to an active user, the active user's computer group management rights and RBAC permissions must exactly match the deleted user's. This ensures your RBAC restrictions continue to be enforced. It is a best practice to have users inherit rights and permissions from user groups. This makes it easy to find a matching user when it comes time to transfer a deleted user's content.
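The following Python model is an added illustration of the RBAC rules this page describes (the explicit-assignment behaviour of the computer group filter, the union rule for management rights, grant and deny roles including Deny All, and the exact-match rule for transferring a deleted user's content). It is constructed for this page and is not Tanium code; the role, user group, user and permission names are hypothetical, and it assumes that roles inherited from user groups add to the user's granted roles, that a deny role removes the permissions it names, and that Unrestricted Management Rights, whether set on the user or carried by a role such as Administrator, grants every computer group.

```python
"""Constructed model of the RBAC semantics described on this page (not Tanium code).
Assumptions not stated on the page: effective roles = granted roles + roles inherited
from user groups; a deny role removes the permissions it names; Unrestricted
Management Rights (on the user or carried by a role) grants every computer group;
the Users grid filter inspects only assigned computer groups, not effective rights."""
from dataclasses import dataclass

ALL_COMPUTERS = "All Computers"
NO_COMPUTERS = "No Computers"
ALL_GROUPS = frozenset({ALL_COMPUTERS, "Windows-only", "Linux-only"})  # hypothetical groups


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    unrestricted: bool = False  # assumption: role carries Unrestricted Management Rights


@dataclass(frozen=True)
class UserGroup:
    name: str
    roles: frozenset
    computer_groups: frozenset


@dataclass
class User:
    name: str
    grant_roles: frozenset = frozenset()
    deny_roles: frozenset = frozenset()
    user_groups: tuple = ()
    computer_groups: frozenset = frozenset()  # Selected Management Rights
    unrestricted: bool = False                # Unrestricted Management Rights option


def effective_roles(user):
    return user.grant_roles | frozenset().union(*(g.roles for g in user.user_groups))


def effective_permissions(user):
    granted = frozenset().union(*(r.permissions for r in effective_roles(user)))
    denied = frozenset().union(*(r.permissions for r in user.deny_roles))
    return granted - denied


def assigned_computer_groups(user):
    """Groups assigned directly or through user groups: what the grid filter sees."""
    return user.computer_groups | frozenset().union(
        *(g.computer_groups for g in user.user_groups))


def management_rights(user):
    """Groups the user can actually manage (what effective permissions reflect)."""
    if user.unrestricted or any(r.unrestricted for r in effective_roles(user)):
        return ALL_GROUPS
    groups = assigned_computer_groups(user)
    if ALL_COMPUTERS in groups:  # the union of All Computers and No Computers is All Computers
        return ALL_GROUPS
    return groups - {NO_COMPUTERS}


def filter_by_computer_group(users, group):
    """Users grid filter: explicit assignment only, so unrestricted users are excluded."""
    return [u.name for u in users if group in assigned_computer_groups(u)]


def matching_users(source, users):
    """Candidates for Transfer Selected Content to Matching User: exact match on both axes."""
    return [u.name for u in users
            if u.name != source.name
            and effective_permissions(u) == effective_permissions(source)
            and management_rights(u) == management_rights(source)]


def offboard(user):
    """Deny All: the user can still log in but every permission is removed."""
    return User(user.name, user.grant_roles, user.deny_roles | {DENY_ALL},
                user.user_groups, user.computer_groups, user.unrestricted)


# Constructed roles, user groups and users for the demonstration
ASK, DEPLOY, MANAGE_USERS = "Ask Questions", "Deploy Actions", "Manage Users"
ADMINISTRATOR = Role("Administrator", frozenset({ASK, DEPLOY, MANAGE_USERS}), unrestricted=True)
OPERATOR = Role("Operator", frozenset({ASK, DEPLOY}))
DENY_ALL = Role("Deny All", frozenset({ASK, DEPLOY, MANAGE_USERS}))
WIN_OPS = UserGroup("Windows Ops", frozenset({OPERATOR}), frozenset({"Windows-only"}))

alice = User("alice", grant_roles=frozenset({ADMINISTRATOR}))           # unrestricted via role
bob = User("bob", grant_roles=frozenset({OPERATOR}),
           computer_groups=frozenset({"Windows-only"}))                  # explicit assignment
carol = User("carol", user_groups=(WIN_OPS,))                            # inherits from user group
dave = User("dave", grant_roles=frozenset({OPERATOR}),
            computer_groups=frozenset({ALL_COMPUTERS, NO_COMPUTERS}))    # union rule
USERS = [alice, bob, carol, dave]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sorted(management_rights(u)), sorted(effective_permissions(u)))
    print("filter Windows-only:", filter_by_computer_group(USERS, "Windows-only"))
    print("matches for bob:", matching_users(bob, USERS))
    print("bob after Deny All:", sorted(effective_permissions(offboard(bob))))
```

Running the script shows the three behaviours worth remembering: alice manages every group yet is absent from the Windows-only filter result, dave's All Computers plus No Computers selection collapses to All Computers, and only carol, who inherits exactly bob's roles and computer group through a user group, qualifies as a matching user for bob's content.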

When you delete a user, a solution module feature associated with that user, such as a scheduled Tanium™ Connect job that the user created, might stop running. If so, go to the solution module and update the configuration. For example, in Connect, you can go to the Connections page and click the Take Ownership link to give the logged-in user ownership of the scheduled connection.

Copy the users configuration summary

You can copy the details of the users configuration page to a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

Copy a single row

  1. Go to Administration > Users.
  2. Select the row for a user.

    When you select a row, tools appear above the grid.

  3. Click Copy above the grid to copy the row details to the clipboard.

Copy all rows

  1. Go to Administration > Users.
  2. Click Copy All in the grid header.

Export the users configuration

You can export the users configuration to a JSON file that can be examined during troubleshooting.

  1. Go to Administration > Users.
  2. Click Export All in the grid header.

Last updated: 10/15/2019 2:34 PM