Tanium Console and Interact requirements

Web browser requirements

Use one of the following supported browsers to access the Tanium Console:

Google Chrome (recent)
Microsoft Internet Explorer 11 and later
Microsoft Edge (recent)
Mozilla Firefox (recent)
Safari (recent)

The Tanium Console is designed for a display resolution of at least 1280 pixels wide and at least 720 pixels high. The Tanium Console might not appear as designed in browser windows smaller than these dimensions.

Update the following Internet Explorer settings if their current configuration interferes with the Tanium Console display:

Add the Tanium as a Service (TaaS) instance Tanium Server to the Trusted Sites list in the browser.
Ensure the browser is not configured to ignore fonts that the Tanium Console specifies.

Tanium dependencies

The Tanium Console and Interact depend on other Tanium Core Platform components.

You can update the Tanium Console and Interact versions independently from the Tanium Core Platform. For details, see Managing Tanium solutions.

Component	Requirement
Tanium Console	Console 2.0 or later requires Tanium Core Platform 7.4.4 or later. Console 1.4.3 requires Tanium Core Platform 7.4.3 or later. Console 1.4.2 requires Tanium Core Platform 7.4.2 or later. Console 1.4.1 requires Tanium Core Platform 7.4.1 or later. Console 1.3.3 requires Tanium Core Platform 7.3.3 or later. Console 1.3.2 requires Tanium Core Platform 7.3.2 or later. Console 1.3.1 requires Tanium Core Platform 7.3.1 or later. Console 1.2.2 requires Tanium Core Platform 7.2 or later.
Tanium Interact	Interact 2.3 or later requires Tanium Core Platform 7.3.314.4250 or later. Interact 2.1 and Interact 2.2 require Tanium Core Platform 7.4 or later. Interact 2.0 requires Tanium Core Platform 7.2 or later.
Tanium content	The Interact module does not include content. However, Interact functionality depends on sensors, saved questions, dashboards, and categories that derive from you import when installing Tanium content packs and other Tanium modules.
License	The license entitlement for the Tanium Core Platform includes the Tanium Console and Interact. For details, see Managing the Tanium license.

Tanium Server computer resource and network requirements

Unlike other modules, Interact is installed on the Tanium Server, not the Tanium Module Server. The Tanium Console is also installed on the Tanium Server. The resource specifications for the Tanium Server include the host computer resource and network requirements for the Tanium Console and Interact. See Tanium as a Service User Guide: Requirements the guide for your deployment for details.

Endpoints

Supported operating systems

The Tanium Console and Interact support the same operating systems (OSs) for endpoints that the Tanium Client supports:

Windows
MacOS
Linux
AIX
Solaris

For details about support for specific OS versions, see Tanium Client User Guide: Host system requirements.

Disk space requirements

On managed endpoints, the Tanium Console and Interact require at least 100 MB of disk space and another 100 MB of cache space for data files. The cache space includes the Tanium Client shard cache and objects such as sensors and logs.

Processor requirements

On managed endpoints, the Tanium Console and Interact require at least 10 MB of RAM and account for less than 0.5% of idle CPU usage.

Host and network security requirements

Host and network security requirements for the Tanium Core Platform apply to the Tanium Console and Interact. For details, see:

User role requirements

Before using the Tanium Console or Interact to perform tasks, verify that your user account has the necessary roles and permissions, as listed in the following sections. To configure and assign roles, see Managing roles.

Tanium Core Platform configuration permissions

The following table summarizes the roles and micro admin permissions that are required to import or upgrade Tanium solutions, customize the Tanium Console, and configure Tanium Core Platform settings.

Table 1: User roles and permissions for configuring your Tanium deployment
Tasks	Tanium Console Administration pages	Roles and permissions
Import, export, upgrade, or uninstall Tanium modules and content packs Export and import content Upgrade the Tanium Console	Tanium Solutions	The Administrator reserved role can perform all these tasks. Import Signed Content permission also enables importing digitally signed content files.
Customize the Tanium Console Main menu (color, logo, custom text, and help URL) and the confirmation prompt for configuration changes	Configuration > Miscellaneous	Administrator reserved role only
Manage allowed URLs	Management > Allowed URLs	Write Allowed Urls permission is required to create, modify, or delete the allowed URLs configurations. Read Allowed Urls permission is required to export the allowed URLs configurations. The Administrator reserved role has these permissions. The Administrator and Content Administrator reserved roles can also import the allowed URLs configurations.
Manage proxy server settings	Configuration > Common > Proxy Settings	Administrator reserved role only
Configure Tanium Client subnets	Configuration > Subnets	Write Isolated Subnets permission is required to create, modify, or delete the isolated subnets configuration. Read Isolated Subnets permission is required to view the isolated subnets configuration. Write Separated Subnets permission is required to create, modify, or delete the separated subnets configuration. Read Separated Subnets permission is required to view the separated subnets configuration. The Admin Administrator reserved role has all these permissions.
Manage bandwidth throttling	Configuration > Bandwidth Throttles	Write Global Bandwidth Throttles permission is required to create, modify, or delete global bandwidth throttles. Read Global Bandwidth Throttles permission is required to view the global bandwidth throttles configuration. Write Subnet Bandwidth Throttles permission is required to create, modify, or delete site (subnet-specific) bandwidth throttles. Read Subnet Bandwidth Throttles permission is required to view the site (subnet-specific) bandwidth throttles configurations. The Admin Administrator reserved role has all these permissions.
Manage Tanium licenses	Configuration > Tanium Server > Tanium License	Administrator reserved role only
Manage Tanium keys	Configuration > Tanium Server > Tanium Public Key Configuration > Tanium Server > Root Key Management	Administrator reserved role only
Manage trust approval and revocation among Tanium Core Platform servers	Configuration > Tanium Server > Active-Active Server Trusts Configuration > Tanium Server > Zone Server Hub Trusts	Administrator reserved role only
Configure server logging levels	Configuration > Common > Log Level	Administrator reserved role only
Configure global settings	Management > Global Settings	Write Global Settings permission is required to create, modify, or delete global settings configurations. The Administrator reserved role has this permission.

Tanium Interact permissions

Tanium has roles and permissions for both the Interact module and the associated Tanium Data Service.

Interact module permissions

The Interact module has the following predefined module roles and associated module permissions.

Table 2: Interact user roles and permissions
Permission	Interact Power User role	Interact Basic User role
Show Interact View the Interact workbench.
Interact Module Read View Interact content. This module permission provides these advanced permissions: Read Filter Group, Read Sensor, Read Saved Question, Read Dashboard, and Read Dashboard Group.	¹	¹
Interact Module Write Add, edit, or delete Interact content. This module permission provides the Interact Module Read permission. It also provides these advanced permissions: Read Filter Group, Read Sensor, Read Saved Question, Read Dashboard, Read Dashboard Group, Write Saved Question, Write Dashboard, Write Dashboard Group.	¹
Interact Execute Action Deploy actions in the Interact module. This module permission provides the Interact Module Read and Interact Module Write permissions. It also provides these advanced permissions: Read Filter Group, Read Sensor, Read Saved Question, Read Dashboard, Read Dashboard Group, Read Package, Read Action, Write Saved Question, Write Dashboard, Write Dashboard Group, and Write Action.
¹ Denotes a provided permission.

The following table lists the provided advanced permissions and associated content sets (see the table footnotes) for the Interact module permissions in Table 2.

Table 3: Provided Interact advanced role permissions
Permission	Interact Power User role	Interact Basic User role	Interact Read-Only User role	Interact Show role
Read Sensor^¹ View and use sensors in the Interact Explore Data field, Question Builder, and similar user interfaces throughout the Tanium Console.
Read Saved Question^¹ View saved questions in the Interact workbench.
Read Dashboard^¹ View dashboards in the Interact workbench.
Read Dashboard Group¹ View categories in the Interact workbench.
Read Filter Group² View and use computer filter groups in questions and question results within the Interact workbench.
Ask Dynamic Questions Issue questions through the Interact Explore Data field and Question Builder. This is a global advanced permission: it applies to all content sets.
Write Saved Question³ Create, edit, or delete saved questions, and assign them to content sets for which the user has permission.
Write Dashboard³ Create, modify, or delete dashboard configurations. Read Saved Question content set permissions determine which saved questions are available in dashboards.
Write Dashboard Group^³ Create, modify, or delete category configurations. Read Dashboard content set permissions determine which dashboards are available in categories.
Read Package^¹ Select packages for actions in the Deploy Action page.
Read Action¹ View the Actions pages. The visibility of rows in the grid depends on the Read Action permission on the content sets for the associated packages.
Write Action^¹ See and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions. View the Administration > Actions > Scheduled Actions page. Users can see rows for actions they issued. If a user has the Read Action permission on the content set for the underlying package, that user can see rows for actions that other users issued. Implies the Read Own Action, Read Package, and Show Preview permissions.
^¹ These permissions apply to the following content sets: AD, Base, Client Management, Core Content, Core MSSQL Content, Default, File System, Hardware, Interact, MSSQL, Network, OS, Python, Registry, Reserved, Security, Software, Tagging. ² This permission applies to the Default Filter Groups content set. ^³ These permissions apply to the Interact content set.

The following table summarizes the permissions required to perform specific tasks in the Tanium Interact module. The module workbench includes the Interact Overview page and Question Builder page. The Admin Administrator reserved role has all the listed permissions. The table also indicates whether other reserved roles have permissions for the features.

Table 4: Required permissions to perform Interact tasks
Tasks	Roles and permissions
Install or uninstall Interact	Administrator reserved role only
All tasks in Interact	Show Interact (module) permission is required for all Interact features, so be sure to assign a role with that permission to all Interact users.
View Interact content	Interact Module Read (module) permission is required to view content in the Interact content set.
Manage Interact content	Interact Module Write (module) permission is required to add, edit, or delete content in the Interact content set.
Deploy actions in Interact	Interact Execute Action (module) permission enables users to deploy actions in the Interact module. It implies the advanced permissions Read Package, Read Action, and Write Action.
Issue questions through the Explore Data field and Question Builder	Ask Dynamic Questions permission is required to issue questions through the Explore Data field and Question Builder. You can assign the permission to any advanced role. Read Sensor content set permissions determine which sensors are available for you to select for questions. Read Filter Group content set permissions determine which computer filter groups are available for you to view and select for questions and question results. The Tanium™ Asset module stores endpoint information that is visible in the Question Results grid to users who have the Asset Report Read permission. The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Save a question	Write Saved Question permission is required to assign a saved question to content sets for which you have permission. Write Saved Question is also required to create, edit, or delete saved questions. The Read Sensor content set permissions determine the available sensors. Read Filter Group content set permissions determine the available filter groups. In addition to the Write Saved Question permission, users require the Write Action and Write Package permissions to add associated actions to a new saved question configuration. In addition to these three permissions, users require owner permissions for the question if they want to modify or delete the associated actions. The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Use Interact Saved Questions	Read Saved Question content set permissions determine the saved questions that you can see in the Tanium Console, such as on the Interact Overview page, Question Builder page, and Question Results grid drill-down. Read Sensor permission is required for the sensors specified in a saved question that you want to issue. Read Filter Group content set permission is required for the filter groups specified in the saved question. Ask Dynamic Questions permission is required to use the drill down feature in the saved question results grid.
Use Interact Categories	Read Dashboard Group content set permissions determine the categories that you can see in the Tanium Console, such as on the Interact Overview page. Write Dashboard Group permission is required to create, modify, or delete category configurations. Read Dashboard content set permissions determine which dashboards are available in categories. The Admin reserved role Administrator and Content Administrator reserved roles can export and import categories.
Use Interact Dashboards	Read Dashboard content set permissions determine the dashboards that you can see in the Tanium Console, such as on the Interact Overview page. Write Dashboard permission is required to create, modify, or delete dashboard configurations. Read Saved Question content set permissions determine which saved questions are available in dashboards. The Admin Administrator or Content Administrator reserved role can export and import dashboards. Note: By default, new dashboards are added to the Other Dashboards category, which is visible only to users with the Admin Administrator or Content Administrator reserved role. Therefore, only users with that role one of those roles, or the user who created the dashboard, can see the new dashboard. To make the dashboard visible to other users, you must move it to another category.
Deploy an action	Write Action permission is required to see the Deploy Action button on the Question Results grid. Read Package content set permissions determine which packages are available for you to select for actions. Read Sensor and Read Saved Question permissions on the Reserved content set are required to complete the deploy action workflow. During the workflow, these permissions allow special saved questions that TaaS the Tanium Server uses to track and report action status. The Admin Administrator reserved role has all these permissions.
Use the Interact Overview page	To see the following sections of the Interact Overview page, users require the specified permissions: Overview: Read Dashboard Group, Read Dashboard, and Read Saved Question permissions control the summary counts. Favorite Categories: Read Dashboard Group permission Favorite Dashboards: Read Dashboard permission Favorite Saved Questions: Read Saved Question permission The Admin Administrator reserved role has all these permissions.

Tanium Data Service permissions

The Tanium Data Service has the following predefined module roles and associated module permissions.

Table 5: Tanium Data Service user roles and permissions
Permission	Data Collection Administrator role	Data Collection Operator role	Data Collection Service Account role
Data Collection Administrator Unrestricted access to configure data collection.
Data Collection Registration Read View the Interact Settings > Registration & Collection page to see which sensors are registered for results collection.
Data Collection Registration Write Register or unregister sensors for results collection, pause (disable) or resume (enable) collection, and purge results.
Data Collection Start Manually start an unscheduled query to collect sensor results.
Data Collection Status Read View the Data Service Status chart in the Interact Info page.
Data Collection Metrics Read View the Data Service Sensor Metrics and Data Service Database Metrics charts in the Interact Info page.
Data Collection Operator Access to configure data collection settings.
Data Collection Service Account Collect sensor results.
Data Collection Service Account Read View the Interact Settings > Service Account page, which displays information about the service account that the Tanium Data Service uses to collect sensor results.
Data Collection Service Account Write Change the service account that the Tanium Data Service uses to collect sensor results.
Show Interact View the Interact workbench.

The Tanium Data Service roles also have the following micro admin and advanced permissions:

Table 6: Provided Tanium Data Service user role permissions
Permission	Data Collection Administrator role	Data Collection Operator role	Data Collection Service Account role
Read Computer Group A micro admin permission that enables viewing and using computer management groups and filter groups in questions and question results within the Interact workbench.
Ask Dynamic Questions A global advanced permission that applies to all content sets. It enables issuing questions through the Interact Explore Data field and Question Builder.
Read Sensor An advanced permission that enables viewing and using sensors in the Interact Explore Data field, Question Builder, and similar user interfaces throughout the Tanium Console. All Tanium Data Service roles have this permission on the following content sets: Base, Client Management, Core Content, Default, Interact, and Reserved. The Data Collection Service Account role also has this permission on the Tanium Data Service content set.
Write Saved Question An advanced permission that enables creating, editing, or deleting saved questions, and assigning them to content sets for which the user has permission. This permission applies to the Interact and Tanium Data Service content sets.

Action management permissions

The following table summarizes the roles and permissions that are required to manage actions. When you configure roles, apply the permissions to the content sets that include the packages associated with the actions. The listed permissions are advanced role permissions except where otherwise noted.

Table 7: User role requirements for managing actions
Tasks	Tanium Console Administration pages	Roles and permissions
Deploy actions, including action locks	Question Results Saved question results	Write Action permission is required to see the Deploy Action button on the Question Results grid. Read Package content set permissions determine which packages are available for selection in actions. Read Sensor and Read Saved Question permissions are required on the Reserved content set. TaaS The Tanium Server uses special saved questions to track action status and report action status within the deploy action workflow. Therefore, these permissions are required to complete the workflow. The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Manage scheduled actions	Actions > Scheduled Actions	Read Action permission is required to view the Scheduled Actions page. Read Action permission on the content sets for the underlying packages determines the specific actions (grid rows) that you can view, export, and copy (to your clipboard) and the package files that you can re-download. Write Action permission: Enables users to see rows for actions that they issued. Users can see rows for actions that others issued if the users have Read Action permission on the content set for the underlying package. Enables users to see and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions. Enables users to export specific scheduled actions for which they have Write Action permission. Implies the Read Own Action, Read Package, and Show Preview permissions. Write Action for Saved Question permission: Enables users to see the Scheduled Actions page, but the only rows are for the actions that the user has deployed. Enables users to see and use the Deploy Action button on the Question Results grid, but only for saved questions that are configured with an associated package. The Read Package permission is not required for the associated package. If the saved question is not configured with an associated package, the Deploy Action button does not appear. Tip: Use the Write Action for Saved Question permission instead of the Write Action permission to limit use by action users who use Tanium to execute standard operating procedures that someone else created. Read Sensor and Read Saved Question permissions are required on the Reserved content set for users to deploy, edit, or check the status of actions. The Reserved content set includes content used to ask preview and polling questions. The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions, and can export or import the complete scheduled actions configuration.
Manage action groups	Actions > Scheduled Actions	Read Action Group (micro admin) permission is required to view and export action groups in the Actions > Scheduled Actions page. Write Action Group (micro admin) permission is required to create, edit, and delete action groups. The Admin Administrator reserved role has these permissions.
Manage action history	Actions > Action History	Read Action permission is required to view the Action History page. Read Action permission on the content sets for the underlying packages determines the specific actions (grid rows) that you can view, export, and copy (to your clipboard) The Admin reserved role has Administrator and Content Administrator reserved roles have these permission.
View action summary (status)	Action Summary	The following permissions are required to view and use the Action Summary page. This page appears when you deploy an unscheduled action. You can access it from the Action History page also. Read Saved Question permission (regardless of content sets) is required to view the Action Summary page of an action in the Action History grid. Read Package permission on the content set for the underlying package is required to view files in the Action Summary page. Read Sensor and Read Saved Question permissions on the Reserved content set are required to view and use the Show Client Status Details button in the Action Summary page. Read Sensor permission on the Client Management content set is required to view and use the Get action log for selected machines button in the Action Summary page. The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Review and approve pending actions, or bypass action approval	Actions > All Pending Approval Actions > Actions I Can Approve	Approve Action permission: Users require this permission to view the All Pending Approval page. Users require this permission on the content set for the underlying package to approve actions that another user created. Users cannot approve their own actions. Read Action permission on the content set for the underlying packages determines which actions (grid rows) you can see and export on the All Pending Approval page. Read Own Action permission is required for users to see their own actions on the All Pending Approval page. Bypass Action Approval permission enables users to bypass approval for their own actions. The permission does not apply retroactively. The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions except Bypass Action Approval.

Content management permissions

The following table summarizes the roles and permissions that are required to manage content such as sensors, packages, saved questions, and filter groups. The listed permissions are advanced role permissions, except where otherwise noted. You apply the permissions to one or more content sets to manage the content that is assigned to those sets.

Table 8: User role requirements for managing content
Tasks	Tanium Console Administration pages	Roles and permissions
Manage sensors	Content > Sensors Content > Quarantined Sensors	Read Sensor permission on content sets is required to view the sensors that are assigned to those content sets, or to export those sensors in CSV format. The Admin reserved role has this permission. Write Sensor permission is required to create, edit, or delete sensors. The Administrator and Content Administrator reserved roles have Write Sensor and Read Sensor permissions. Only the Administrator reserved role can import sensors or export them in JSON format. Write Global Setting (global admin) permission is required to enable or disable sensor quarantine enforcement. The Administrator reserved role has this permission. Read Sensor or Ask Dynamic Question permission is required to view quarantined sensors. Computer management group assignments determine on which endpoints users can manually quarantine or unquarantine sensors.
Manage packages	Content > Packages	Read Package permission on content sets is required to view the packages that are assigned to those content sets, or to export those packages in CSV format. Write Package permission is required to create, edit, or delete packages. The Administrator and Content Administrator reserved roles have these permissions. Only the Administrator reserved role can import packages or export them in JSON format. The Admin reserved role has these permissions, and can export all packages.
Manage saved questions	Content > Saved Questions	Read Saved Question permission on content sets is required to view the saved questions that are assigned to those content sets, or to export those saved questions in CSV format. Write Saved Question permission is required to create, edit, or delete saved questions. In addition to Write Saved Question, the Write Action and Write Package permissions are required to add associated actions to a new saved question. In addition to these three permissions, a user also requires owner permissions for the question to later edit or delete the associated actions: see the Visibility setting in Saved question settings. Read Sensor content set permissions determine which sensors users can select for questions. The Administrator and Content Administrator reserved roles have these permissions. Only the Administrator reserved role can import saved questions or export them in JSON format. The Admin reserved role has these permissions, and can export all saved questions.
Manage filter groups	Content > Filter Groups	Read Filter Group permission is required to view the Filter Groups page. The permissions required to view the configuration (group membership) of specific filter groups are: Read Filter Group permission on the content sets to which the filter groups are assigned Ask Dynamic Questions permission Read Filter Group permission on content sets is also required to export filter groups in CSV format. Write Filter Group and Ask Dynamic Questions permissions are required to create, clone, and edit filter groups. Only Write Filter Group permission is required to delete filter groups. Write Computer Group permission implies the Write Filter Group permission. Read Computer Group permission implies the Read Filter Group permission. The Administrator and Content Administrator reserved roles have these permissions. Only the Administrator reserved role can import filter groups or export them in JSON format. The Admin reserved role has these permissions, and can export all filter groups. All roles that have the Ask Dynamic Question permission in Tanium Core Platform 7.3 or earlier will have the Read Filter Group permission on the Default Filter Groups content set after you upgrade to version 7.4 or later.
Import content files	All Content and Permissions pages Tanium Solutions page	Import Signed Content (micro admin) permission is required to import digitally signed content files. The Administrator reserved role has the Import Signed Content permission.
Question history	Management > Question History	Read Question History (micro admin) permission is required to view and export information in the Question History page. However, a user with only the micro admin permission cannot load a question from the Question History page. Users who have the Admin Administrator reserved role can see the Question History page and load a question from the page.
Manage question and sensor runtime indicator thresholds	Configuration > Common > Sensor Thresholds	Administrator reserved role only
Manage content sets	Permissions > Content Sets Permissions > Content Alignment	Admin Administrator or Content Set Administrator reserved role only

RBAC management permissions

The following table summarizes the roles and permissions that are required to manage role-based access control (RBAC) configurations. The listed permissions are micro admin role permissions except where otherwise noted.

Table 9: Tanium Console user roles and permissions
Tasks	Tanium Console Administration pages	Roles and permissions
Manage content sets	Permissions > Content Sets Permissions > Content Alignment	Write Content Set permission is required to create, edit, and delete content sets; move content between content sets; and export content sets. This is not an explicit permission. The Permission Administrator permission implies the Write Content Set permission. The Admin reserved role has this permission. Administrator or Content Set Administrator reserved role only
Manage roles	Permissions > Roles	Administrator or Content Set Administrator reserved role only. Note that a Content Set Administrator cannot manage the assignment of reserved roles to users and user groups. Write Role permission is required to create, edit, and delete roles. This is not an explicit permission. The Permission Administrator permission implies the Write Role permission. Permission Administrator permission also implies the Read Role permission, which is required to view and export role configurations. Grant Role is one of the permissions that are required to edit role assignments. It is not an explicit permission. The Permission Administrator permission implies the Grant Role permission. The following combined permissions are required to edit role assignments: Permission Administrator and Write User permissions are required to edit the role assignments of users. Permission Administrator and Write User Group permissions are required to edit the role assignments of user groups. Permission Administrator and Write Persona permissions are required to edit the role assignments of personas. The Permission Administrator permission implies the Read Role, Read User, Read User Group, and Read Persona permissions. Therefore, only the Permission Administrator permission is required to view the role assignments of users, user groups, and personas. The Admin reserved role has all these permissions.
Manage computer groups	Management > Computer Groups Content > Filter Groups	Write Computer Group permission is required to create, edit, or delete computer management groups. This permission implies the Write Filter Group (advanced) permission, which is required to create, edit, or delete filter groups. To create a computer management group or filter group in which membership is based on a sensor filter, the following permissions are required in addition Write Computer Group: Read Sensor (advanced) permission on the Reserved content set, which includes content that is used to ask preview questions. Interact Module Write (module) permission. Computer groups with manually defined membership do not require the Read Sensor or Interact Module Write permissions. The following permissions are required to edit the assignments of computer management groups: Permission Administrator and Write User permissions are requiredWrite User permission is required to edit the computer management group assignments of users. Permission Administrator and Write User Group permissions are requiredWrite User Group permission is required to edit the computer management group assignments of user groups. Permission Administrator and Write Persona permissions are requiredWrite Persona permission is required to edit the computer management group assignments of personas. Read Computer Group permission is required to export computer management groups in CSV format. This permission implies the Read Filter Group (advanced) permission, which is required to see filter groups, use them for filtering questions or question results, and export filter groups in CSV format. The following permissions are required to view the assignments of computer management groups: Read User permission is required to view the computer management group assignments of users. Read User Group permission is required to view the computer management group assignments of user groups. Read Persona permission is required to view the computer management group assignments of personas. The Administrator reserved role has all these permissions and can import or export computer groups in JSON format. The Permission Administrator permission implies the Read User, Read User Group, and Read Persona permissions. Therefore only the Permission Administrator permission is required to view the computer management group assignments of users, user groups, and personas. The Admin reserved role has all these permissions.
Manage users	Management > Users	Write User permission is required to add a user, add properties to a user, edit the computer management group assignments of a user, save changes to a user, or delete a user. Write User and Write User Group permissions are required to edit the user group assignments of users. Changing the role, persona, or computer management group assignments of users requires the following permissions: Permission Administrator and Write User permissions are required to edit the computer management group assignments of users. Permission Administrator, Write Persona, and Write User permissions are required to edit the persona assignments of users. Permission Administrator and Write User permissions are required to edit the role assignments of users. Read User permission is required to view user configurations and export them in CSV format. Read User and Read User Group permissions are required to view the user group assignments of users. Read User permission is required to view the computer management group assignments of users. The Permission Administrator permission implies the Read User permission. Therefore, only the Permission Administrator permission is required to view the computer management group assignments of users. The Permission Administrator permission implies the Read Role, Read User, Read User Group, and Read Persona permissions. Therefore, only the Permission Administrator permission is required to view the role, user group, and persona assignments of users. The Admin reserved role has all these permissions. Only the Administrator reserved role has all of these permissions and can export users in JSON format. The Administrator or Content Set Administrator reserved role is required to change the role assignments of users. However, a Content Set Administrator cannot manage the assignment of reserved roles. The Administrator reserved role is required to change persona assignments. Users cannot modify their own persona, computer group, or role assignment.
Manage user groups	Management > User Groups	Write User Group permission is required to add a user group, edit a user group, edit the computer management group assignments of a user group, or delete a user group. Write User Group and Write User permissions are required to edit the user assignments of user groups. Changing the role, persona, or computer management group assignments of user groups requires the following permissions: Permission Administrator and Write User Group permissions are required to edit the computer management group assignments of user groups. Permission Administrator, Write Persona, and Write User Group permissions are required to edit the persona assignments of user groups. Permission Administrator and Write User Group permissions are required to edit the role assignments of user groups. Read User Group permission is required to view the computer management group assignments of user groups and to export user group configurations in CSV format. Read User Group and Read User permissions are required to view the user assignments of user groups. The Permission Administrator permission implies the Read User Group permission. Therefore, only the Permission Administrator permission is required to view the computer management group assignments of user groups. The Permission Administrator permission implies the Read Role, Read User, Read User Group, and Read Persona permissions. Therefore, only the Permission Administrator permission is required to view the role, user and persona assignments of user groups. The Admin reserved role has all these permissions. Only the Administrator reserved role has all of these permissions and can export user groups in JSON format. The Administrator or Content Set Administrator reserved role is required to change the role assignments of user groups. However, a Content Set Administrator cannot manage the assignment of reserved roles. The Administrator reserved role is required to change persona assignments.
Manage personas	Permissions > Personas	Administrator reserved role only Permission Administrator and Write Persona permissions are required to add, edit, and delete personas. The following permissions are required to edit the user, user group, computer management group, and role assignments of personas: Permission Administrator, Write Persona, and Write User permissions are required to edit the user assignments of personas. Permission Administrator, Write Persona, and Write User Group permissions are required to edit the user group assignments of personas. Permission Administrator and Write Persona permissions are required to edit the computer management group assignments of personas. Permission Administrator and Write Persona permissions are required to edit the role assignments of personas. Permission Administrator and Read Persona permissions are required to view and export persona configurations. Permission Administrator permission implies the Read Persona, Read User, Read User Group, and Read Role permissions. Therefore, only the Permission Administrator permission is required to view the user, user group, role, and computer management group assignments of personas. The Admin reserved role has all these permissions.
Import users and user groups from an LDAP server	Configuration > Authentication > LDAP Sync	Administrator reserved role only
Configure SAML authentication	Configuration > Authentication > SAML	Administrator reserved role only
Manage API tokens	Configuration > Authentication > API Tokens	View Token permission is required to see the Configuration > Authentication > API Tokens page. Use Token permission is required to send requests to the Tanium Server for new API tokens. Revoke Token permission is required to revoke API tokens that are used to access the Tanium Server.

Troubleshooting permissions

The following table summarizes the roles and permissions that are required to perform troubleshooting tasks in the Tanium Console. The listed permissions are advanced role permissions except where otherwise noted.

Table 10: User roles and permissions for configuring your Tanium deployment
Tasks	Tanium Console Administration pages	Roles and permissions
Monitor Tanium Client registration and communication	Management > Client Status	Read Client Status (micro admin) permission is required to see the Client Status page and filter the table. The Admin Administrator reserved role has this permission.
Configure server logging levels	Configuration > Common > Log Level	Administrator reserved role only
View plugins and plugin schedules	Configuration > Common > Plugins	Administrator reserved role only
View cache usage	Configuration > Tanium Server > Package File Repository	Administrator reserved role only
View the info page	https://<Tanium_Server>/info	Administrator reserved role only