Tanium Console and Interact requirements

Web browsers

Use one of the following supported browsers to access the Tanium Console:

  • Google Chrome (recent)
  • Microsoft Edge (recent)
  • Mozilla Firefox (recent)
  • Safari (recent)

The Tanium Console is designed for a display resolution of at least 1280 pixels wide and at least 720 pixels high. The Tanium Console might not appear as designed in browser windows smaller than these dimensions.

Core platform dependencies

The license entitlement for the Tanium Core Platform includes the Tanium Console, Tanium™ API Gateway, and Interact.

The Tanium Console and Interact depend on other Tanium Core Platform components:

  • Tanium license: The license entitlement for the Tanium Core Platform includes the Tanium Console, Tanium™ API Gateway, and Interact. For details, see Managing the Tanium license.

  • Tanium Core Platform servers: The Tanium Console and Interact require the following minimum versions of Tanium Core Platform servers, which include the Tanium Server, Tanium Module Server, and Tanium Zone Server:

    Solution Version Minimum Tanium Core Platform Servers Version
    Console 3.2 7.5.4
    Console 3.1 7.5.3
    Console 3.0 7.5.2
    Console 2.1 7.4.6
    Console 2.0 7.4.4
    Interact 2.8.105 7.5
    Interact 2.3 7.3.314.4250

You can update Tanium Console and Interact versions independently from the Tanium Core Platform. For details, see Managing Tanium solutions.

Interact dependencies

If you select Tanium Recommended Installation when you import Interact, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Interact to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Interact, the server automatically updates those dependencies to the latest available versions.

If you select only Interact to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Interact has the following required dependencies at the specified minimum versions:

  • Tanium™ Core Content 1.3.100
  • Tanium™ Default Computer Groups 1.0.6 or later
  • Tanium™ Default Content 8.1.95

Solution dependencies

All versions of Tanium modules and shared services support Tanium Console 3.0 or later and Tanium Core Platform 7.5.2 or later except the following solutions, which require a minimum version. Before updating to Console 3.0 or later, update all solutions to the required versions (see Import or update specific solutions) and uninstall any solutions that you do not plan to upgrade (see Managing Tanium solutions).

  • Asset 1.17.155

  • Client Management 1.7.191

  • Comply 2.10.900

  • Connect 5.2.6

  • End-User Notifications 1.8.38.0000

  • Enforce 1.8.197

  • Deploy 2.8.174

  • Discover 4.4.126

  • Health Check 1.12.18

  • Integrity Monitor 2.9.542

  • Map 3.5.32

  • Patch 3.1.66

  • Performance 1.10.57

  • Reputation 6.1.32

  • Reveal 1.4.0.0029

  • Threat Response 3.4.357

  • Trends 3.7.303

Tanium Console 3.0 or later does not support Tanium Protect or Tanium Network Quarantine. Remove these solutions before updating to Console 3.0 or later.

Core Platform resources

The Tanium Console and Interact workbenches are installed on the Tanium Server. The Tanium Data Service installs and runs as a service on the Tanium Module Server. The resource specifications for the Tanium Server include the host computer resource and network requirements for the Tanium Console and Interact. See Tanium Cloud Deployment Guide: Requirements the guide for your deployment for details.

Endpoints

Supported operating systems

The Tanium Console and Interact support the same operating systems (OSs) for endpoints that the Tanium Client supports:

  • Windows
  • MacOS 
  • Linux
  • AIX
  • Solaris

For details about support for specific OS versions, see Tanium Client Management User Guide: Client version and host system requirements.

Disk space requirements

On managed endpoints, the Tanium Console and Interact require at least 100 MB of disk space and another 100 MB of cache space for data files. The cache space includes the Tanium Client chunk cache and objects such as sensors and logs.

Processor requirements

On managed endpoints, the Tanium Console and Interact require at least 10 MB of RAM and account for less than 0.5% of idle CPU usage.

Host and network security

Host and network security requirements for the Tanium Core Platform apply to the Tanium Console and Interact. For details, see:

User role requirements

Before using the Tanium Console or Interact to perform tasks, verify that your user account has the necessary roles and permissions, as listed in the following sections.

Tanium provides several predefined roles that provide Interact module permissions and Reserved roles that you use for Tanium Console activities.

To configure custom roles and review the descriptions of individual permissions, see Configure a custom role.

To assign roles, see:

The following table summarizes the roles and administration permissions that are required to import or upgrade Tanium solutions, customize the Tanium Console, and configure Tanium Core Platform settings. For administration permissions that are related to troubleshooting, see Troubleshooting permissions.

 Table 1: User roles and permissions for configuring your Tanium deployment
Tasks Tanium Console Administration pages Roles and permissions
Export, import, update, or uninstall Tanium solutions and content

Automatic deployment of solution-specific tools

Not applicableSolutions Export Content: This permission is required to export the following content types in JSON format:
  • Allowed URLs
  • Computer management groups
  • Filter groups
  • Packages
  • Saved questions
  • Scheduled actions
  • Sensors

Only the Administrator reserved role can export categories and dashboards.

Import Signed Content: This permission is required to import digitally signed content files.

Global Settings: Write permission is required to enable or disable the restricted_targeting_recommended_configs platform setting, which controls the default action group to which certain Tanium solutions deploy tools. See Dependencies, default settings, and tools deployment.

The Administrator reserved role can export, import, update, or uninstall all Tanium solutions and content.

The Admin reserved role has this permission and can also export categories and dashboards.
Customize the Tanium Console Main menu (color, logo, custom text, and help URL) and the confirmation prompt for configuration changes Configuration > Appearance Administrator reserved role only
Manage allowed URLs Permissions > Allowed URLs Allowed URLs:

  • Write permission is required to create, modify, or delete the allowed URLs configurations.

  • Read permission is required to export the allowed URLs list in CSV format.

Export Content: This permission is required to export allowed URLs configurations in JSON format.

Import Signed Content: This permission is required to import allowed URL configurations.

The Administrator reserved role has these permissions and can import allowed URLs configurations.
Manage proxy server settings Configuration > Proxy Settings Administrator reserved role only
Download infrastructure configuration files (TLS keys) Configuration > Infrastructure Public Key: Read permission is required for Tanium REST API users to download the Tanium public key (tanium.pub) or initialization file (tanium-init.dat).

Only the Administrator reserved role can access the Infrastructure page to download those files through the Tanium Console.
Configure Tanium Client subnets Configuration > Subnets Isolated Subnets:

  • Write permission is required to create, modify, or delete the isolated subnets configuration.

  • Read permission is required to view the isolated subnets configuration.

Separated Subnets:

  • Write permission is required to create, modify, or delete the separated subnets configuration.

  • Read permission is required to view the separated subnets configuration.

Intentional Subnets:

  • Write permission is required to create, modify, or delete the intentional subnets configuration.

  • Read permission is required to view the intentional subnets configuration.

The Administrator reserved role has all these permissions.
Manage bandwidth throttling Configuration > Bandwidth Throttles Global Bandwidth Throttles:

  • Write permission is required to create, modify, or delete global bandwidth throttles.

  • Read permission is required to view the global bandwidth throttles configuration.

Subnet Bandwidth Throttles:

  • Write permission is required to create, modify, or delete site (subnet-specific) bandwidth throttles.

  • Read permission is required to view the site (subnet-specific) bandwidth throttles configurations.

The Administrator reserved role has all these permissions.
Manage Tanium licenses Configuration > Tanium License Administrator reserved role only
Manage Tanium keys Configuration > Key & Trust Management > Current Server

Configuration > Key & Trust Management > Activity Log

Administrator reserved role only
Manage trust approval and revocation among Tanium Core Platform servers Configuration > Key & Trust Management > Trusted Servers

Configuration > Key & Trust Management > Activity Log

Configuration > Zone Servers

Administrator reserved role only
Configure server logging levels Configuration > Logging Administrator reserved role only
Configure platform settings Configuration > Settings Global Settings:

  • Read permission is required to view platformglobal settings for the Tanium Core Platform servers and Tanium Clients.

  • Write permission is required to create, modify, or delete platformglobal settings.

The Administrator reserved role has this permission.

Tanium has roles and permissions for both the Interact module and the associated Tanium Data Service.

Interact module permissions

Interact has the following predefined module roles and associated module permissions.

 Table 2: Interact user role permissions
Permission Interact Power User Interact Basic User Interact Read-Only User Interact Show

Ask Dynamic Questions1

Issue questions through the Interact Ask a QuestionExplore Data field and Question Builder.
SPECIAL
SPECIAL

Interact

View the Interact workbench.
SHOW
SHOW
SHOW
SHOW

Interact Execute2

Deploy actions in Interact.
ACTION


Interact Module3,4

View, create, edit, or delete Interact content.
READ
WRITE
READ
WRITE
READ

1 This permission applies to the following content sets: Reserved.

2 The Interact Execute permission provides these platform content permissions: Filter Group read, Sensor read, Saved Question read, Dashboard read, Dashboard Group read, Package read, Action read, Saved Question write, Dashboard write, Dashboard Group write, and Action write.

3 The Interact Module read permission provides these platform content permissions: Filter Group read, Sensor read, Saved Question read, Dashboard read, and Dashboard Group read.

4 The Interact Module write permission provides these platform content permissions: Filter Group read, Sensor read, Saved Question read, Dashboard read, Dashboard Group read, Saved Question write, Dashboard write, Dashboard Group write.

The following table lists the provided platform content permissions and associated content sets (see the table footnotes) for the Interact permissions in Table 2.

 Table 3: Provided Interact platform content permissions
Permission Permission Type Interact Power User Interact Basic User Interact Read-Only User Interact Show
Action Platform Content
READ
WRITE


Dashboard Platform Content
READ
WRITE
READ
WRITE
READ
Dashboard Group Platform Content
READ
WRITE
READ
WRITE
READ
Filter Group Platform Content
READ
READ
READ
Own Action Platform Content
READ


Package Platform Content
READ


Plugin Platform Content
READ
EXECUTE
READ
EXECUTE
READ
EXECUTE
READ
EXECUTE
Saved Question Platform Content
READ
WRITE
READ
WRITE
READ
Sensor Platform Content
READ
READ
READ

You can view which content sets are granted to any role in the Tanium Console.

The following table summarizes the permissions required to perform specific tasks in Interact. Interact includes the Interact Overview page and Question Builder page. The Administrator reserved role has all the listed permissions. The table also indicates whether other reserved roles have permissions for the features.

 Table 4: Required permissions to perform Interact tasks
Tasks Roles and permissions
Install or uninstall Interact Administrator reserved role only
All tasks in Interact Interact show (module) permission is required for all Interact features, so be sure to assign a role with that permission to all Interact users.
View Interact content Interact Module read (module) permission is required to view content in the Interact content set.
Manage Interact content Interact Module write (module) permission is required to add, edit, or delete content in the Interact content set.
Deploy actions in Interact Interact Execute (module) permission enables users to deploy actions in Interact. It implies the platform content permissions Package read, Action read, and Action write.
Issue questions through the Ask a QuestionExplore Data field and Question Builder Ask Dynamic Questions (module) permission is required to issue questions through the Ask a QuestionExplore Data field and Question Builder. You can assign the permission to any custom role.

Sensor read content set permissions determine which sensors are available for you to select for questions. Filter Group read content set permissions determine which computer filter groups are available for you to view and select for questions and question results.

Depending on whether Tanium™ Reporting, Tanium™ Asset, or both are installed, you require additional permissions to see endpoint details through the Search Endpoints field or the Question Results page. For more information, see View details for a single endpoint.

The Tanium™ Asset module stores endpoint information that is visible in the Question Results page to users who have the Asset Report read permission.

The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Save a question Saved Question write permission is required to assign a saved question to content sets for which you have permission. Saved Question write is also required to create, edit, or delete saved questions. The Sensor read content set permissions determine the available sensors. Filter Group read content set permissions determine the available filter groups.

In addition to the Saved Question write permission, users require the Action write and Package write permissions to add associated packages to a new saved question configuration. In addition to these three permissions, users require owner permissions for the question if they want to modify or delete the associated packages.

The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Use Interact Saved Questions Saved Question read content set permissions determine the saved questions that you can see in the Tanium Console, such as on the Interact Overview page, Question Builder page, and Question Results grid drill-down.

Sensor read permission is required for the sensors specified in a saved question that you want to issue. Filter Group read content set permission is required for the filter groups specified in the saved question.

Ask Dynamic Questions permission is required to use the drill down feature in the saved question results grid.
Use Interact Categories Dashboard Group read content set permissions determine the categories that you can see in the Tanium Console, such as on the Interact Overview page.

Dashboard Group write permission is required to create, modify, or delete category configurations. Read Dashboard content set permissions determine which dashboards are available in categories.

The Admin reserved role Administrator and Content Administrator reserved roles can export and import categories.
Use Interact Dashboards Dashboard read content set permissions determine the dashboards that you can see in the Tanium Console, such as on the Interact Overview page.

Dashboard write permission is required to create, modify, or delete dashboard configurations. Saved Question read content set permissions determine which saved questions are available in dashboards.

The Admin Administrator or Content Administrator reserved role can export and import dashboards.
Deploy an action Action write permission is required to see the Deploy Action button on the Question Results grid.

Package read content set permissions determine which packages are available for you to select for actions.

Sensor read and Saved Question read permissions on the Reserved content set are required to complete the deploy action workflow. During the workflow, these permissions allow special saved questions thatTanium Cloud the Tanium Server uses to track and report action status.

The Administrator reserved role and Interact Power User role have all these permissions.
Use the Interact Overview page To see the following sections of the Interact Overview page, users require the specified permissions:
  • Overview: Dashboard Group read, Dashboard read, and Saved Question read permissions control the summary counts.
  • Favorite Categories: Dashboard Group read permission
  • Favorite DashboardsDashboard read permission
  • Favorite Saved Questions: Saved Question read permission

The Administrator reserved role has all these permissions.

Tanium Data Service permissions

The Tanium Data Service has the following predefined module roles and associated module permissions.

 Table 5: Tanium Data Service user role permissions
Permission Data Collection Administrator Data Collection Operator Data Collection Service Account

Ask Dynamic Questions

A global permission that applies to all content sets. It enables issuing questions through the Interact Ask a QuestionExplore Data field and Question Builder.


Data Collection

OPERATOR: Access to configure data collection settings

START: Manually start an unscheduled query to collect sensor results
START
OPERATOR
START

Data Collection Administrator

Unrestricted access to configure data collection
ADMINISTER

Data Collection API Identify Endpoint

Resolve and allocate endpoint identification (EID) sensors (internal purposes only). Applies to the Tanium Data Service content set.
READ
WRITE

Data Collection Bundle Config

View and edit configuration data for the next support bundle (internal purposes only)
READ
WRITE

Data Collection EID Namespace

Read and write endpoint ID namespaces (internal purposes only)


Data Collection Identify Endpoint

READ: Resolve endpoint identification (EID) sensors (internal purposes only)

WRITE: Allocate endpoint identification sensors (internal purposes only)
READ
WRITE

READ
WRITE

Data Collection Job

Read and cancel pipeline jobs (internal purposes only)


Data Collection Metrics

View the Data Service Sensor Metrics and Data Service Database Metrics charts in the Interact Info page
READ
READ

Data Collection Operator Settings

View and edit Tanium Data Service settings (internal purposes only)
READ
WRITE
READ
WRITE

Data Collection Pipeline

Read pipeline data (internal purposes only)


Data Collection Pipeline Write

Write pipeline data (internal purposes only)


Data Collection Purge

Purge data for specific sensors
SENSOR

Data Collection Registration

READ: View the Interact Settings > Registration & Collection page to see which sensors are registered for results collection

WRITE: Register or unregister sensors for results collection, pause (disable) or resume (enable) collection, and purge results
READ
WRITE
READ
WRITE
READ

Data Collection Sensor

Write virtual sensor data (internal purposes only)


Data Collection Service Account

READ: View the Interact Settings > Service Account page, which contains information about the service account that the Tanium Data Service uses to collect sensor results

WRITE: Change the service account that the Tanium Data Service uses to collect sensor results

EXECUTE: Collect sensor results
READ
WRITE

READ
WRITE
EXECUTE

Data Collection Settings

View and edit Tanium Data Service settings (internal purposes only)
READ
WRITE

Data Collection Status

View the Data Service Status chart in the Interact Info page
READ
READ

Data Collection Virtual Sensor Definition

View and edit virtual sensors (internal purposes only)


Result Expansion

Read and write expansions (internal purposes only)
READ
WRITE

The Tanium Data Service roles also have the following administration and platform content permissions:

 Table 6: Provided Tanium Data Service administration and platform content permissions
Permission Permission Type Data Collection Administrator Data Collection Operator Data Collection Service Account
Action Group Administration


READ
Client Status Administration


READ
Computer Group Administration


READ
Persona Administration


READ
User Administration
READ

READ
Action Platform Content


READ
Own Action Platform Content


READ
Plugin Platform Content
READ
EXECUTE
READ
EXECUTE
READ
EXECUTE
Saved Question Platform Content


READ
WRITE
Sensor Platform Content
READ
READ
READ

You can view which content sets are granted to any role in the Tanium Console.

The following table summarizes the roles and permissions that are required to manage actions. When you configure roles, apply the permissions to the content sets that include the packages associated with the actions. The listed permissions are platform content permissions except where otherwise noted.

 Table 7: User role requirements for managing actions
Tasks Tanium Console Administration pages Roles and permissions
Deploy actions, including action locks Question Results

Saved Question Results

The following permissions are required to deploy actions from the Questions Results and Saved Question Results pages:

  • Action write

  • Interact Module read

  • Package read permission on content sets determine which packages are available for selection in actions.

  • Sensor and Saved Question read permissions are required on the Reserved content set. Tanium CloudThe Tanium Server uses special saved questions to track and report action status within the deploy action workflow. Therefore, these permissions are required to complete the action deployment workflow.

The Admin reserved role and Interact Power User roleAdministrator reserved role, Content Administrator reserved role, and Interact Power User role have all these permissions.
Manage scheduled actions Actions > Scheduled Actions

Action read permission is required to perform the following tasks on the Scheduled Actions page:

  • View actions. The visibility of specific actions (grid rows) depends on Action read permission on the content sets for the associated packages.

  • Export actions in CSV format. Export Content (administration) permission is required to export scheduled actions in JSON format.

  • Copy action information to the clipboard.

Own Action read permission enables the same tasks as Action read but only for actions that the user owns.

Action read and write permissions are required to perform the following tasks on the Scheduled Actions page:

  • View the status of, and re-download, packages that are associated with actions.

  • Disable or enable actions.
  • Change the action groups that actions target.
  • Create copies of action configurations.
  • Delete actions.

Sensor read permissions on the Reserved content set, in addition to Action read and write permissions, are required to reissue or edit actions on the Scheduled Actions page. The Reserved content set includes content that is used to ask preview questions.

Action for Saved Question: Write permission enables users to see and use the Deploy Action button on the Question Results page, but only for saved questions that are configured with an associated package. Package read permission is not required for the associated package. If the saved question is not configured with an associated package, the Deploy Action button does not appear.

Use Action for Saved Question write permission instead of Action write permission to limit use by action users who use Tanium to execute standard operating procedures that someone else created.

Import Signed Content: This permission is required to import scheduled actions.

The Administrator reserved role has all these permissions and can import scheduled actions. The Content Administrator reserved role has all these permissions except the ability to export scheduled actions in JSON format or to import them in any format.
Manage action groups Actions > Action Groups

Action Group (administration permission):

  • Read permission is required to view and export action group configurations.

    Action Group read permission overrides the action group Visibility setting. A user who has Action Group read and action deployment permissions can select any action group when deploying an action. A user who has Action Group read and Approve Action permissions can approve actions that target any action group. However, the computer groups that are assigned to a user still control which endpoints run an action that the user deploys to the selected action group.

  • Write permission is required to create, edit, and delete action groups.

The Administrator reserved role has these permissions.
Manage action history Actions > Action History Action read permission is required to perform the following tasks on the Action History page:

  • View action configurations. The visibility of specific actions (grid rows) depends on Action read permission on the content sets for the associated packages.

  • Export actions in CSV format. Export Content (administration) permission is required to export actions in JSON format.

  • Copy action information to the clipboard.

  • View action status, when combined with other content permissions: see View action status.

Own Action read permission enables the same tasks as Action read but only for actions that the user owns.

Action read and write permissions are required to stop actions on the Action History page.

Sensor read permissions on the Reserved content set, in addition to Action read and write permissions, are required to reissue actions on the Action History page. The Reserved content set includes content that is used to ask preview questions.

The Admin reserved role has Administrator and Content Administrator reserved roles have these permissions.
View action status Action Status The following permissions are required to view and use the Action Status page (see View action status).
  • Package: Read permission on the content sets for packages that are associated with actions is required to view files in the Action Status page.
  • Sensor and Saved Question: Read permissions on the Reserved content set are required to use the Show Client Status Details button in the Action Status page.
  • Sensor: Read permission on the Client Management content set is required to use the Get action log for selected machines button in the Action Status page.
  • Action: Read permission is required to open the Action Status page from the Action History page. Own Action read permission enables the same ability but only for actions that the user owns.

The Admin reserved role has Administrator and Content Administrator reserved roles have all these permissions.
Manage action approval Actions > All Pending Approvals

Actions > Actions I Can Approve

Action read permission is required to perform the following tasks on the All Pending Approvals page:

  • View actions that require approval. The visibility of specific actions (grid rows) depends on Action read permission on the content set for the associated packages.

  • Export the actions in CSV format. Export Content (administration) permission is required to export actions in JSON format.
  • Copy the actions to the clipboard.

Own Action read permission enables the same tasks as Action read but only for actions that the user owns.

Approve Action permission is required to perform the following tasks on the Actions I Can Approve page.

  • View actions that require approval. Users cannot view their own actions on this page.

  • Approve actions that other users own, when combined with Sensor read permission. Users cannot approve their own actions.
  • Export the actions in CSV format. Export Content (administration) permission is required to export actions in JSON format.
  • Copy the actions to the clipboard.

Bypass Action Approval: This permission enables users to bypass approval for their own actions. The permission does not apply retroactively.

The Admin reserved role has Administrator and Content Administrator reserved roles have all the preceding permissions except Bypass Action Approval.

Global Settings: Write permission is required to enable or disable action approval. The Administrator reserved role has this permission.

The following table summarizes the roles and permissions that are required to manage content such as sensors, packages, saved questions, and filter groups. The listed permissions are platform content permissions, except where otherwise noted. You apply the permissions to one or more content sets to manage the content that is assigned to those sets.

 Table 8: User role requirements for managing content
Tasks Tanium Console Administration pages Roles and permissions
Manage sensors Content > Sensors

Content > Quarantined Sensors

Sensor: Read permission on content sets is required to view the sensors that are assigned to those content sets, or to export those sensors in CSV format.

  • Read permission on content sets is required to view the sensors that are assigned to those content sets, or to export those sensors in CSV format.

  • Write permission is required to create, edit, or delete sensors.

Export Content (administration permission): This permission is required to export sensors in JSON format. The Admin reserved role has this permission.

Import Signed Content: This permission is required to import sensors.

The Administrator and Content Administrator reserved roles have Sensor read and write permissions. The Administrator reserved role can import or export sensors in JSON format.

Global Settings (administration permission): Write permission is required to enable or disable sensor quarantine enforcement. The Administrator reserved role has this permission.

Sensor read permission or Ask Dynamic Questions permission is required to view quarantined sensors. Computer management group assignments determine on which endpoints users can manually quarantine or unquarantine sensors.
Manage packages Content > Packages Package:

  • Read permission on content sets is required to view the packages that are assigned to those content sets, or to export those packages in CSV format.

  • Write permission is required to create, edit, or delete packages.

Export Content (administration permission): This permission is required to export packages in JSON format.

Import Signed Content: This permission is required to import packages.

Action write and Sensor read permissions are required to deploy actions from the Packages page.

The Administrator reserved role has all these permissions and can import packages. The Content Administrator reserved role has Package read and write permissions.
Manage saved questions Content > Saved Questions Saved Question:

  • Read permission on content sets is required to view the saved questions that are assigned to those content sets, or to export those saved questions in CSV format.

  • Write permission is required to create, edit, or delete saved questions.

Export Content (administration permission): This permission is required to export saved questions in JSON format.

Import Signed Content: This permission is required to import saved questions.

Saved Question, Action and Package: Write permissions are required to add associated packages to a new saved question. In addition to these three permissions, a user also requires owner permissions for the question to later edit or delete the associated packages: see the Visibility setting in Saved question settings.

Sensor: Read permissions on content sets determine which sensors users can select for questions.

The Administrator reserved role has all these permissions and can import saved questions. The Content Administrator reserved role has all these permissions except the ability to export saved questions in JSON format or to import them in any format.
Manage filter groups Permissions > Filter Groups Filter Group:
  • Read permission is required to view the Filter Groups page. Read permission on the content sets to which the filter groups are assigned is required to:
    • View the configuration (group membership) of specific filter groups. Ask Dynamic Questions permission is also required for this activity.
    • Export filter groups in CSV format.
  • Write permission is required to:
    • Create, clone, and edit filter groups. These abilities also require Ask Dynamic Questions permission.
    • Delete filter groups.

Export Content (administration permission): This permission is required to export filter groups in JSON format.

Import Signed Content: This permission is required to import filter groups.

The Administrator reserved role has all these permissions and can import filter groups.

All roles that have the Ask Dynamic Questions permission in Tanium Core Platform 7.3 will have the Filter Group read permission on the Default Filter Groups content set after you upgrade to version 7.4 or later.
Export content files Various Content and Permissions pages

Solutions page

 Export Content (administration permission): This permission is required to export the following content types:
  • Allowed URLs
  • Computer management groups
  • Filter groups
  • Packages
  • Saved questions
  • Scheduled actions
  • Sensors

The Administrator reserved role has this permission.
Import content files All Content and Permissions pages

Solutions page

 Import Signed Content (administration permission): This permission is required to import digitally signed content files.

The Administrator reserved role can import all content types.
Question history Content > Question History Question History (administration permission): Read permission is required to view and export information in the Question History page. To issue a question from the Question History page, users also require the following permissions:

  • Interact module permissions:

    • Interact show

    • Interact Module read

  • Platform Content Permissions:

    • Saved Question read permission on the content sets that contain the questions that the user is allowed to issue.

    • Sensor read permission on the content sets that contain the sensors that are used in the questions that the user is allowed to issue.

The Administrator reserved role has these permissions.
Manage question and sensor runtime indicator thresholds Content > Sensor Thresholds Administrator reserved role only
Manage content sets Permissions > Content Sets Content set permissions are not explicit. Permission Administrator permission implies content set permissions and is required to manage content sets. The Admin reserved role has Permission Administrator permission. Administrator or Content Set Administrator reserved role only

The following table summarizes the roles and permissions that are required to manage role-based access control (RBAC) configurations. The listed permissions are administration permissions except where otherwise noted.

 Table 9: Tanium Console user roles and permissions
Tasks Tanium Console Administration pages Roles and permissions
Manage content sets Permissions > Content Sets Content set permissions are not explicit. Permission Administrator permission implies content set permissions and is required to manage content sets. The Admin reserved role has Permission Administrator permission. Administrator or Content Set Administrator reserved role only
Manage roles Permissions > Roles Administrator or Content Set Administrator reserved role only. Note that a Content Set Administrator cannot manage the assignment of reserved roles to users and user groups.
Role:
  • Write permission is required to create, edit, and delete roles.
  • Read permission is required to view role configurations and export them.
  • Grant permission is one of the permissions that are required to edit role assignments. The following combined permissions are required to edit roles assignments:
    • Permission Administrator and User write permissions are required to edit the role assignments of users.
    • Permission Administrator and User Group write permissions are required to edit the role assignments of user groups.
    • Permission Administrator and Persona write permissions are required to edit the role assignments of personas.

These are not explicit permissions. Permission Administrator permission provides Role write, read, and grant permissions, along with read permissions for User, User Group, and Persona. Therefore, only the Permission Administrator permission is required to view the role assignments of users, user groups, and personas.

The Admin reserved role has all these permissions.
Manage computer management groups Permissions > Computer Groups Computer Group: Write permission is required to create, edit, or delete computer management groups.

To create a computer management group in which membership is based on a sensor filter, the following permissions are required in addition Computer Group write permission:

  • Sensor (platform content permission): Read permission on the Reserved content set, which includes content that is used to ask preview questions
  • Interact Module (module permission): Write permission

Computer groups with manually defined membership do not require the Sensor read or Interact Module write permissions.

The following permissions are required to edit the assignments of computer management groups:

  • Permission Administrator and User write permissions are requiredUser: Write permission is required to edit the computer management group assignments of users.
  • Permission Administrator and User Group write permissions are requiredUser Group: Write permission is required to edit the computer management group assignments of user groups.
  • Permission Administrator and Persona write permissions are requiredPersona: Write permission is required to edit the computer management group assignments of personas.

Computer Group: Read permission is required to export computer management groups in CSV format.

Export Content: This permission is required to export computer groups in JSON format.

Import Signed Content: This permission is required to import computer groups.

The following permissions are required to view the assignments of computer management groups:

  • User: Read permission is required to view the computer management group assignments of users.
  • User Group: Read permission is required to view the computer management group assignments of user groups.
  • Persona: Read permission is required to view the computer management group assignments of personas.

The Administrator reserved role has all these permissions and can import or export computer groups in JSON format.

The Permission Administrator permission provides read permissions for User, User Group, and Persona. Therefore only Permission Administrator permission is required to view the computer management group assignments of users, user groups, and personas.

The Admin reserved role has all these permissions.
Manage users Permissions > Users User:
  • Read permission is required to:
    • View user configurations and export them in CSV format.
    • View the user group assignments of users. This ability also requires the User Group read permission.
    • View the computer management group assignments of a user.

  • Write permission is required to:

    • Add a user.

    • Manage user properties.

    • Edit the computer management group assignments of a user.

    • Save changes to a user.

    • Delete a user.

    • Edit the user group assignments of users. This ability also requires the User Group write permission.

Changing the role, persona, or computer management group assignments of users requires the following permissions:

  • Permission Administrator and User write permissions are required to edit the computer management group assignments of users.
  • Permission Administrator, Persona write, and User write permissions are required to edit the persona assignments of users.
  • Permission Administrator and User write permissions are required to edit the role assignments of users.

The Permission Administrator permission provides the User read permission. Therefore, only the Permission Administrator permission is required to view the computer management group assignments of users.

The Permission Administrator permission also provides read permissions for Role, User Group, and Persona. Therefore, only the Permission Administrator permission is required to view the role, user group, and persona assignments of users.

The Admin reserved role has all these permissions and can also export user configurations in JSON format.

Only the Administrator reserved role has all these permissions and can export users in JSON format.

The Administrator or Content Set Administrator reserved role is required to change the role assignments of users. However, a Content Set Administrator cannot manage the assignment of reserved roles.

The Administrator reserved role is required to change persona assignments.

Users cannot modify their own persona, computer group, or role assignments.
Manage user groups Permissions > User Groups User Group:

  • Read permission is required to:

    • Export user groups in CSV format.

    • View the user assignments of user groups. This ability also requires the User read permission.

    • View the computer management group assignments of user groups.

  • Write permission is required to:

    • Add a user group.

    • Edit a user group.

    • Edit the computer management group assignments of a user group.

    • Edit the user assignments of user groups. This ability also requires the User write permission.
    • Set the default user group. This ability also requires the Global Settings write permission.

    • Delete a user group.

Changing the role, persona, or computer management group assignments of user groups requires the following permissions:

  • Permission Administrator and User Group write permissions are required to edit the computer management group assignments of user groups.
  • Permission Administrator, Persona write, and User Group write permissions are required to edit the persona assignments of user groups.
  • Permission Administrator and User Group write permissions are required to edit the role assignments of user groups.

The Permission Administrator permission provides the User Group read permission. Therefore, only the Permission Administrator permission is required to view the computer management group assignments of user groups.

The Permission Administrator permission provides read permissions for Role, User, User Group, and Persona. Therefore, only the Permission Administrator permission is required to view the role, user and persona assignments of user groups.

The Admin reserved role has all these permissions and can also export user groups in JSON format.

Only the Administrator reserved role has all these permissions and can export user groups in JSON format.

The Administrator or Content Set Administrator reserved role is required to change the role assignments of user groups. However, a Content Set Administrator cannot manage the assignment of reserved roles.

The Administrator reserved role is required to change persona assignments.
Manage personas Permissions > Personas Persona: Write permission is required to add, edit, and delete personas, and to edit the computer management group and role assignments of personas. Permission Administrator and Persona write permissions are required to add, edit, and delete personas. These permissions are also required to edit the computer management group and role assignments of personas.

The following permissions are required to edit the user and user group assignments of personas:

  • Permission Administrator, Persona write, and User write permissions are required to edit the user assignments of personas.
  • Persona write and User write permissions are required to edit the user assignments of personas.
  • Permission Administrator, Persona write, and User Group write permissions are required to edit the user group assignments of personas.
  • Persona write and User Group write permissions are required to edit the user group assignments of personas.

Persona: Read permission is required to view and export persona configurations.

Permission Administrator permission provides read permissions for Persona, User, User Group, and Role. Therefore, only the Permission Administrator permission is required to:

  • View and export persona configurations.

  • View the user, user group, role, and computer management group assignments of personas.

The Admin reserved role has all these permissions.

The Administrator reserved role has all these permissions.

Import users and user groups from an LDAP server Configuration > LDAP/AD Sync Configuration Administrator reserved role only
Configure SAML authentication Configuration > SAML Configuration Administrator reserved role only
Manage API tokens Permissions > API Tokens Token - View: This permission is required to see the API Tokens page.

Token - Use permission: This permission is required to send requests to Tanium Cloudthe Tanium Server for new API tokens.

Token - Revoke permission: This permission is required to revoke API tokens that are used to access Tanium Cloudthe Tanium Server.

The Administrator reserved role has these permissions.

The following table summarizes the roles and permissions that are required to perform troubleshooting tasks in the Tanium Console. The listed permissions are platform content permissions except where otherwise noted.

 Table 10: User roles and permissions for troubleshooting your Tanium deployment
Tasks Tanium Console Administration pages Roles and permissions
Monitor Tanium Client registration and communication Configuration > Client Status Client Status (administration permission): Read permission is required to see the Client Status page and filter the table.

The Administrator reserved role has this permission.
View date-times for activities related to user sign ins, user account configuration, and platform setting configuration Permissions > User

Configuration > Settings

Audit (administration permission): Read permission is required to view:
  • Last Sign In information on the Users page
  • Last Modified information on the user configuration page
  • Last Modified information on the Settings page
Configure server logging levels Configuration > Logging Administrator reserved role only
View plugins and plugin schedules Configuration > Plugins Administrator reserved role only
View cache usage Configuration > Package File Repository Administrator reserved role only
View the info page https://<Tanium_Server>/info Server Status (administration permission) read is required to view the https://<Tanium_Server>/info page.