The Tanium Console is designed for a display resolution of at least 1280 pixels wide and at least 720 pixels high. The Tanium Console might not appear as designed in browser windows smaller than these dimensions.
Update the following Internet Explorer settings if their current configuration interferes with the Tanium Console display:
Tanium dependencies
The Tanium Console and Interact depend on other Tanium Core Platform components:
| Tanium Server |
Interact 2.0 or later requires Tanium Server 7.2 or later. You can update both Interact and the Tanium Console UI version independently from the Tanium Server. For details, see Managing Tanium solutions. |
| Tanium content |
The Interact module does not include content. However, Interact functionality depends on sensors, saved questions, dashboards, and categories that you import when installing Tanium content packs and other Tanium modules. |
| License |
The license entitlement for the Tanium Core Platform includes the Tanium Console and Interact. For details, see Managing the Tanium license. |
Tanium Server computer resource and network requirements
Unlike other modules, Interact is installed on the Tanium Server, not the Tanium Module Server. The Tanium Console is also installed on the Tanium Server. The resource specifications for the Tanium Server include the host computer resource and network requirements for the Tanium Console and Interact. For details, see the guide for your deployment:
Endpoints
Supported operating systems
Interact supports the same operating systems (OSs) for endpoints that the Tanium Client supports:
- Windows
- MacOS
- Linux
- AIX
- Solaris
For details about support for specific OS versions, see Tanium Client User Guide: Host system requirements.
Disk space requirements
On managed endpoints, Interact requires at least 100 MB of disk space and another 100 MB of cache space for data files. The cache space includes the Tanium Client shard cache and objects such as sensors and logs.
Processor requirements
On managed endpoints, Interact requires at least 10 MB of RAM and accounts for less than 0.5% of idle CPU usage.
Host and network security requirements
Host and network security requirements for the Tanium Core Platform apply to the Tanium Console and Interact. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exceptions.
User role requirements
Before using the Tanium Console or Interact to perform tasks, verify that your user account has the necessary roles and permissions, as listed in the following tables. To configure and assign roles, see Managing roles.
Tanium Core Platform configuration permissions
The following table summarizes the roles and permissions required to import or upgrade Tanium modules, customize the Tanium Console, and configure Tanium Core Platform settings. The listed permissions are advanced role permissions except where otherwise noted.
Table 1: User roles and permissions for configuring your Tanium deployment
| Import, export, upgrade, or uninstall Tanium modules and content packs
Export and import content Upgrade the Tanium Console |
Tanium Solutions
|
The Administrator reserved role can perform all these tasks.
Import Signed Content (micro admin) permission enables importing digitally signed content files, Tanium modules, and content packs. |
| Customize the Tanium Console color, logo, header text, help URL, and confirmation prompt |
Configuration > Miscellaneous
|
Administrator reserved role only |
| Manage whitelisted URLs |
Administration > Whitelisted URLs |
Write Whitelisted URLs (micro admin) permission is required to create, modify, or delete the whitelisted URLs configurations. Read Whitelisted URLs (micro admin) permission is required to export the whitelisted URLs configurations. The Administrator reserved role has these permissions. The Administrator and Content Administrator reserved roles can also import the whitelisted URLs configurations. |
| Manage proxy server settings
|
Configuration > Common > Proxy Settings |
Administrator reserved role only
|
| Configure Tanium Client subnets
|
Configuration > Tanium Server > Subnets
|
Administrator reserved role only
|
| Manage bandwidth throttling
|
Configuration > Tanium Server > Bandwidth Throttling
|
Administrator reserved role only
|
| Manage Tanium licenses |
Configuration > Tanium Server > Tanium License
|
Administrator reserved role only |
| Manage Tanium keys |
Configuration > Tanium Server > Tanium Public Key
Configuration > Tanium Server > Root Key Management
|
Administrator reserved role only |
| Manage trust approval and revocation among Tanium Core Platform servers |
Configuration > Tanium Server > Active-Active Server Trusts
Configuration > Tanium Server > Zone Server Hub Trusts
|
Administrator reserved role only |
| Configure server logging levels |
Configuration > Common > Log Level
|
Administrator reserved role only |
| Configure global settings
|
Administration > Global Settings |
Write Global Settings (micro admin) permission is required to create, modify, or delete global settings configurations.
The Administrator reserved role has this permission. |
Tanium Interact permissions
The Interact module has the following predefined module roles and associated module permissions.
Table 2: Interact user roles and permissions
Show Interact
View the Interact workbench.
|
|
|
|
|
Interact Module Read
View Interact content.
This module permission provides these advanced permissions: Read Filter Group, Read Sensor, Read Saved Question, Read Dashboard, and Read Dashboard Group.
|
|
|
|
|
Interact Module Write
Add, edit, or delete Interact content.
This module permission provides the Interact Module Read permission.
It also provides these advanced permissions: Read Filter Group, Read Sensor, Read Saved Question, Read Dashboard, Read Dashboard Group, Write Saved Question, Write Dashboard, Write Dashboard Group.
|
|
|
|
|
Interact Execute Action
Deploy actions in the Interact module.
This module permission provides the Interact Module Read and Interact Module Write permissions.
It also provides these advanced permissions: Read Filter Group, Read Sensor, Read Saved Question, Read Dashboard, Read Dashboard Group, Read Package, Read Action, Write Saved Question, Write Dashboard, Write Dashboard Group, and Write Action.
|
|
|
|
|
The following table lists the provided advanced permissions and associated content sets (see the table footnotes) for the Interact module permissions in Table 2.
Table 3: Provided Interact advanced role permissions
Read Sensor¹
View and use sensors in the Interact Question Bar, Question Builder, and similar user interfaces throughout the Tanium Console.
|
|
|
|
|
Read Saved Question¹
View saved questions in the Interact workbench.
|
|
|
|
|
Read Dashboard¹
View dashboards in the Interact workbench.
|
|
|
|
|
Read Dashboard Group¹
View categories in the Interact workbench.
|
|
|
|
|
Read Filter Group²
View and use computer filter groups in questions and question results within the Interact workbench.
|
|
|
|
|
Ask Dynamic Questions
Issue questions through the Interact Question Bar and Question Builder. This is a global advanced permission: it applies to all content sets.
|
|
|
|
|
Write Saved Question³
Create, edit, or delete saved questions, and assign them to content sets for which the user has permission.
|
|
|
|
|
Write Dashboard³
Create, modify, or delete dashboard configurations. Read Saved Question content set permissions determine which saved questions are available in dashboards.
|
|
|
|
|
Write Dashboard Group³
Create, modify, or delete category configurations. Read Dashboard content set permissions determine which dashboards are available in categories.
|
|
|
|
|
Read Package¹
Select packages for actions in the Deploy Action page.
|
|
|
|
|
Read Action¹
View the Actions pages. The visibility of rows in the grid depends on the Read Action permission on the content sets for the associated packages.
|
|
|
|
|
Write Action¹
See and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions.
View the Actions > Scheduled Actions page. Users can see rows for actions they issued. If a user has the Read Action permission on the content set for the underlying package, that user can see rows for actions that other users issued.
Implies the Read Own Action, Read Package, and Show Preview permissions.
|
|
|
|
|
The following table summarizes the permissions required to perform specific tasks in the Tanium Interact module. The module workbench includes the Interact Home page and Interact Content page. The Administrator reserved role has all the listed permissions. The table also indicates whether other reserved roles have permissions for the features.
Table 4: Required permissions to perform Interact tasks
| Install or uninstall Interact |
Administrator reserved role only
|
| All tasks in Interact |
Show Interact (module) permission is required for all Interact features, so be sure to assign a role with that permission to all Interact users. |
| View Interact content |
Interact Module Read (module) permission is required to view content in the Interact content set. |
| Manage Interact content |
Interact Module Write (module) permission is required to add, edit, or delete content in the Interact content set. |
| Deploy actions in Interact |
Interact Execute Action (module) permission enables users to deploy actions in the Interact module. It implies the advanced permissions Read Package, Read Action, and Write Action. |
|
Issue questions through the Question Bar and Question Builder |
Ask Dynamic Questions permission is required to issue questions through the Question Bar and Question Builder. You can assign the permission to any advanced role.
Read Sensor content set permissions determine which sensors are available for you to select for questions. Read Filter Group content set permissions determine which computer filter groups are available for you to view and select for questions and question results. The Tanium™ Asset module stores endpoint information that is visible in the Question Results grid to users who have the Asset Report Read permission. The Administrator and Content Administrator reserved roles have all these permissions. |
| Save a question |
Write Saved Question permission is required to assign a saved question to content sets for which you have permission.
Write Saved Question is also required to create, edit, or delete saved questions. The Read Sensor content set permissions determine the available sensors. Read Filter Group content set permissions determine the available filter groups. In addition to the Write Saved Question permission, users require the Write Action and Write Package permissions to add associated actions to a new saved question configuration. In addition to these three permissions, users require owner permissions for the question if they want to modify or delete the associated actions. The Administrator and Content Administrator reserved roles have all these permissions.
|
| Use Interact Saved Questions |
Read Saved Question content set permissions determine the saved questions that you can see in the Tanium Console, such as on the Interact Home page, Interact Content page, and Question Results grid drill-down. Read Sensor permission is required for the sensors specified in a saved question that you want to issue. Read Filter Group content set permission is required for the filter groups specified in the saved question. Ask Dynamic Questions permission is required to use the drill down feature in the Saved Question Results grid. |
| Use Interact Categories |
Read Dashboard Group content set permissions determine the categories that you can see in the Tanium Console, such as on the Interact Home page and Interact Content page. Write Dashboard Group permission is required to create, modify, or delete category configurations. Read Dashboard content set permissions determine which dashboards are available in categories. The Administrator and Content Administrator reserved roles can export and import categories. |
| Use Interact Dashboards |
Read Dashboard content set permissions determine the dashboards that you can see in the Tanium Console, such as on the Interact Home page and Interact Content page.
Write Dashboard permission is required to create, modify, or delete dashboard configurations. Read Saved Question content set permissions determine which saved questions are available in dashboards. The Administrator and Content Administrator reserved roles can export and import dashboards. Note: By default, new dashboards are added to the Other Dashboards category, which is visible only to users with the Administrator or Content Administrator reserved role. Therefore, only users with one of those roles, or the user who created the dashboard, can see the new dashboard. To make the dashboard visible to users, you must move it to another category. |
| Deploy an action |
Write Action permission is required to see the Deploy Action button on the Question Results grid.
Read Package content set permissions determine which packages are available for you to select for actions. Read Sensor and Read Saved Question permissions on the Reserved content set are required to complete the deploy action workflow. During the workflow, these permissions allow special saved questions that the Tanium Server uses to track and report action status. |
| Use the Interact Home page and Interact Content page |
Users require the Ask Dynamic Questions permission to see the Welcome and Best Practices sections of the Interact Home page:
To see the following sections of the Interact Home page and Interact Content page, users require the specified permissions: - Interact Content: Read Dashboard Group, Read Dashboard, and Read Saved Question permissions control the summary counts.
- Favorite Categories: Read Dashboard Group permission
- Favorite Dashboards: Read Dashboard permission
- Favorite Saved Questions: Read Saved Question permission
|
Action management permissions
The following table summarizes the roles and permissions required to manage actions. When you configure roles, specify the content sets that include the packages associated with the actions. The listed permissions are advanced role permissions except where otherwise noted.
Table 5: User role requirements for managing actions
| Deploy actions, including action locks |
Question Results Saved Question Results |
Write Action permission is required to see the Deploy Action button on the Question Results grid.
Read Package content set permissions determine which packages are available for selection in actions. Read Sensor and Read Saved Question permissions are required on the Reserved content set. The Tanium Server uses special saved questions to track action status and report action status within the deploy action workflow. Therefore, these permissions are required to complete the workflow. The Administrator and Content Administrator reserved roles have all these permissions. |
| Manage scheduled actions |
Actions > Scheduled Actions
|
Read Action permission is required to view the Scheduled Actions page. Visibility of rows in the page grid depends on the Read Action permission on the content set for the underlying package. The permission enables users to re-download package files and copy grid rows to the clipboard. Write Action permission: - Enables users to see rows for actions that they issued. Users can see rows for actions that others
issued if the users have Read Action permission on the content set for the
underlying package.
- Enables users to see and use the Deploy Action button on the Question Results grid for dynamic questions and saved questions.
- Enables users to export specific scheduled actions for which they have Write Action permission.
- Implies the Read Own Action, Read Package, and Show Preview permissions.
Write Action for Saved Question permission: - Enables users to see the Scheduled Actions page, but the only rows are for the actions that the user has deployed.
- Enables users to see and use the Deploy Action button on the Question Results grid, but only for saved questions that are configured with an associated package. The Read Package permission is not required for the associated package. If the saved question is not configured with an associated package, the Deploy Action button does not appear.
Tip: Use the Write Action for Saved Question permission instead of the Write Action permission to limit use by action users who use Tanium to execute standard operating procedures that someone else created. Read Sensor and Read Saved Question permissions are required on the Reserved content set for users to deploy, edit, or check the status of actions. The Reserved content set includes content used to ask preview and polling questions. The Administrator and Content Administrator reserved roles have all these permissions, and can export or import the complete scheduled actions configuration. |
| Manage action groups |
Actions > Scheduled Actions
|
Read Action Group (micro admin) permission is required to view action groups in the Actions > Scheduled Actions page. Write Action Group (micro admin) permission is required to create, edit, and delete action groups. The Administrator reserved role has these permissions. |
| Manage action history |
Actions > Action History
|
Read Action permission is required to view the Action History page. Visibility of rows in the page grid depends on the Read Action permission on the content set for the underlying package. The Administrator and Content Administrator reserved roles have this permission, and can export the action history. |
| View action summary (status) |
Action Summary |
The following permissions are required to view and use the Action Summary page. This page appears when you deploy an unscheduled action. You can access it from the Action History page also.
- Read Saved Question permission (regardless of content sets) is required to view the Action Summary page of an action in the Action History grid.
- Read Package permission on the content set for the underlying package is required to view files in the Action Summary page.
- Read Sensor and Read Saved Question permissions on the Reserved content set are required to view and use the Show Client Status Details button in the Action Summary page.
- Read Sensor permission on the Client Management content set is required to view and use the Get action log for selected machines button in the Action Summary page.
The Administrator and Content Administrator reserved roles have these permissions. |
| Review and approve pending actions , or bypass action approval |
Actions > All Pending Approval
Actions > Actions I Can Approve
|
Approve Action permission:
- Users require this permission to view the All Pending Approval page.
- Users require this permission on the content set for the underlying package to approve actions that another user created. Users cannot approve their own actions.
Read Action permission on the content set for the underlying packages determines which rows are visible on the All Pending Approval page. Read Own Action permission is required for users to see their own actions on the All Pending Approval page. Bypass Action Approval permission enables users to bypass approval for their own actions. The permission does not apply retroactively. The Administrator and Content Administrator reserved roles have all these permissions except Bypass Action Approval. |
Content management permissions
The following table summarizes the roles and permissions required to manage sensors, packages, and saved questions. The listed permissions are advanced role permissions except where otherwise noted.
Table 6: User role requirements for managing content
| Manage sensors |
Content > Sensors > Sensor Management
Content > Sensors > Quarantined Sensors
|
Write Sensor permission is required to create, modify, or delete sensor configurations. Users can export sensors for which they have Write Sensor permission.
The Administrator and Content Administrator reserved roles have this permission, and can export or import the complete sensors configuration. Write Global Setting (global admin) permission is required to enable or disable quarantine enforcement. The Administrator reserved role has this permission. Computer management group assignments determine on which endpoints users can manually quarantine or unquarantine sensors. |
| Manage packages
|
Content > Packages
|
Write Package permission is required to create, modify, or delete package configurations. Users can export specific packages for which they have Write Package permission.
The Administrator and Content Administrator reserved roles have this permission, and can export or import the complete packages configuration. |
| Manage saved questions |
Content > Saved Questions
|
Write Saved Question permission is required to create, modify, or delete saved question configurations. Users can export specific saved questions for which they have Write Saved Question permission.
Write Action and Write Package permissions are required, in addition to Write Saved Question, to add associated actions to a new saved question configuration. In addition to these three permissions, a user also requires owner permissions for the question to later modify or delete the associated actions. Read Sensor content set permissions determine which sensors users can select for questions. The Administrator and Content Administrator reserved roles have these permissions, and can export or import the complete saved questions configuration. |
| Manage filter groups |
Content > Filter Groups
|
Read Filter Group or Read Computer Group permission is required to view the Content > Filter Groups page and to display the configuration of a specific filter group.
Write Filter Group permission is required to create, clone, edit, and delete filter groups. To create or clone filter groups, the Ask Dynamic Question permission is also required. The Write Filter Group permission implies the Read Filter Group permission. The Administrator and Content Administrator reserved roles have these permissions. All roles that have the Ask Dynamic Question permission in Tanium Core Platform 7.3 or earlier will have the Read Filter Group permission on the Default Filter Groups content set after you upgrade to version 7.4 or later. |
| Import content files |
All Content and Permissions pages
Solutions page |
Import Signed Content (micro admin) permission is required to import digitally signed content files. For example, you can import sensors, roles, and solution modules.
Note that this permission enables accessing the Solutions page (for importing modules and content packs), but you need additional permissions to access the Content and Permissions pages (for importing other types of content). For example, you need the Read Sensor permission to access the Content > Sensors page. The Administrator and Content Administrator reserved roles have the Import Signed Content permission, and also the permissions to access all Content and Permissions pages. |
| Question history |
Administration > Question History
|
Read Question History (micro admin) permission is required to see the Question History page. However, a user with only the microadmin permission cannot load a question from the Question History page.
Users who have the Administrator reserved role can see the Question History page, load a question from the page, and export the question history. |
| Manage question and sensor runtime indicator thresholds |
Configuration > Sensor Thresholds
|
Administrator reserved role only |
| Manage content sets |
Permissions > Content Sets Permissions > Content Alignment |
Administrator or Content Set Administrator reserved role only
|
RBAC management permissions
The following table summarizes the roles and permissions required to manage role-based access control (RBAC) configurations.
Table 7: Tanium Console user roles and permissions
| Manage content sets |
Permissions > Content Sets Permissions > Content Alignment |
Administrator or Content Set Administrator reserved role only |
| Manage roles |
Permissions > Roles
|
Administrator or Content Set Administrator reserved role only
Note that a Content Set Administrator cannot manage the assignment of reserved roles to users and user groups. |
| Manage computer groups |
Administration > Computer Groups
Content > Filter Groups
|
Write Computer Group (micro admin) permission is required to create, modify, or delete computer management group configurations. This permission also enables viewing filter groups. Read Sensor permission on the Reserved content set is also required to create a computer group in which membership is based on a sensor filter. The Reserved content set includes content used to ask preview questions. Computer groups in which membership is manually defined do not require this permission. Write Filter Group permission on content sets is required to create, modify, or delete filter group configurations. Read Filter Group permission on content sets is required to see filter groups and use them for filtering questions and question results. The Administrator and Content Administrator reserved roles have these permissions. |
| Manage users |
Administration > Users
|
Write User permission is required to create a new user configuration, add properties, or save changes to a configuration.
Reader User permission is required to export user configurations. Write Computer Group permission is required to change computer management group assignments from the user configuration page. To change the assignment of computer groups in which membership is based on a sensor filter, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Computer groups in which membership is manually defined do not require this permission. Write User Group permission permission is required to change the user group assignment. The Administrator or Content Set Administrator reserved role is required to change the role assignment. However, a Content Set Administrator cannot manage the assignment of reserved roles. Also, a user cannot manage their own roles from the user configuration page. The Administrator reserved role is required to change persona assignments. Only the Administrator reserved role has all of these permissions. The Content Set Administrator reserved role can also export user configurations. Users cannot modify their own persona, computer group, or role assignment. |
| Manage user groups |
Administration > User Groups
|
Write User Group permission is required to create a new user group configuration, add properties, or save changes to a configuration.
Reader User Group permission is required to export user group configurations. Write Computer Group permission is required to change computer management group assignment from the user group configuration page. To change the computer group assignment, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Read User permission is required to change the user assignment. The Administrator or Content Set Administrator reserved role is required to change the role assignment. However, a Content Set Administrator cannot manage the assignment of reserved roles. The Administrator reserved role is required to change persona assignments. Only the Administrator reserved role has all of these permissions. The Content Set Administrator reserved role can also export user configurations. |
| Manage personas |
Permissions > Personas
|
Administrator reserved role only |
| Import users and user groups from an LDAP server |
Configuration > Authentication > LDAP Sync
|
Administrator reserved role only |
| Configure SAML authentication |
Configuration > Authentication > SAML
|
Administrator reserved role only |
| Manage API tokens |
Configuration > Authentication > API Tokens
|
View Token permission is required to see the Configuration > Authentication > API Tokens page.
Use Token permission is required to send requests to the Tanium Server for new API tokens. Revoke Token permission is required to revoke API tokens that are used to access the Tanium Server. |
Troubleshooting permissions
The following table summarizes the roles and permissions required to perform troubleshooting tasks in the Tanium Console. The listed permissions are advanced role permissions except where otherwise noted.
Table 8: User roles and permissions for configuring your Tanium deployment
| Monitor Tanium Client registration and communication
|
Administration > System Status |
Read System Status (micro admin) permission is required to see the System Status page and filter the table.
The Administrator reserved role has this permission. |
| Configure server logging levels
|
Configuration > Common > Log Level |
Administrator reserved role only
|
| View plugins and plugin schedules
|
Configuration > Common > Plugins Configuration > Common > Plugin Schedules |
Administrator reserved role only
|
| View cache usage
|
Configuration > Tanium Server > Cache Info |
Administrator reserved role only
|
| View the info page
|
https://<Tanium_Server>/info
|
Administrator reserved role only
|
