Tanium RBAC For Integrations

When an integration is being developed, the focus is on getting the code right: Make sure it is efficient, has proper error handling, is sufficiently tested, etc. While this is all critically important, sometimes the integrator will neglect to devote as much attention to the equally important work around roles, permissions, and user accounts associated with the configuration of the integration. There are serious security, risk, and continuity repercussions to these decisions.

Tanium uses API Tokens to authenticate calls into the REST and GraphQL APIs and these API Tokens have all the permissions of the User/Persona that generated them. Previously, session tokens were generated using a username and password. This is no longer a supported authentication method for API calls.

This article will explain how to create a minimally permissioned role and service account for an integration. It will explain how to generate API tokens with this service account for authentication with the Tanium APIs.

If you are not familiar with Tanium's RBAC model, it is strongly recommended that you familiarize yourself with it in the Tanium Resource Center before proceeding.

Creating a Custom Role

A custom role needs to be created that will grant a user the minimal required permissions needed for the integration to operate. Roles control the actions you can perform (permissions) and the data you can access with those permissions (content sets). The predefined roles that Tanium includes are designed for users interacting with Tanium via the console and are not appropriate for integrations.
In the Tanium Console, navigate to Administration > Permission > Roles and click New Role. Give your role a name and description indicating which integration it is for. You will then need to select the Permissions for your role, followed by the Content Sets.

Permissions

Choose the permissions your integration needs and add them to the role. This will vary depending on what your code does, but the table below maps the most common functions performed by integration code to the permissions required. The GraphQL schema will mention required permissions on some queries and mutations, so check this as well. Each requirement below is being done via API unless otherwise noted.

Content Sets

A Content Set is a group of Tanium Content objects that a permission is applied against. Some permissions will require you to specify a collection of content they should be used with. For example, Sensor(Read) permission will require you to select the content sets that contain the sensors that you wish to grant the integration access to read.
This will be indicated by a gray circle with a 0+ appearing next to the permission after you add it to the role. permission_requiring_content_sets
Click the gray circle and select the necessary content sets, which will be determined by which specific data your API calls are accessing.

Direct Access of Sensors

If you are using Saved Questions, Reports, or sensorReadings in a GraphQL Endpoints query, you are accessing the sensors by their actual names. You will need to collect a list of all of the sensors that your questions, reports, or sensorReadings reference and lookup their content sets.
The Sensor Inventory List can be used to look up which content set each sensor you are accessing belongs to.

Indirect Access of Sensors

GraphQL schema fields access underlying sensors using field names that may not match the actual sensor name. Therefore, you will need to look up what those underlying sensor names are in order to find the content sets you need. Some have more have more than one sensor underlying it, so be sure to include the content sets for all of them.
The underlying sensor will be in the description of the field in the schema. Some fields with subfields use multiple sensors, in which case the sensor name will be found in the subfields.
identify_graphql field's_sensor

identify_graphql subfield's_sensor

Finding a Sensor's Content Set

Once you have the list of sensors you are accessing, both directly and indirectly, you need to look up which content set each of them belongs to. The easiest way to do that is using the sensor inventory list. It contains all of the script-based as well as the virtual sensors supplied by Tanium. If you are accessing any custom sensors, you can find their content set by navigating to Administration>Content>Sensors in the Tanium Console and searching for their name.

Common Integration Scenarios

This chart covers the permission and content set requirements for most common integration scenarios. It is intended to help you create a custom role, but is not an exhaustive list of everything you might need to include. This chart is a work in progress and we are continuing to add content to it.

Integration Requirement Relevant APIs Role Requirements

Generate an API Token with UI

Permissions	Content Sets
Administration>Token - Use	-
Administration>Token - View	-

Use Any Tanium API

GraphQL, All REST

Permissions	Content Sets
Administration>Token - Use	-

Use GraphQL API

GraphQL

Permissions	Content Sets
Gateway>Gateway API(Execute)	-

Rotate an API Token

GraphQL, Platform REST

Permissions	Content Sets
Administration>Token - Rotate	-
Administration>Token - Use	-

Create a Report

GraphQL reportImport mutation

Permissions	Content Sets
Reporting>Report(Write)	The content set you will create a report in
Reporting>Report API(User)	-

Create a Report with UI

Permissions	Content Sets
Reporting>Report(Write)	The content set you will create a report in
Report API(User)	-
Reporting>Reporting>Report API(Operator)	-

Read a Report

GraphQL reportResultData query

Permissions	Content Sets
Platform Content Permissions>Sensor(Read)	"Tanium Data Service" The Content Sets that contain the sensors in your repor
Reporting>Report>Reporting(Read)	The content set that contain the Report you are accessing
Reporting>Report API(User)	-
Reporting>Report API(Operator)	-
Interact>Data Collection(Operator)	-
Interact>Data Collection(Start)	-

Every report, whether custom or Tanium-managed, belongs to a content set. You'll need to select the content sets that the reports you are reading belong to. You can find the name of the content set a report belongs to by click the Data tab in the Tanium Console and selection Reports. Locate your Report Name in the list and find the corresponding value in the Content Set column in the table.
find a report's content set

Query Endpoint Data

GraphQL endpoints query

Permissions	Content Sets
Administration>Computer Group(Read)	-
Platform Content Permissions>Sensor(Read)	"Tanium Data Service" The content sets that contain the underlying sensors for the fields you are accessing

GraphQL sensorHarvest mutation

Permissions	Content Sets
Interact>Data Collection Registration(Write)	-
Interact>Ask Dynamic Questions	-
Platform Content Permissions>Sensor(Read)	"Tanium Data Service" The content set that contains the sensor you are registering

Run an Action

GraphQL actionPerform mutation

Permissions	Content Sets
Administration>Action Group(Read)	-
Administration>Computer Group(Read)	-
Platform Content Permissions>Sensor(Read)	"Tanium Data Service" The content sets that contain the sensors used in the targeting parameters
Platform Content Permissions>Package(Read)	The content set that contains the package to deploy
Platform Content Permissions>Action(Write)	The content set that contains the package to deploy

Get an Action's Status

GraphQL action query

Permissions	Content Sets
Administration>Action Group(Read)	-
Administration>Computer Group(Read)	-
Platform Content Permissions>Action(Read)	The content set that contains the package that was deployed
Platform Content Permissions>Saved Questions(Read) (not required after Platform version 7.6.2.1055)	"Reserved"
Platform Content Permissions>Sensor(Read)	"Reserved"

Get Asset SIU Data

GraphQL assetProducts query

Permissions	Content Sets
Asset>Asset API User(Read)	-

Get Asset SIU Endpoint Data

GraphQL assetProductEndpoints query

Permissions	Content Sets
Asset>Asset API User(Read)	-

Create/Modify a Connect Job

/plugin/products/connect/v1/import

Permissions	Content Sets
Connect>Connect(Write)	-

Create a Connect Job

/plugin/products/connect/v1/import

Permissions	Content Sets
Connect>Connect	-
Connect>Connect Write	-

Create a Connect Job with UI

Permissions	Content Sets
Connect>Connect	-
Connect>Connect Write	-

Run a Connect Job

GraphQL connectConnectionsStart mutation
/plugin/products/connect/v1/connections/:id/runs

Permissions	Content Sets
Connect>Connect(Run)	-

Pull Data From Asset View

/plugin/products/asset/v1/assets?viewId=:id

Permissions	Content Sets
Asset>Asset API User(Read)	-
Asset>Asset Report (Read)	-

Insert Data into Asset

GraphQL assetsImport mutation

Permissions	Content Sets
Asset>Asset API User(Write)	-

Create/Update a Software Package with Tanium Deploy /plugin/products/deploy/v1/software-packages
/plugin/products/deploy/v1/tempfiles/
/plugin/products/deploy/v1/software-packages/:id

Start a Software Deployment with Tanium Deploy

GraphQL manageSoftware mutation
/plugin/products/deploy/v1/deployments/

Permissions	Content Sets
Deploy>Deploy Software Package(Read & Execute)	The content set that contains the Software Package to deploy. Usually "Deploy Content Set".
Deploy>Deploy Deployment(Write)	The content set that contains the Software Package to deploy. Usually "Deploy Content Set".

Create Discover Label

GraphQL discoverLabelCreate mutation

Permissions	Content Sets
Discover>Discover Tag(Write)	-
Discover>Discover Asset(Write)	-
Discover Location Permissions(Write)	-

Get Discover Interfaces

GraphQL discoverInterfaces query

Permissions	Content Sets
Discover>Discover Asset(Read)	-

Apply/Remove Discover Labels

GraphQL discoverInterfaceAddLabel and discoverInterfaceRemoveLabel mutations

Permissions	Content Sets
Discover>Discover Tag(Write)	-

Pull Threat Response Alerts

/plugin/products/threat-response/api/v1/alerts

Permissions	Content Sets
Threat Response>Threat Response Alerts(Read)	-
Threat Response>Threat Response API(Execute)	-
Platform Content Permissions>Plugin(Read)	"Tanium Data Service"
Platform Content Permissions>Sensor(Read)	"Base"

Start/Stop a Threat Response Live Connection (DEC)

/plugin/products/threat-response/api/v1/conns/connect

Permissions	Content Sets
Threat Response>Threat Response API(Execute)	-
Threat Response>Threat Response Live Connection(Write)	-

Create Saved Evidence From File (DEC)

Create Saved Evidence From Process (DEC)

Retrieve Saved Evidence

Delete Saved Evidence

Create a Snapshot (DEC)

Retrieve a Snapshot

Delete a Snapshot

Perform Threat Response Live Response Action

Insert Threat Response Intel

Terminate a Process (DEC)

Delete a File (DEC)

Retrieve a File (DEC)

Resolve Threat Response Alert

Create Computer Group

Delete Computer Group

Create Action Group

Delete Action Group

Create Patch Deployment

Stop Patch Deployment

Testing a Custom Role

Tanium Personas are a great tool for testing out a custom role. If you aren't familiar with Personas yet, please start by reading about them in the Tanium Console User Guide.

Create a new Persona to test out your custom integration role.
- Assign your custom role to it.
- Assign your user account to it. It is recommended to use an administrator user account in a lab for testing to ensure that any permission issues found are in the custom role rather than in your user's default role.
- Add any Computer Groups your integration needs access to to the persona. If your integration needs access to all Computer Groups, then check the "Unrestricted Management Rights" option.
Once you have created your Persona, click on your account profile at the top right in the Tanium Console and select the Persona option. Apply the Persona you just created. If your new persona isn't showing up or you don't see the Persona option, you may need to refresh your browser.
Generate an API token with your account while your new persona is applied and use it to authenticate your API calls for testing. Test out all other features of your integration using this persona such as connect jobs or reports.
If any issues are found, switch back to your default role and make adjustments to the role and then try again. You can keep testing using the API token you already generated since changes to the underlying role/persona/user combination will be automatically applied to any tokens previously generated by it. Continue iterating and testing until your integration is working properly with the custom role you created.
Congratulations, this role is now ready to be used with a Service Account to run your integration!
Be aware that it can take up to 10 minutes for a Persona to work again after you make a change to the underlying role. If you see RBACInsufficientPrivilege returned from your API calls after updating a role, try again in a few minutes.

Tanium Asset RBAC

The Tanium Asset module does not use standard Tanium RBAC rules to control which views and reports can be accessed. If access is granted with RBAC to read Asset Views with the API, then all Views will be accessible. Asset uses a different concept called Permission Groups to limit access to which endpoints a user can view data for. You can read more about setting up Asset Permission Groups in the Configuring Asset Guide.

Tanium Connect RBAC

Each connection in Tanium Connect has a user account assigned as the owner, and optionally a persona. The data that is exported from Connect is limited to the data that is accessible to the user/persona that owns it. It is recommended to set each connection's owner to a Service Account that has the minimum permissions required to access the data that you want Connect to deliver. For more information, please read about Managing Connections in the Tanium Resource Center.

Computer Groups

We've covered how Permissions and Content Sets in a role are used to control which content can be accessed and how it can be used. Computer Groups are the other part of the Tanium RBAC model. They control which endpoints are in scope for the permissions granted by the role. The can be configured at the User, User Group, or Persona level in Tanium. You should review the documentation in the Tanium Resource Center to learn about Computer Groups and how they are used and configured for RBAC.
For the majority of integration scenarios, there is a requirement to access data about all endpoints. For this reason, selecting Unrestricted Management Rights is usually appropriate.

Creating an Integration Service Account

Why is this important?

Security: It is very unlikely that any user has the exact same permission needs as an integration. An integration is typically designed to do a narrow set of things on a narrow set of data, and security best practices dictate that roles should always be minimally provisioned to grant access to only those capabilities and data that are required. This limits the impact of a breach or misuse.
Continuity: An integration is not a person. People regularly change jobs or depart organizations, meaning their Tanium account could be deactivated or changed suddenly. If you have an integration running with an API token generated by this user account, this is likely to cause an unexpected failure. It is unlikely that you want your integrations to stop working because a personnel change. Creating a proper service account mitigates this risk.
Auditability: Having each integration run under its own service account makes it much easier to audit activity on the Tanium platform. If a human's user account is used to generate the API token that an integration is using, it can be hard to distinguish what or who initiated a particular activity when multiple integrations or integrations and humans are sharing an account. We all know that account sharing is generally considered bad practice for people, but it is also bad practice for integrations for similar reasons.

API Tokens are associated to a particular user account. A user account configured with the specific roles and computer groups required for your integration should be created. A separate user account should be created for each integration so that the permissions can be properly tailored and for auditing purposes. Following security best practices, excess permissions on any user account, including integration users, should be avoided.

This user will need to be granted access to all computer groups that contain endpoints that your integration needs to view or control. In most cases, this means Unrestricted Management Rights, but will ultimately depend on your specific use case. A customer will need to provision this user account in their IdP. For on-prem testing, you can create a “Local Tanium User” in the TanOS menu.

Service Accounts should be used to create all Connect Jobs and API Tokens that an integration relies on.

Last Updated: May 28, 2024