Enforce requirements

Review the requirements before you install and use Enforce.

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium™ Core Platform servers: 7.4.3.1204 or later*
Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

* Tanium Core Platform server 7.4.3.1204 is the minimum supported Tanium Core Platform server version for Enforce. It is a best practice to use Tanium Core Platform server 7.4.5.1240 or later. For more information, see Tanium Server release notes: Version_7.4.3.1204 Special Notes.

Solution dependencies

Other Tanium solutions are required for Enforce to function (required dependencies) or for specific Enforce features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Enforce dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Enforce requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Enforce, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Enforce to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Enforce, the server automatically updates those dependencies to the latest available versions.

If you select only Enforce to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Enforce has the following required dependencies at the specified minimum versions:

Tanium™ Direct Connect 2.8.34 or later
Tanium™ Endpoint Configuration 1.5.252 or later
Tanium™ Interact 2.8.102 or later
Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later
Tanium™ RDB Service 1.0.148 or later
(Windows endpoints) Tanium™ Client Recorder Extension^*
Tanium™ Secrets Service 1.0.48 or later
Tanium™ System User Service 1.0.72 or later
Tanium™ Trends 3.6.0 or later

^*= The required version of this client extension is installed as part of Enforce and also includes the Tanium Driver.

If the Tanium Core Content version is missing or not up to date, this alert occurs: Tanium Core Content solution is missing or minimum version is not satisfied. Install the Core Content solution and then restart the Enforce module service.

After you install the latest version, restart the Enforce module service. For Windows, restart the service in the Service Manager on the Tanium Module Server. For TanOS, see Tanium Appliance Deployment Guide: Start, stop, or restart Tanium services.

Feature-specific dependencies

Enforce has the following feature-specific dependencies at the specified minimum versions:

If you select only Enforce to import, you must manually import or update its feature-specific dependencies regardless of Tanium Console or Tanium Core Platform versions. Enforce has the following feature-specific dependencies at the specified minimum versions:

Tanium™ Core Content 1.2.1 or later is required for BitLocker and FileVault policies
Tanium™ End-User Notifications 1.6.5 or later is required for BitLocker and FileVault policies
Tanium Mac Device Enrollment 1.0.450 or later is required for Mac device configuration profiles and to manage macOS devices
Tanium Reporting 1.12.144 or later is required to view enhanced endpoint details for enforcements

Client extensions

Tanium Endpoint Configuration installs client extensions for Enforce on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Enforce functions:

Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
(Windows endpoints) Recorder CX - Provides the ability to save event data on each endpoint and monitor the endpoint kernel and other low-level subsystems to capture a variety of events. Tanium Enforce, Tanium Integrity Monitor, Tanium Map, or Tanium Threat Response installs this client extension.*
DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension.
Enforce CX - Provides Enforce functions on the endpoint. Tanium Enforce installs this client extension.
Stream CX - Provides the ability to gather large amounts of data from endpoints and send it to an external destination. Tanium Enforce or Tanium Threat Response installs this client extension.

* This client extension also installs the Tanium Driver.

Tanium™ Module Server

Enforce is installed and runs as a service on the Tanium Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported Internet protocols

Enforce supports IPv4 and IPv6 addresses.

Supported operating systems

Enforce policies support the following endpoint operating systems:

All Windows editions that support the Group Policy feature are supported for each of the following Windows versions, unless otherwise noted. Available Group Policy settings vary depending on Windows version and edition.

Policy	Operating System	Notes
Anti-malware: System Center Endpoint Protection (SCEP)	Windows 7 SP1 or later Enterprise, Professional or Ultimate Windows Server 2008 R2 SP1 or later	Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
Anti-malware: Windows Defender	Windows 8.1 or later Enterprise or Professional Windows Server 2016 or later
AppLocker	Windows 7 Windows 8.1 Windows 10 Windows 11 Windows Server 2008 R2 SP1 or later	Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857. For specific requirements, including supported editions and other required Microsoft KBs, see Microsoft: Requirements to use AppLocker - Operating System Requirements. Enforce supports the versions that list Yes in the Can be enforced column in the Microsoft document. Packaged app rules are not supported for any operating system.
BitLocker	Windows 7 SP1 Enterprise or Ultimate Windows 8.1 Enterprise or Pro Windows 10 Education, Pro Education, Enterprise, or Pro Windows 11 Enterprise or Pro	Windows 7 SP1 requires Microsoft KB2758857. Windows 7 endpoints must have a TPM chip to use BitLocker. Application of policy settings using a configuration service provider (CSP) requires specific versions of Windows. To determine the earliest supported operating system version for a specific setting, hover over next to the setting.
Device Control - Windows	Windows 7 SP1 or later Windows Server 2008 R2 SP1 or later	Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
FileVault	macOS 10.13.6 High Sierra or later
Firewall Management - Linux	CentOS 6, 7, or 8 Red Hat Enterprise Linux (RHEL) 6, 7, 8, or 9 Oracle Linux (OEL) 6, 7, 8, or 9 Ubuntu 16 or 18	ARM architecture is supported with Enforce 2.1.287 or later and only for OEL 8, 9 and RHEL 8,9. For versions of the Tanium Client that support this architecture, see Tanium Client Management User Guide: Client version and host system requirements.
Firewall Management - Windows	Windows 7 SP1 or later Windows Server 2008 R2 SP1 or later	Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
Machine Administrative Templates	Windows 7 SP1 or later Windows Server 2008 R2 SP1 or later	Requires Windows Pro or Enterprise edition. Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857. Application of policy settings using a configuration service provider (CSP) requires specific versions of Windows. To determine the earliest supported operating system version for a specific setting, hover over next to the setting.
Mac Device Configuration Profile	macOS 11 Big Sur or later	Requires integration with the Mac Device Enrollment service. For more information, see Mac Device Enrollment User Guide: Overview.
Mac Password Profile	macOS 11 Big Sur or later	Requires integration with the Mac Device Enrollment service. For more information, see Mac Device Enrollment User Guide: Overview.
Remediation - Linux	CentOS 6, 7, or 8 Red Hat Enterprise Linux (RHEL) 6, 7, 8, or 9 Oracle Linux (OEL) 8 or 9 Ubuntu 16 or 18	ARM architecture is supported with Enforce 2.1.287 or later and only for OEL 8, 9 and RHEL 8,9. For versions of the Tanium Client that support this architecture, see Tanium Client Management User Guide: Client version and host system requirements.
Remediation - Mac	macOS 10.13.6 High Sierra or later
Remediation - Windows	Windows 7 SP1 or later Windows Server 2008 R2 SP1 or later	Requires Windows Pro or Enterprise edition. Windows 7 SP1 requires Microsoft KB2758857 . Windows 7 is not supported for purge tasks. Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
SRP Management	Windows 7 SP1 or later Windows Server 2008 R2 SP1 or later	Requires Windows Pro or Enterprise edition. Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
Security Settings	Windows 10 or later	Application of policy settings using a configuration service provider (CSP) requires specific versions of Windows. To determine the earliest supported operating system version for a specific setting, hover over next to the setting.
Tanium Removable Storage Access	Windows 7 SP1 or later Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows 8.1 Windows 10, build 1607 or later Windows 11 Windows Server 2016 Windows Server 2019 Windows Server 2022	Same Windows endpoint requirements as Client Recorder Extension. See Client Recorder Extension User Guide: Endpoints.
User Administrative Templates	Windows 7 SP1 or later Windows Server 2008 R2 SP1 or later	Requires Windows Pro or Enterprise edition. Windows 7 SP1 requires Microsoft KB2758857 . Windows Server 2008 R2 SP1 requires Microsoft KB2758857. Application of policy settings using a configuration service provider (CSP) requires specific versions of Windows. To determine the earliest supported operating system version for a specific setting, hover over next to the setting.

Host and network security requirements

Specific ports and processes are needed to run Enforce.

Required ports

The following ports are required for Enforce communication.

The following port is required for Enforce communication.

Component	Direction	Port	Protocol	Purpose
Module ServerTanium Cloud	Inbound	17475	TCP	Required only when you use disk encryption policies. Allows communication between the Module Server and endpoints for Direct Connect.
	Module ServerTanium Cloud (Loopback)	17476	TCP	Required only when you use disk encryption policies. Allows notifications on endpoints from the End-User Notifications shared service.
	Module ServerTanium Cloud (Loopback)	17497	TCP	Internal purposes; not externally accessible.
	Module ServerTanium Cloud (Loopback)	17512	TCP	Required only when you use BitLocker and when the BitLocker recovery database is hosted on the Module ServerTanium Cloud.
Recovery portal server	Inbound	443	TCP	Required only when you use the recovery portal with disk encryption policies. Allows users to access the recovery portal.
Recovery portal server	Outbound	443	TCP	Required only when you use the recovery portal with disk encryption policies. Allows the recovery portal to access the Tanium Server.
Zone ServerTanium Cloud	Inbound	17486	TCP	Required only when you use disk encryption policies for external endpoints that connect through a Zone Server.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Enforce security exclusions for Tanium Core Platform servers (Windows deployments only)
Target Device	Exclusion Type	Exclusion
Module Server	Process	<Module Server>\services\enforce-service\node.exe
Zone Server	Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Zone Server	Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe

Enforce security exclusions for endpoints
Endpoint OS	Notes	Exclusion Type	Exclusion
Windows		Process	<Tanium Client>\Tools\StdUtils\7za.exe
	x86 endpoints	Process	<Tanium Client>\Tools\Enforce\devcon32.exe
	x64 endpoints	Process	<Tanium Client>\Tools\Enforce\devcon64.exe
		Process	<Tanium Client>\Tools\Enforce\LocalPolicyTool.exe
	7.4.x clients 7.2.x clients	Process	<Tanium Client>\Python38\TPython.exe
	7.4.x clients 7.2.x clients	Folder	<Tanium Client>\Python38
		Process	<Tanium Client>\TaniumClient.exe
		Process	<Tanium Client>\TaniumCX.exe
		Process	<Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe
		File	<Tanium Client>\extensions\TaniumRecorder.dll
		File	<Tanium Client>\extensions\TaniumRecorder.dll.sig
		File	<Tanium Client>\extensions\recorder\proc.bin
		File	<Tanium Client>\extensions\recorder\recorder.db
		File	<Tanium Client>\extensions\recorder\recorder.db-shm
		File	<Tanium Client>\extensions\recorder\recorder.db-wal
		File	C:\Windows\System32\drivers\TaniumRecorderDrv.sys
		Process	<Tanium Client>\tools\driver\service\TaniumDriverSvc.exe
	x86 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverCtl.exe
	x86 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverSvc.exe
	x86 endpoints	File	<Tanium Client>\tools\driver\TaniumProcessMonitor.dll
	x64 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverCtl64.exe
	x64 endpoints	Process	<Tanium Client>\tools\driver\TaniumDriverSvc64.exe
	x64 endpoints	File	<Tanium Client>\tools\driver\TaniumProcessMonitor64.dll
	x64 endpoints	File	C:\Windows\SysWOW64\TaniumProcessMonitor.dll
		Folder	<Tanium Client>\extensions\stream
macOS and Linux x86 and x64	7.4.x clients 7.2.x clients	Process	<Tanium Client>/python38/python
	7.4.x clients 7.2.x clients	Folder	<Tanium Client>/python38
		Process	<Tanium Client>/python38/bin/pybin
		Process	<Tanium Client>/TaniumClient
		Process	<Tanium Client>/TaniumCX

To use Enforce features that require End-User Notifications or Direct Connect, you must also configure the required security exclusions for each of these services to allow them to run without interference.

Internet URLs

For anti-malware policies, allow outbound communication from the Tanium Module Server to the following Microsoft download URLs. See Managed Anti-Malware definitions download URLs for configuration details.

Enforce Internet URLs
Architecture	URL
Windows x86 endpoints	https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86
	https://go.microsoft.com/fwlink/?LinkId=211053
	https://definitionupdates.microsoft.com
	http://catalog.update.microsoft.com¹
	http://catalog.s.download.windowsupdate.com¹
Windows x64 endpoints	https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
	https://go.microsoft.com/fwlink/?LinkId=211054
	https://definitionupdates.microsoft.com
	http://catalog.update.microsoft.com¹
	http://catalog.s.download.windowsupdate.com¹
¹ Required for Microsoft Defender Platform updates. For more information, see Windows Defender Platform Updates.

User role requirements

The following tables list the role permissions required to use Enforce. To review a summary of the predefined roles, see Set up Enforce users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

The Enforce service account role is for internal use only. It is automatically managed by the Enforce user. Do not assign the Enforce service account role to users.

Enforce Global user role permissions
Permission	Enforce Administrator^1,2,5	Enforce Defender Scan User^1,2	Enforce Defender Scan Viewer^1,2	Enforce Endpoint Configuration Approver^1,2,3	Enforce Operator^1,2³⁴	Enforce Policy Administrator (Global)^1,2	Enforce Policy User (Global)^1,2	Enforce Policy Viewer (Global)^1,2	Enforce Quarantine Administrator ^1,2	Enforce Write Content Wipe Action^1,2
Disk Encryption Recovery Keys Read, rotate, export, or delete recovery keys for disk encryption in given content sets	EXPORT ROTATE READ DELETE				EXPORT ROTATE READ DELETE
Enforce SHOW: View the Enforce workbench OPERATOR: Read, edit, and delete most Enforce objects (except edit access to Enforce settings)	SHOW⁴ OPERATOR	SHOW⁴	SHOW⁴	SHOW⁴	SHOW⁴ OPERATOR	SHOW⁴	SHOW⁴	SHOW⁴	SHOW⁴	SHOW⁴
Enforce Administrator Unrestricted access to Enforce	ADMINISTER
Enforce Create Enforce policies in given content sets	ENFORCEMENT				ENFORCEMENT	ENFORCEMENT	ENFORCEMENT
Enforce Defender Scan View, create, or delete Defender scans	READ WRITE	READ WRITE	READ		READ WRITE
Enforce Edit Any Edit available policy enforcements. Users always have access to enforcements that they created.	ENFORCEMENT				ENFORCEMENT	ENFORCEMENT
Enforce Endpoint Configuration Approve Enforce items in Endpoint Configuration				APPROVER
Enforce Endpoint Configuration All View or create Endpoint Configuration items for Enforce	WRITE				WRITE	WRITE	WRITE	READ
Enforce Endpoint Wipe Issue Windows Remediation actions that wipe, freeze, or recover endpoints						ACTION				ACTION
Enforce Operator Settings Globally read or edit most Enforce settings	READ WRITE				READ WRITE
Enforce Policy Prioritize, view, create, or edit Enforce policy priorities in given content sets	PRIORITIZE READ WRITE				PRIORITIZE READ WRITE	PRIORITIZE READ WRITE	READ WRITE	READ
Enforce Recovery Portal View recovery portal configuration and status, or write recovery portal configuration and download the installer	READ WRITE
Enforce Settings Globally read or edit all Enforce settings	READ WRITE
Enforce Write Policy Create policy packages for enforcements
Policy Template Read, edit, or delete policy templates in given content sets	READ WRITE DELETE				READ WRITE DELETE	READ WRITE DELETE	READ	READ
Policy Type Read or edit policy types in given content sets	READ WRITE				READ WRITE	READ WRITE DELETE	READ WRITE	READ
Reports Read, edit, or delete reports in given content sets	READ WRITE DELETE				READ WRITE DELETE	READ WRITE DELETE	READ WRITE DELETE	READ
Restore from Quarantine Restore files quarantined by Microsoft Defender.	ADMINISTER				ADMINISTER				ADMINISTER
Enforce MDM Action Provides Mac Device Enrollment policy privileges for non-destructive actions such as lock, as well as un-enrolling a device	USER				USER
Enforce MDM Mac Policy View, use, and write Mac Device Enrollment policies	USER VIEWER READ WRITE				USER VIEWER READ WRITE	USER VIEWER READ WRITE	USER VIEWER READ WRITE	VIEWER READ
¹ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in Tanium Console. For more information, see Tanium Interact User Guide: User role requirements. ² This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ³ This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. ⁴ To import the Enforce solution, you must be assigned the Administrator reserved role. ⁴⁵ This role provides module permissions for Tanium Mac Device Enrollment. You can view which Mac Device Enrollment permissions are granted to this role in Tanium Console. For more information, see Tanium Mac Device Enrollment User Guide: User role requirements.

Global Template (Permissions restricted by operating system content sets: Windows, macOS, or Linux) user role permissions
Permission	Enforce Policy Administrator (Template)^1,2,^4,5^5,6	Enforce Policy User (Template)^1,2,⁵⁶	Enforce Policy Viewer (Template)^1,2,⁵⁶	Enforce Quarantine Administrator ^1,2	Enforce Recovery Key Administrator (Template)^1,2 Enforce Recovery Key User (Template)^1,2	Enforce Recovery Key Viewer (Template)^1,2	Enforce Recovery Portal (Template)^1,2	Enforce Recovery Portal Administrator (Template)^1,2	Enforce Recovery Portal Viewer (Template)^1,2	Enforce MDM Action User^1,2,³⁴	Enforce MDM Wipe User^1,2,³⁴
Disk Encryption Recovery Keys Read, rotate, or delete recovery keys for disk encryption in given content sets					ROTATE READ DELETE	READ	READ
Enforce SHOW: View the Enforce workbench OPERATOR: Read, edit, and delete most Enforce objects (except edit access to Enforce settings)	SHOW³	SHOW³	SHOW³	SHOW³	SHOW³	SHOW³	SHOW³	SHOW³	SHOW³	SHOW³
Enforce Create Enforce policies in given content sets	ENFORCEMENT	ENFORCEMENT
Enforce Edit Any Edit available policy enforcements. Users always have access to enforcements that they created.	ENFORCEMENT
Enforce Endpoint Configuration (Template) View or create Endpoint Configuration items for OS	WRITE	WRITE	READ
Enforce Policy Prioritize, view, create, or edit Enforce policy priorities in given content sets	READ WRITE	READ WRITE	READ
Enforce Recovery Allows the user to be used as the Enforce Recovery Portal							PORTAL
Enforce Recovery Portal View recovery portal configuration and status, or write recovery portal configuration and download the installer								READ WRITE	READ
Policy Template Read, edit, or delete policy templates in given content sets	READ WRITE DELETE	READ	READ
Policy Type Read or edit policy types in given content sets	READ WRITE	READ WRITE	READ
Quarantine Restore files quarantined by Microsoft Defender	ADMINISTER			ADMINISTER
Reports Read, edit, or delete reports in given content sets	READ WRITE DELETE	READ WRITE DELETE	READ
Enforce MDM Mac Policy Administrator Provides privileges to administer Mac Device Enrollment policies	ADMINISTER
Enforce MDM Mac Policy View, use, and write Mac Device Enrollment policies	USER VIEWER READ WRITE	USER VIEWER READ WRITE	VIEWER READ
Enforce MDM Action Provides MDM privileges for non-destructive actions such as lock, as well as unenrolling a device										USER
Enforce MDM Wipe Provides MDM privileges for wiping devices											USER
¹ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in Tanium Console. For more information, see Tanium Interact User Guide: User role requirements. ² This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ³ To import the Enforce solution, you must be assigned the Administrator reserved role. ³⁴ This role provides module permissions for Tanium Mac Device Enrollment. You can view which Mac Device Enrollment permissions are granted to this role in Tanium Console. For more information, see Tanium Mac Device Enrollment User Guide: User role requirements. ⁴⁵ The Enforce MDM Mac Policy Administrator permission is provided only to the Enforce Mac Policy Administrator role by default. ⁵⁶ The Enforce MDM Mac Policy permission is provided only to the Enforce Mac Policy Administrator, Enforce Mac Policy User, and Enforce Mac Policy Viewer roles by default.

Module Objects with Access Control by Content Sets
Access Control Type	Policy Definition	Policy Type	Policy Templates	Policy Item	Managed Definition Files	Reports	Disk Encryption Recovery Keys
Global
Content Set

Provided administration and platform content permissions
Permission	Permission Type	Enforce Administrator¹	Enforce Defender Scan User¹	Enforce Defender Scan Viewer¹ Enforce Endpoint Configuration Approver¹	Enforce Operator¹ Enforce Policy Administrator¹ Enforce Policy User¹	Enforce Policy Viewer¹	Enforce Quarantine Administrator ¹	Enforce Recovery Key Administrator¹ Enforce Recovery Key User¹ Enforce Recovery Key Viewer¹ Enforce Recovery Portal Administrator¹ Enforce Recovery Portal Viewer¹	Enforce Recovery Portal¹	Enforce Write Content Wipe Action¹
Action Group	Administration	WRITE			READ
Computer Group	Administration	WRITE	READ		READ	READ
Token - Use	Administration	WRITE							SPECIAL
Token - View	Administration	WRITE							SPECIAL
Action	Platform Content	WRITE	WRITE		WRITE		WRITE			WRITE
Action for Saved Question	Platform Content	WRITE			WRITE
Filter Group	Platform Content	READ	READ	READ	READ	READ	READ	READ	READ	READ
Own Action	Platform Content	READ	READ		READ		READ			READ
Package	Platform Content	READ	READ		READ		READ			READ
Plugin	Platform Content	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	Platform Content	READ WRITE	READ WRITE		READ WRITE
Sensor	Platform Content	READ	READ	READ	READ	READ	READ	READ	READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. ¹ This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.