In Tanium Console, how is RBAC typically implemented to enforce least privilege?

• A. All users share a single set of permissions with no role differentiation.
• B. Administrators are granted roles with specific permissions and scopes; access can be restricted by modules, assets, and actions to enforce least privilege.
• C. Access is granted randomly based on user email domain.
• D. Permissions are granted only during business hours.

Answer: (B)

In Tanium, least privilege is achieved by true role-based access control where each administrator is assigned a role that bundles a precise set of permissions and a defined scope. This means the user can only access the modules they’re allowed to use, only see and manage the endpoints they’re permitted to, and only perform the actions their role permits. By combining module-level permissions with asset and action scopes, you can tightly constrain what a user can do, on which devices, and with which capabilities. This granular structure prevents overreach and ensures users can fulfill their job functions without gaining broader access than necessary. For example, an admin might be allowed to view reports in a specific module and manage only a designated group of endpoints, with no ability to alter other modules or target assets outside that scope. Other approaches that ignore granular module, asset, and action restrictions—such as sharing a single permission set, granting access by email domain, or tying access to time-of-day windows—do not enforce the same precise least-privilege protections.