PSA/ee/docs/plans/2026-04-06-tanium-rmm-integration/SCRATCHPAD.md

Scratchpad — Tanium RMM Integration

• Plan slug: tanium-rmm-integration
• Created: 2026-04-06

What This Is

Keep a lightweight, continuously-updated log of discoveries and decisions made while implementing this plan.

Prefer short bullets. Append new entries as you learn things, and also update earlier notes when a decision changes or an open question is resolved.

Decisions

• (2026-04-06) Use a provider-neutral RMM adapter plus shared ingestion path before adding Tanium. Rationale: current NinjaOne and Tactical implementations already diverge enough that a third bespoke stack would compound duplication.
• (2026-04-06) Treat tenant_external_entity_mappings as the core asset identity seam for all RMM providers. Rationale: it already exists, is provider-neutral, and both NinjaOne and Tactical depend on it.
• (2026-04-06) Tanium v1 should be inventory-first and scope-mapping-first. Rationale: official Tanium guidance prefers Gateway for querying online/offline systems and reserves module APIs for gaps.
• (2026-04-06) Tanium event push should be modeled as an optional capability, not assumed as a public webhook subsystem. Rationale: official Tanium guidance positions Connect as the push/event delivery method for downstream systems.

Discoveries / Constraints

• (2026-04-06) server/src/middleware.ts hard-codes public or API-key-skipped routes for NinjaOne and Tactical webhooks/callbacks. A new provider with public ingress would currently require another manual middleware change.
• (2026-04-06) ee/server/src/interfaces/rmm.interfaces.ts is nominally generic but still contains NinjaOne-specific settings leakage such as ninja_instance_region.
• (2026-04-06) ee/server/src/lib/integrations/ninjaone/sync/syncEngine.ts and ee/temporal-workflows/src/activities/ninjaone-sync-activities.ts duplicate asset upsert and external mapping logic.
• (2026-04-06) Official Tanium docs state:
  • Gateway is the preferred integration method.
  • Connect is best for scheduled or event-triggered outbound delivery to files, syslog, webhook, and similar destinations.
  • Asset API is useful for endpoints that have aged out of TDS.
  • Direct Connect is for limited live endpoint troubleshooting/evidence/remediation, not the main integration transport.
• (2026-04-06) Public developer docs give method-selection truth, but exact Gateway schema details still need tenant-backed verification. The docs themselves say the schema reference in Gateway is the most up-to-date source.

Commands / Runbooks

• (2026-04-06) Pull official Tanium markdown guidance:
  • curl -L --max-time 20 https://developer.tanium.com/guides/core-platform/integration_methods.md
  • curl -L --max-time 20 https://developer.tanium.com/use_cases.md
• (2026-04-06) Browser inspection of the logged-in Tanium developer portal:
  • alga-dev list-browsers --allTabs --pretty
  • alga-dev browser-eval --paneId=<tanium-pane> --script='(() => document.body.innerText)()'
  • alga-dev browser-get-dom --paneId=<tanium-pane> --query='li, a' --pretty
• (2026-04-06) Repo inspection used for architecture grounding:
  • rg -n "rmm_organization_mappings|rmm_integrations|tenant_external_entity_mappings" ee packages server -g '!**/node_modules/**'
  • sed -n '1,240p' ee/server/src/interfaces/rmm.interfaces.ts
  • sed -n '1,220p' ee/server/src/app/api/integrations/ninjaone/callback/route.ts
  • sed -n '1,240p' packages/integrations/src/actions/integrations/tacticalRmmActions.ts

Links / References

• Official Tanium docs:
  • https://developer.tanium.com/apis/api_intro
  • https://developer.tanium.com/guides/core-platform/integration_methods
  • https://developer.tanium.com/use_cases
  • https://help.tanium.com/bundle/ug_gateway_cloud/page/gateway/index.html
  • https://help.tanium.com/bundle/ug_gateway_cloud/page/gateway/gateway.html
• Key repo files:
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/server/src/middleware.ts
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/server/migrations/20250502173321_create_tenant_external_entity_mappings.cjs
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/server/migrations/20251124000001_create_rmm_integration_tables.cjs
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/ee/server/src/interfaces/rmm.interfaces.ts
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/ee/server/src/lib/integrations/ninjaone/sync/syncEngine.ts
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/packages/integrations/src/actions/integrations/tacticalRmmActions.ts
  • /Users/roberisaacs/alga-psa.worktrees/feature/tanium-integration/packages/integrations/src/components/settings/integrations/RmmIntegrationsSetup.tsx

Open Questions

• What exact Gateway object(s) represent Tanium endpoint inventory in the target tenant?
• What exact field(s) map a Tanium endpoint to an MSP customer/client boundary?
• Is aged-out inventory fallback necessary in the target tenant, or is Gateway sufficient for the required device estate?
• If Connect is used for outbound event delivery, can the customer’s Tanium deployment deliver to the intended Alga-hosted destination model?
• Should Tanium v1 include only inventory, or does the customer expect compliance/vulnerability findings in the initial release?