This topic introduces the Add User and Edit User dialogs accessible from the Administration Security view > Roles tab.
In the Add Role and Edit Role dialogs, you can add or edit a role and the permissions assigned to it. You can also specify the query-handling attributes for role members to lock down the information that they can retrieve. The structure of these dialogs is the same. The only difference is that you either add a new role or modify an existing role.
When you change permissions for a role, the change takes effect for all users assigned that role as soon as the role is saved.
To access this view:
- In the Security Analytics menu, select Administration > Security.
  The Security view opens to the Users tab by default.
- Click the Roles tab.
- Do one of the following:
The Add Role and Edit Role dialogs include three sections: Role Info, Attributes, and Permissions.
Role Info
This is the information in the Role Info section.
Feature | Description |
---|---|
Name | The name of the user role. |
Description | An optional description of the user role. |
Attributes
This is the information in the Attributes section. A value shown in italics indicates a default value, for example, 5. A value shown without italics indicates a change from the default value, for example, 1200. Step 3. Verify Query and Session Attributes per Role provides more information.
Feature | Description |
---|---|
SA Core Query Timeout | (Optional) Specifies the maximum number of minutes that a user can run a query. The default value is 5 minutes. This timeout only applies to queries performed from Investigation. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout. When migrating to Security Analytics 10.5 and later, if there is no value set in the roles, 5 minutes is set by default. Note: Security Analytics 10.5 and later Core services use this field. |
SA Core Query Level | (Optional) Specifies the maximum number of minutes that a user can run a query. There are three query levels: 1, 2, and 3. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. Note: Security Analytics 10.4 and earlier Core services use this field. Query Level is deprecated for Core services starting with Security Analytics 10.5. |
ConcurrentSessions Allowed | Specifies the maximum number of Concurrent Sessions Allowed for a user. The default value is 100. If this value is set, it must be 1 or greater. |
SA Core Query Prefix | (Optional) Filters query results to restrict what the role members see. By default, this is blank. For example, the query prefix 'service' = 80 is prepended to every query the user runs, so the user can only access meta of HTTP sessions. |
SA Core Session Threshold | Controls how the service scans meta values to determine session counts. This value must be zero (0) or greater. If this value is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value returned by the query reaches the threshold, the system will:
The default value is 100000. The limit you specify here overrides the Max Session Export value defined in Profile > Preferences > Investigation. |
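The following added example (not part of the product or its documentation) audits role definitions against the limits and defaults in the Attributes table and flags settings that leave a role unrestricted. The dictionary keys, the role names, and the idea of an exported role list are assumptions made for illustration.

```python
# Added example. The dict keys and the role export shape are assumptions;
# only the limits and defaults come from the Attributes table above.
DEFAULTS = {
    "query_timeout": 5,           # minutes; 0 means no timeout
    "concurrent_sessions": 100,   # must be 1 or greater
    "query_prefix": "",           # blank means results are not filtered
    "session_threshold": 100000,  # must be 0 or greater
}
MINIMUMS = {"query_timeout": 0, "concurrent_sessions": 1, "session_threshold": 0}


def audit_role(role):
    """Return (errors, warnings) for one role's query-handling attributes."""
    # Unset (None or missing) attributes fall back to the documented defaults.
    attrs = {**DEFAULTS, **{k: v for k, v in role.items() if v is not None}}
    errors, warnings = [], []
    for key, minimum in MINIMUMS.items():
        value = attrs[key]
        if type(value) is not int or value < minimum:  # also rejects bool
            errors.append(f"{key}={value!r}: must be an integer >= {minimum}")
    timeout = attrs["query_timeout"]
    if type(timeout) is int and timeout == 0:
        warnings.append("query_timeout=0: Investigation queries never time out")
    if not str(attrs["query_prefix"]).strip():
        warnings.append("query_prefix is blank: members' query results are unfiltered")
    return errors, warnings


# Constructed sample roles, not taken from a real deployment.
SAMPLE_ROLES = [
    {"name": "HTTP_Analysts", "query_timeout": 10, "query_prefix": "'service' = 80"},
    {"name": "Contractors", "query_timeout": 0, "concurrent_sessions": 0},
    {"name": "Tier1", "query_timeout": -5, "query_prefix": "'service' = 80"},
]


def audit_all(roles):
    """Map role name -> (errors, warnings), keeping only roles with findings."""
    findings = {}
    for role in roles:
        errors, warnings = audit_role(role)
        if errors or warnings:
            findings[role["name"]] = (errors, warnings)
    return findings


if __name__ == "__main__":
    for name, (errors, warnings) in audit_all(SAMPLE_ROLES).items():
        print(name, "ERRORS:", errors, "REVIEW:", warnings)
```

A blank query prefix or a zero timeout is valid per the table, so those are reported for review rather than as errors.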
Permissions
This is the information in the Permissions section. Role Permissions describes the permissions.
Feature | Description |
---|---|
Module tabs | There are eight tabs, one for each module: Administration, Alerting, Incidents, Investigation, Live, Malware, Reports, and Dashboard. Each tab lists the permissions for a module. |
Description column | List of all permissions for the module. |
Assigned column | Checkbox that indicates if a module permission is assigned to the role. |
Save | Saves the role with the selected permissions assigned to it. |
Cancel | Cancels any work and closes the dialog. |