All users must either have a local user account with username and password or an external user account that is mapped to Security Analytics.
To display the Add User or Edit User dialog:
- In the Security Analytics menu, select Administration > Security.
The Security view is displayed with the Users tab open.
- Do one of the following:
The Add User and Edit User dialogs show:
- User information
- Roles to which the user belongs
- Security settings for queries
The following table provides descriptions of the user information.
The following table provides descriptions of the Roles tab features.
|Opens the Add Role dialog that lists roles you could assign to the user.|
|Removes the selected role from being assigned to the user.|
|Shows permissions for the selected role.|
|Name||Lists each role assigned to the user.|
The following table describes fields on the Attributes tab. You should not set these query-handling attributes at the user level unless you want to override assigned role settings. If you do not specify these settings for individual users, the settings are applied to users based on their role memberships. Step 3: Verify Query and Session Attributes per Role provide additional information.
A value shown in italics indicates a default value, for example, 1000. A value shown without italics indicates a change from the default value, for example, 40.
|SA Core Query Timeout||(Optional) Specifies the maximum number of minutes that a user can run a query. This timeout only applies to queries performed from Investigation. By default, this is blank. If you specify a value, it overrides the assigned role settings. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout. |
Note: Security Analytics 10.5 and later Core services use this field.
|SA Core Query Level||(Optional) Specifies the maximum number of minutes that a user can run a query. There are three query levels: 1, 2, and 3. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. |
Note: Security Analytics 10.4 and earlier Core services use this field. Query Level is deprecated for Core services starting with Security Analytics 10.5.
|SA Core Query Prefix||(Optional) Filters query results to restrict what the user sees. By default, this is blank. For example, the 'service' = 80 query prefix prepends to any queries run by the user and the user can only access meta of HTTP sessions.|
|SA Core Session Threshold||Controls how the service scans meta values to determine session counts. This value must be zero (0) or greater. If this value is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value returned by the query reaches the threshold, the system will: |