In the Add Role and Edit Role dialogs, you can add or edit a role and the permissions assigned to it. You can also specify the query-handling attributes for role members to lock down the information that they can retrieve. The structure of these dialogs is the same. The only difference is that you either add a new role or modify an existing role.
When you change permissions for a role, the change takes effect as soon as the role is saved and applies immediately to all users who are assigned that role.
To access this view:
- In the Security Analytics menu, select Administration > Security.
The Security view opens to the Users tab by default.
- Click the Roles tab.
- Do one of the following:
The Add Role and Edit Role dialogs include three sections: Role Info, Attributes, and Permissions.
This is the information in the Role Info section.
| Field | Description |
|---|---|
| Name | The name of the user role. |
| Description | An optional description of the user role. |
This is the information in the Attributes section. A value shown in italics indicates a default value, for example, 5. A value shown without italics indicates a change from the default value, for example, 1200. Step 3: Verify Query and Session Attributes per Role provides more information.
| Field | Description |
|---|---|
| SA Core Query Timeout | (Optional) Specifies the maximum number of minutes that a user can run a query. The default value is 5 minutes. This timeout only applies to queries performed from Investigation. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout. When migrating to Security Analytics 10.5, if there is no value set in the roles, 5 minutes is set by default. Note: Security Analytics 10.5 and later Core services use this field. |
| SA Core Query Level | (Optional) Specifies the maximum number of minutes that a user can run a query. There are three query levels: 1, 2, and 3. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. Note: Security Analytics 10.4 and earlier Core services use this field. Query Level is deprecated for Core services starting with Security Analytics 10.5. |
| SA Core Query Prefix | (Optional) Filters query results to restrict what the role members see. By default, this is blank. For example, the query prefix 'service' = 80 is prepended to any query the user runs, so the user can only access meta of HTTP sessions. |
| SA Core Session Threshold | Controls how the service scans meta values to determine session counts. This value must be zero (0) or greater. If this value is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value returned by the query reaches the threshold, the system will: |
The default value is 100000. The limit you specify here overrides the Max Session Export value defined in the Profile > Preferences > Investigation.
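The following added example (not part of the product or its documentation) audits role definitions against the attribute rules described above, flagging invalid values and settings that loosen query restrictions. The dictionary layout and key names (`query_timeout`, `query_level`, `query_prefix`, `session_threshold`) are assumptions for illustration, not a Security Analytics export format.

```python
# Added example: key names and dict layout are assumptions, not a product export format.
DEFAULT_TIMEOUT_MIN = 5             # default SA Core Query Timeout (minutes)
DEFAULT_SESSION_THRESHOLD = 100000  # default SA Core Session Threshold

def _invalid(value):
    """True unless value is an integer that is zero or greater."""
    return isinstance(value, bool) or not isinstance(value, int) or value < 0

def audit_role(role, core_version=(10, 5)):
    """Return (severity, message) findings for one role definition."""
    name = role.get("name", "<unnamed>")
    findings = []

    timeout = role.get("query_timeout", DEFAULT_TIMEOUT_MIN)
    if _invalid(timeout):
        findings.append(("error", f"{name}: query timeout must be 0 or greater"))
    elif timeout == 0:
        findings.append(("warn", f"{name}: query timeout 0 disables the timeout"))

    if _invalid(role.get("session_threshold", DEFAULT_SESSION_THRESHOLD)):
        findings.append(("error", f"{name}: session threshold must be 0 or greater"))

    if not (role.get("query_prefix") or "").strip():
        findings.append(("info", f"{name}: blank query prefix, results are unfiltered"))

    level = role.get("query_level")
    if level is not None:
        if level not in (1, 2, 3):
            findings.append(("error", f"{name}: query level must be 1, 2, or 3"))
        elif core_version >= (10, 5):
            findings.append(("warn", f"{name}: query level is deprecated from 10.5"))
    return findings

# Constructed sample roles for illustration.
SAMPLE_ROLES = [
    {"name": "HTTP_Analysts", "query_timeout": 10, "query_prefix": "'service' = 80"},
    {"name": "Operators", "query_timeout": 0, "query_level": 2},
    {"name": "Broken", "query_timeout": -1, "session_threshold": -5,
     "query_prefix": "'service' = 80", "query_level": 4},
]

def audit_all(roles, core_version=(10, 5)):
    """Map each role name to its list of findings."""
    return {r.get("name", "<unnamed>"): audit_role(r, core_version) for r in roles}

if __name__ == "__main__":
    for role_name, results in audit_all(SAMPLE_ROLES).items():
        for severity, message in results:
            print(f"[{severity}] {message}")
```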
This is the information in the Permissions section. Role Permissions describes the permissions.
|There are eight tabs, one for each module: Administration, Alerting, Incidents, Investigation, Live, Malware, Reports, and Dashboard. Each tab lists the permissions for a module.|
|List of all permissions for the module.|
|Checkbox that indicates if a module permission is assigned to the role.|
|Save||Saves the role with the selected permissions assigned to it.|
|Cancel||Cancels any work and closes the dialog.|