Sec/User Mgmt: Step 3. Verify Query and Session Attributes per Role

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Aug 28, 2017.
Version 3

This topic explains the query and session attributes and provides instructions for setting these attributes for user roles. This topic also describes how these role settings impact individual user settings and what happens if a user is a member of multiple roles.

After you define your user roles, it is important to verify the query and session attributes that are set for each role. You can adjust these settings according to your requirements. These attributes can be set for user roles and for individual users. If you set these attributes for individual users, the user settings override their assigned role settings.

Query and Session Attributes

Query and session attributes determine how to handle the queries that a user runs. These attributes enable you to lock down the information that users can retrieve. These attributes apply to all sessions of users assigned to a role unless these attributes are also set at the user level.

Depending on your requirements, you can specify the following query-handling attributes for a user role or an individual user:

  • Query Timeout is an optional setting that applies to Security Analytics 10.5 and later Core services. It specifies the maximum number of minutes that a user can run a query. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout.
  • Query Level is an optional setting that applies to Security Analytics 10.4 and earlier Core services. It defines the maximum query running time for a user based on three query levels: 1, 2, and 3. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. Query Level is deprecated for Core services starting with Security Analytics 10.5.
  • Query Prefix is an optional filter applied to queries the user runs. The prefix restricts the query results that the user sees. For example, the query prefix 'service' = 80 is prepended to every query the user runs, so the user can only access meta of HTTP sessions.
  • Session Threshold is a required setting. This value must be zero (0) or greater. If the threshold is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value returned by the query reaches the threshold, the system will:
    • Stop its determination of the session count
    • Show the threshold and percentage of query time used to reach the threshold

The query-handling attribute settings applied for a user depend on the role memberships of the user and whether these attributes have been set for the roles and the user. It is important to verify the query-handling attribute settings for your roles and users.

How Query-Handling Attribute Settings Apply to Individual Users

Query-handling attributes set for individual users override assigned role settings. If a user is a member of multiple roles, the following logic applies for the user:

  • Query Timeout/Query Level: Individual user settings override all role settings. If individual user settings are not set, the most permissive (highest) value of all assigned roles applies to the user.
  • Query Prefix: Individual user settings override all role settings. If individual user settings are using defaults, which are shown in italics, the query prefixes of each of the user roles are AND'd together. If the query prefix is blank for both user and roles, no query prefix applies to the user.
  • Session Threshold: Individual user settings override all role settings. The highest value of all the assigned roles applies to the user.
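
The resolution rules above can be checked before changing a user's role memberships. The following sketch is an added example, not code from Security Analytics: the `Attrs` class, the role names, the `<site-a prefix>` placeholder, and the `&&` rendering of the AND are constructed for illustration. It assumes that a timeout of 0 (no timeout) counts as the most permissive value and that roles with a blank prefix contribute nothing to the AND.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Attrs:
    """Query-handling attributes; None / "" means not set at this level."""
    query_timeout: Optional[int] = None       # minutes; 0 = no timeout
    query_prefix: str = ""
    session_threshold: Optional[int] = None

def effective_attrs(user: Attrs, roles: List[Attrs]) -> Attrs:
    """Resolve the settings that apply to a user who is in several roles."""
    timeouts = [r.query_timeout for r in roles if r.query_timeout is not None]
    thresholds = [r.session_threshold for r in roles if r.session_threshold is not None]
    # Assumption: a role with a blank prefix contributes nothing to the AND.
    prefixes = [r.query_prefix.strip() for r in roles if r.query_prefix.strip()]

    if user.query_timeout is not None:
        timeout = user.query_timeout        # user setting overrides all roles
    elif 0 in timeouts:                     # assumption: 0 (no timeout) is most permissive
        timeout = 0
    else:
        timeout = max(timeouts, default=None)

    if user.session_threshold is not None:
        threshold = user.session_threshold
    else:
        threshold = max(thresholds, default=None)

    # "&&" is used here only to render the AND of the role prefixes.
    prefix = user.query_prefix.strip() or " && ".join(f"({p})" for p in prefixes)
    return Attrs(timeout, prefix, threshold)

# Constructed sample roles; names and the second prefix are illustrative.
WEB_ANALYSTS = Attrs(query_timeout=5, query_prefix="'service' = 80", session_threshold=100000)
HUNTERS = Attrs(query_timeout=60, query_prefix="", session_threshold=500000)
SITE_A = Attrs(query_timeout=10, query_prefix="<site-a prefix>", session_threshold=100000)

def demo():
    both = effective_attrs(Attrs(), [WEB_ANALYSTS, HUNTERS])
    scoped = effective_attrs(Attrs(), [WEB_ANALYSTS, SITE_A])
    pinned = effective_attrs(Attrs(query_timeout=2), [WEB_ANALYSTS, HUNTERS])
    return both, scoped, pinned

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the first case, adding the second role raises the user's timeout from 5 to 60 minutes and the session threshold from 100000 to 500000, while the query prefix is unchanged; additional role prefixes can only narrow the results further.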

Procedure

To set query handling attributes for a user role:

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Roles tab. If you are adding a role, click . If you are editing a role, select the role and click .
    The Add or Edit Role dialog is displayed.
  3. To set the attributes for the role, in the Attributes section:
    • (Optional) In the SA Core Query Timeout field, type the maximum number of minutes that a user can run a query. The default value is 5 minutes. This timeout only applies to queries performed from Investigation. Security Analytics 10.5 and later Core services use this field.
      When migrating to Security Analytics 10.5 and later, if there is no value set in the roles, 5 minutes is set by default.
    • (Optional) In the SA Core Query Level field, select the query level for the user. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. Security Analytics 10.4 and earlier Core services use this field. Query Level is deprecated for Core services starting with Security Analytics 10.5.
    • (Optional) Type an SA Core Query Prefix to filter query results that the role members see. By default, this is blank.
    • Type an SA Core Session Threshold for the system to stop its determination of the session count. The default is 100000. The limit you specify here overrides the Max Session Export value defined in Profile > Preferences > Investigation.
    A value shown in italics indicates a default value, for example 5. A value shown without italics indicates a change from the default value, for example, 1200.
  4. Click Save.