This topic explains the query and session attributes and provides instructions for setting these attributes for user roles. This topic also describes how these role settings impact individual user settings and what happens if a user is a member of multiple roles.
After you define your user roles, it is important to verify the query and session attributes that are set for each role. You can adjust these settings according to your requirements.
Query and Session Attributes
Query and session attributes determine how to handle the queries that a user runs. These attributes enable you to lock down the information that users can retrieve. These attributes apply to all sessions of users assigned to a role.
Depending on your requirements, you can specify the following query-handling attributes for a user role:
- Core Query Timeout is an optional setting that applies to NetWitness Suite Core services. It specifies the maximum number of minutes that a user can run a query. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout. The default value is 5 minutes.
- Core Session Threshold is a required setting. This value must be zero (0) or greater. The default is 100000. The limit you specify here overrides the Max Session Export value defined in the Investigate view settings. If the threshold is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value count returned by the query reaches the threshold, the system will:
- Stop its determination of the session count.
- Show the threshold and percentage of query time used to reach the threshold.
- Core Query Prefix is an optional filter applied to queries the user runs. The prefix restricts query results that the user sees. For example, the 'service' = 80 query prefix is prepended to any queries run by the user, and the user can only access metadata of HTTP sessions.
The query-handing attribute settings applied for a user depend on the role memberships of the user. It is important to verify the query-handling attribute settings for your roles.
How Query-Handling Attribute Settings Apply to Individual Users
If a user is a member of multiple roles, the following logic applies for the user:
- Query Timeout: The most permissive (highest) value of all assigned roles is applied to the user.
- Query Prefix: The query prefixes of each of the user roles are AND'd together.
- Session Threshold: The highest value of all the assigned roles is applied to the user.
Set Query Handling Attributes for a User Role
- Go to ADMIN > Security.
The Security view is displayed with the Users tab open.
- Click the Roles tab. If you are adding a role, click . If you are editing a role, select the role and click .
The Add or Edit Role dialog is displayed.
- To set the attributes for the role, in the Attributes section:
- (Optional) In the Core Query Timeout field, type the maximum number of minutes that a user can run a query. This timeout applies to queries performed from Investigate.
- Type a Core Session Threshold for the system to stop its determination of the session count.
- (Optional) Type a Core Query Prefix to filter query results that role members see in the Investigate Navigate view, Events view, and Event Analysis view. You can specify a query that is prepended to all queries executed by users with a specific role. For example, if the 'service' = 80 query prefix is prepended to all queries by users in this role, the users can only access metadata of HTTP sessions. If users attempt to navigate to non-HTTP event, the view is not displayed.
- Click Save.