This topic provides instructions for setting query-handling attributes for individual users if you want to override the role settings.
Query-handling attributes determine how to handle the queries that a user runs. These attributes enable you to lock down the information that users can retrieve. You can specify the following query-handling attributes for a role or user:
- Query Timeout is an optional setting that applies to Security Analytics 10.5 and later Core services. It specifies the maximum number of minutes that a user can run a query. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout.
- Query Level is an optional setting that applies to Security Analytics 10.4 and earlier Core services. It defines the maximum query running time for a user based on three query levels: 1, 2, and 3. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. Query Level is deprecated for Core services starting with Security Analytics 10.5.
- Query Prefix is an optional filter applied to queries the user runs. The prefix restricts the query results that the user sees. For example, the query prefix 'service' = 80 is prepended to every query the user runs, so the user can access only the meta of HTTP sessions.
- Session Threshold is a required setting. This value must be zero (0) or greater. If the threshold is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value returned by the query reaches the threshold, the system will:
  - Stop its determination of the session count
  - Show the threshold and percentage of query time used to reach the threshold
You should not set these query-handling attributes at the user level unless you want to override the role settings. Query-handling attributes set for individual users override assigned role settings. If you do not specify these settings for individual users, the settings are applied to users based on their role memberships. The topic "Step 3. Verify Query and Session Attributes per Role" provides information on how the role settings impact individual user settings and what happens if a user is a member of multiple roles.
It is important to verify the query-handling attributes that are set for each user.
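The override rule and value constraints described above can be checked offline against an inventory of role and user settings. This is an added example, not Security Analytics code: the `Attrs` record, the function names and the sample data are constructed, and it assumes each user belongs to a single role and that a blank user field inherits the role value.

```python
# Added example: the record layout and all names are assumptions for
# illustration, not a Security Analytics export format or API.
from dataclasses import dataclass, fields
from typing import Optional

@dataclass
class Attrs:
    query_timeout: Optional[int] = None      # minutes; None = blank, 0 = no timeout
    query_prefix: Optional[str] = None       # None or "" = blank (no filter)
    session_threshold: Optional[int] = None  # None = not set at this level

def is_blank(value):
    return value is None or value == ""

def effective(role: Attrs, user: Attrs) -> Attrs:
    """User-level values override the role; blank user fields inherit the role value."""
    return Attrs(*[getattr(role, f.name) if is_blank(getattr(user, f.name))
                   else getattr(user, f.name) for f in fields(Attrs)])

def audit(name: str, role: Attrs, user: Attrs):
    """Return (effective attributes, findings) for one user."""
    eff, findings = effective(role, user), []
    for f in fields(Attrs):
        u, r = getattr(user, f.name), getattr(role, f.name)
        if not is_blank(u) and u != r:
            findings.append(f"{name}: {f.name} overrides role value {r!r} with {u!r}")
    if eff.query_timeout is not None and eff.query_timeout < 0:
        findings.append(f"{name}: invalid query_timeout, must be zero or greater")
    elif eff.query_timeout == 0:
        findings.append(f"{name}: query_timeout is 0, queries never time out")
    if eff.session_threshold is None or eff.session_threshold < 0:
        findings.append(f"{name}: session_threshold is required and must be zero or greater")
    if is_blank(eff.query_prefix):
        findings.append(f"{name}: no query prefix, query results are not filtered")
    return eff, findings

# Constructed sample data: one role and three users assigned to it.
ROLE = Attrs(query_timeout=5, query_prefix="'service' = 80", session_threshold=100000)
USERS = {
    "alice": Attrs(),                                       # inherits everything
    "bob": Attrs(query_timeout=0),                          # removes the timeout
    "carol": Attrs(query_timeout=-1, session_threshold=0),  # invalid timeout
}

if __name__ == "__main__":
    for name, user in USERS.items():
        eff, findings = audit(name, ROLE, user)
        print(name, eff)
        for line in findings:
            print("  ", line)
```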
To set query-handling attributes for a user:
- In the Security Analytics menu, select Administration > Security.
  The Security view is displayed with the Users tab open.
- If you are adding a user, click . If you are editing a user, select the user and click .
- In the Add or Edit User dialog, select the Attributes tab.
- To set an attribute for the user:
  - (Optional) In the SA Core Query Timeout field, type the maximum number of minutes that a user can run a query. This timeout only applies to queries performed from Investigation. This field is blank by default. If you do not want to override the assigned role settings, leave this field blank. Security Analytics 10.5 and later Core services use this field.
  - (Optional) In the SA Core Query Level field, select the query level for the user. The default query levels are Query Level 1 = 60 minutes, Query Level 2 = 40 minutes, and Query Level 3 = 20 minutes. Security Analytics 10.4 and earlier Core services use this field. Query Level is deprecated for Core services starting with Security Analytics 10.5.
  - (Optional) Type an SA Core Query Prefix to filter query results the user sees. By default, this is blank.
  - Type an SA Core Session Threshold for the system to stop its determination of the session count. The default is 100000. The limit you specify here overrides the Max Session Export value defined in Profile > Preferences > Investigation.
- (Optional) If you want to revert to the existing values, click Reset Form.
- Click Save.
To verify the attributes assigned to a user, you can turn on DEBUG logging for the com.netwitness.platform.server.common.auth package. When the user logs on to Security Analytics, a DEBUG log message is generated that shows the attributes applied for that user.