After you define your user roles, it is important to verify the query and session attributes that are set for each role. You can adjust these settings according to your requirements.

You can understand how these role settings impact individual user settings and what happens if a user is a member of multiple roles.

Query and Session Attributes

Query and session attributes determine how to handle the queries that a user runs. These attributes enable you to lock down the information that users can retrieve, and the attributes apply to all sessions of users assigned to a role.

Depending on your requirements, you can specify the following query-handling attributes for a user role:

  • Core Query Timeout is an optional setting that applies to NetWitness Platform Core services. It specifies the maximum number of minutes that a user can run a query. If this value is set, it must be zero (0) or greater. A value of zero represents no timeout. The default value is 5 minutes.
  • Core Session Threshold is a required setting. This value must be zero (0) or greater. The default is 100000. The limit you specify here overrides the Max Session Export value defined in the Investigate view settings. If the threshold is greater than zero, a query optimization will extrapolate the total session counts that exceed the threshold. When the meta value count returned by the query reaches the threshold, the system will:
    • Stop its determination of the session count.
    • Show the threshold and percentage of query time used to reach the threshold.
  • Core Query Prefix is an optional filter applied to queries the user runs. The prefix restricts query results that the user sees. For example, the 'service' = 80 query prefix is prepended to any queries run by the user, and the user can only access metadata of HTTP sessions. If you set up data privacy using a whitelist, every meta key specified in the core query prefix must also be whitelisted as described in the Data Privacy Management Guide.

Note: In Version 11.1 and later, you can use configured meta entities in a Core Query Prefix. For additional information about configuring meta entities, refer to the Core Database Tuning Guide.

The query-handing attribute settings applied for a user depend on the role memberships of the user. It is important to verify the query-handling attribute settings for your roles.

How Query-Handling Attribute Settings Apply to Individual Users

If a user is a member of multiple roles, the following logic applies for the user:

  • Query Timeout: The most permissive (highest) value of all assigned roles is applied to the user.
  • Query Prefix: The query prefixes of each of the user roles are AND'd together.
  • Session Threshold: The highest value of all the assigned roles is applied to the user.

Set Query Handling Attributes for a User Role

  1. Go to AdminIcon_25x22.png (Admin) > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Roles tab. If you are adding a role, click icon-add.png. If you are editing a role, select the role and click icon_edit.png.
    The Add or Edit Role dialog is displayed.
  3. To set the attributes for the role, in the Attributes section:
    • (Optional) In the Core Query Timeout field, type the maximum number of minutes that a user can run a query. This timeout applies to queries performed from Investigate.
    • Type a Core Session Threshold for the system to stop its determination of the session count.
    • (Optional) Type a Core Query Prefix to filter query results that role members see in the Investigate Navigate view, Events view, and Event Analysis view. You can specify a query that is prepended to all queries executed by users with a specific role. For example, if the 'service' = 80 query prefix is prepended to all queries by users in this role, the users can only access metadata of HTTP sessions. If users attempt to navigate to non-HTTP event, the view is not displayed.

    Caution: If you add or modify a query prefix, and a user who has access to everything falls into a user role that is now restricted by a query prefix, that user will still be able to access cached data and view restricted content. To remove visibility of restricted content and enforce the query prefix in the Navigate or Events view, go to AdminIcon_25x22.png (Admin) > System > Investigation, and use Reconstruction Cache Settings to clear the cache for all services available to affected users. The user will still be able to access cached data and view restricted content in the Event Analysis view until the analyst restarts the NetWitness Investigate services or the cache is cleared automatically after 24 hours.

  1. Click Save.