Types of resource restrictions

You can set limitations on searches by configuring either time or data set restrictions based on user, role, or tenant.

Resource restrictions are applied in the following order: user, user role, and tenant. For example, restrictions that are set for a user take precedence over restrictions that are set for the user role or tenant that the user is assigned to.

You can set the following types of restrictions on event and flow searches:

- The length of time that a search runs before data is returned.
- The time span of the data to be searched.
- The number of records that are processed by the Ariel query server.

User-based restrictions

User-based restrictions define limits for an individual user, and they take precedence over role and tenant restrictions.

For example, your organization hires university students to work with the junior analysts in your SOC. The students have the same user role as the other junior analysts, but you apply more restrictive user-based restrictions until the students are properly trained in building QRadar® queries.

Role-based restrictions

Role-based restrictions allow you to define groups of users who require different levels of access to your QRadar deployment. By setting role-based restrictions, you can balance the needs of different types of users.

For example, a junior security analyst might focus on security incidents that happened recently, while a senior security analyst might be more involved in forensic investigations that review data over a longer period of time. By setting role-based restrictions, you can limit a junior analyst to accessing only the last 7 days of data, while a senior analyst has access to a much larger time span of data.