Port Access and Map Sharing

There are two ways to define a user’s access to ports and maps:

■   Port-based access levels
■   Map sharing

Both methods assign permissions to user roles, as defined by the user groups, rather than specific user accounts.

Port-based Access Levels

Users are assigned roles based on their user group. Each user group is given permission to specific ports on the node. There are four port-based permission levels:

■   Level 1—Can view the port but cannot make any changes to port settings or maps. When applied to a network port, can view maps attached to the network port. This level is used for users who only need to monitor the activities of the port.
■   Level 2—Can use the port for maps, create tool-mirror to/from port, and change egress port filters. Can configure port-lock, lock-share, and all traffic objects except port-pair. Also includes all Level 1 permissions.
■   Level 3—Can configure port parameters (such as administrative status of the port, speed, duplex, and autonegotiation), as well as create port pairs. Also includes all Level 2 and Level 1 permissions.
■   Level 4—Can change the port type. Also includes all Level 3, 2, and 1 permissions.

Table 1: Port-based Permission Levels summarizes the permissions for each of the levels.

Table 1: Port-based Permission Levels

| Permissions | Level 1 | Level 2 | Level 3 | Level 4 | Admin |
|---|---|---|---|---|---|
| View port | ✓ | ✓ | ✓ | ✓ | ✓ |
| View maps attached to network port | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit map attached to port | ✗ | ✓ | ✓ | ✓ | ✓ |
| Create tool-mirror to/from port | ✗ | ✓ | ✓ | ✓ | ✓ |
| Change egress filters | ✗ | ✓ | ✓ | ✓ | ✓ |
| Edit port parameters | ✗ | ✗ | ✓ | ✓ | ✓ |
| Create port pairs | ✗ | ✗ | ✓ | ✓ | ✓ |
| Change port type | ✗ | ✗ | ✗ | ✓ | ✓ |

How to share Maps

Maps can be shared with one or more user groups. When sharing a map, the map owner or Admin designates which user groups have which permissions. There are four map-sharing permission levels:

■   Read Only – Can view the map but cannot make any changes.
■   Listen – Can add or remove tool ports they own*. This is equivalent to “subscribing” to a map.
■   Read/Write – Can delete and edit the map, can remove any network ports, can add network ports they own*, and can add or remove tool ports they own*.
■   Read/Write/Owner – Can perform all the Read/Write functions and assign map sharing permission levels.

*Requires Level 2 or Level 3 access, based on User Group membership.

Table 2: Permission Levels for Map Sharing summarizes the permission levels for map sharing.

Table 2: Permission Levels for Map Sharing

| Permissions | Read Only | Listen | Read/Write | Read/Write/Owner |
|---|---|---|---|---|
| View map | ✓ | ✓ | ✓ | ✓ |
| Add tool port* | ✗ | ✓ | ✓ | ✓ |
| Remove tool port | ✗ | ✓* | ✓ | ✓ |
| Remove network port | ✗ | ✗ | ✓ | ✓ |
| Add network port* | ✗ | ✗ | ✓ | ✓ |
| Delete/edit map | ✗ | ✗ | ✓ | ✓ |
| Share map | ✗ | ✗ | ✗ | ✓ |

*Only applies to ports to which the user has Level 2 or Level 3 access.

Note:  In Table 2: Permission Levels for Map Sharing, tool port includes ports of type tool and inline-tool. Network port includes ports of type network and inline-network.

The admin user can also assign map sharing permissions.

Users with Level 1 (or greater) access to a given network port can also view, but not edit, maps associated with that network port. This is independent of the map sharing permissions.

Map sharing permissions override and supersede role-based access controls. Thus, a user group can be assigned Read/Write access to a map even if they do not have any access rights to any of the associated network or tool ports. However, adding tool ports to a map or removing network or tool ports from a map requires Level 2 or Level 3 permissions, as defined by the user group, for the ports to be added or removed.
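The following added example (not vendor code) models how the two permission schemes on this page combine, and audits a configuration for user groups that can edit or delete a map through sharing alone while holding no access level on any of the map's ports. Assumptions: the asterisked cells of Table 2 are taken as the places where port Level 2 or higher is also required, "Level 2 or Level 3" is modeled as Level 2 or above, and the group names, port names and function names are hypothetical.

```python
# Added example: models the rules stated on this page; not vendor code.
SHARE_RANK = {"none": 0, "read-only": 1, "listen": 2, "read-write": 3, "owner": 4}

# action: (minimum sharing level, sharing levels where Table 2 marks the cell "*")
# Assumption: "*" means the group also needs port Level 2+ on the port touched.
RULES = {
    "view_map":            ("read-only",  ()),
    "add_tool_port":       ("listen",     ("listen", "read-write", "owner")),
    "remove_tool_port":    ("listen",     ("listen",)),
    "remove_network_port": ("read-write", ()),
    "add_network_port":    ("read-write", ("read-write", "owner")),
    "edit_map":            ("read-write", ()),
    "share_map":           ("owner",      ()),
}

def allowed(action, share, port_level=0, attached_net_levels=()):
    """share: the group's sharing level on the map.
    port_level: the group's level (0-4) on the port the action touches.
    attached_net_levels: the group's levels on the map's network ports."""
    # Level 1+ on an attached network port grants view, independent of sharing.
    if action == "view_map" and any(lv >= 1 for lv in attached_net_levels):
        return True
    min_share, starred = RULES[action]
    if SHARE_RANK[share] < SHARE_RANK[min_share]:
        return False
    return not (share in starred and port_level < 2)

def audit(map_ports, shares, port_levels):
    """Return groups whose map share allows edit/delete although they hold
    no access level on any port of the map (the override case above)."""
    findings = []
    for group, share in shares.items():
        levels = [port_levels.get(group, {}).get(p, 0) for p in map_ports]
        if allowed("edit_map", share) and max(levels, default=0) == 0:
            findings.append(group)
    return sorted(findings)

# Constructed sample configuration (hypothetical group and port names).
MAP_PORTS = ["1/1/x1", "1/1/x5"]
SHARES = {"secops": "read-write", "netmon": "listen", "contractors": "read-write"}
PORT_LEVELS = {"secops": {"1/1/x1": 3, "1/1/x5": 2}, "netmon": {"1/1/x5": 1}}

if __name__ == "__main__":
    print("edit without port access:", audit(MAP_PORTS, SHARES, PORT_LEVELS))
    print("netmon add tool port:", allowed("add_tool_port", "listen", port_level=1))
```

Running the audit periodically against exported group, port and map-sharing settings surfaces Read/Write grants that bypass port-level roles.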