About Role-Based Access
GigaVUE H Series and TA Series nodes use role-based access to manage access to the Gigamon Visibility and Analytics Fabric. Creating roles and assigning users to those roles from H-VUE or the CLI allows separate sets of tool ports to be partitioned among different groups of users while different sets of network ports are shared. This makes it possible to give groups of users with different analysis needs full access to the packets they need for their tools.
GigaVUE-FM provides a mode that controls whether GigaVUE-FM manages devices under a single admin-level device account provided during the Add Physical Node process. The devices managed by GigaVUE-FM should be able to validate user credentials with the credentials provided to the device during the login from GigaVUE-FM. If the user account does not exist on the device or the passwords do not match, GigaVUE-FM cannot log in to the device. To minimize this type of problem, it is recommended that both GigaVUE-FM and the managed device validate user credentials against a common authentication service (such as LDAP, RADIUS, or TACACS+).
GigaVUE-FM has an RBAC mode that is set by default. When in RBAC mode, GigaVUE-FM ensures that the users are added to the local server or the central server (LDAP, RADIUS, or TACACS+) on the GigaVUE-FM with the same node credentials as the device.
Note: Starting in Software version 5.7, device RBAC is not supported in GigaVUE-FM for new users. But, if you are already using device RBAC and upgrade to GigaVUE-FM version 5.7, then GigaVUE-FM supports device RBAC and also provides an option for the existing users to migrate to GigaVUE-FM RBAC.
To set this:
1. On the right side of the top navigation bar, click ![]()
2. On the left navigation pane, select Authentication > RBAC.
The RBAC page is displayed, as shown in Figure 271: Enabling or Disabling RBAC Mode on GigaVUE-FM.
Figure 271: Enabling or Disabling RBAC Mode on GigaVUE-FM
3. Select or clear the checkbox as required:
• If the checkbox is cleared (which is the default), device RBAC is supported in GigaVUE-FM. For a GigaVUE-FM user to be able to manage a node, the user should have the same credentials (username and password) in both GigaVUE-FM and the node. If the number of nodes and/or devices is large, it is recommended that LDAP or a similar mechanism be used to ease user management.
• If the checkbox is selected, GigaVUE-FM RBAC is used to manage the devices.
In both cases, GigaVUE-FM RBAC is enforced. For example, a GigaVUE-FM user with the role fm_user will not be able to modify anything on the node.
Note: Selecting or clearing the checkbox has no impact on the following operations performed by GigaVUE-FM:
• Rediscovery
• Configuration sync
• Statistics collection
Irrespective of whether the checkbox is selected or cleared, GigaVUE-FM uses the credentials stored in the GigaVUE-FM database to manage the devices.
4. Click Save to set the mode.
For more detailed information related to role-based access, refer to the following sections:
• Access Levels on GigaVUE-FM
• Role-Based Access and Flow Mapping