About Security and Access
The GigaVUE HC Series nodes provide an interlocking set of options that let you create a comprehensive security strategy for the node. These options are summarized in the following table:
Security Tools | Description
--- | ---
Roles/Groups | Roles specify which users have access to a given port. The following built-in roles are provided: Administrators create additional custom roles and assign them to users together with the Default role. For example, if you create a role named Security_Team and assign it to tool port 5/1/x2, users assigned the Security_Team role will be able to access tool port 5/1/x2. Conversely, users without a role that gives them some access to tool port 5/1/x2 will not even be able to see it in the CLI. Users can have multiple assigned roles, allowing administrators to fine-tune access to the Gigamon Deep Observability Pipeline.
Permissions | Administrators assign Permissions to specify what users can do with a port to which they have access. You can assign the following permission levels: Permissions are hierarchical so that higher levels include all lower-level permissions (for example, a Level 3 user also has Level 2 permissions and can configure all traffic distribution, set locks, and share locks). Administrators can configure permissions differently on a port-by-port basis for a given role. This can be useful in situations where you want to give a group full authority to reconfigure maps and port parameters for a set of tool ports but only map creation permissions for a network port shared with other groups.
Port Locking/Sharing | Port locking lets a user with Level 2+ access to a port prevent other users from changing any settings for a locked port. This is useful in situations where a user needs undisturbed access to a port for short-term troubleshooting. When a port is locked, all users with Level 2+ access to the port will temporarily only have Level 1 access (read-only). Normal configured permissions are restored when the lock is released. Users can also share a locked port with any other specified user. Sharing a locked port provides the account with whom the port is shared the same port permissions as the account sharing the port. So, for example, if UserX has Level 2 permissions on port 12/5/x3, he can share a lock on 12/5/x3 with any other user account, providing them with Level 2 permissions regardless of their normal privileges on the port.
Authentication | The GigaVUE HC Series node can authenticate users against a local user database or against the database stored on an external authentication server (LDAP, RADIUS, or TACACS+). Admin users can specify the authentication methods used for logging in using AAA Authentication. Note: The serial console port always retains local authentication as a fallback option to prevent unintended lockouts.
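The Permissions and Port Locking/Sharing rows describe rules that interact: per-role, per-port levels, a lock that temporarily demotes every other Level 2+ user to read-only, and a share that hands the lock holder's level to another account. The model below is an added example written for this page, not Gigamon code; the port, role and user names are constructed, and it assumes Level 1 is read-only and Level 2 is the minimum needed to set a lock, as the table states.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """role_levels maps a role name to the level that role holds on this port
    (the page says levels are configured per role, per port)."""
    name: str
    role_levels: dict
    locked_by: object = None        # user name holding the lock, or None
    shared_with: set = field(default_factory=set)

def base_level(roles, port):
    """Highest level any of the user's roles grants on the port, or None when no role
    grants access (such users cannot even see the port)."""
    levels = [port.role_levels[r] for r in roles if r in port.role_levels]
    return max(levels) if levels else None

def effective_level(user, user_roles, port):
    """Level the user has right now, accounting for an active lock and any shares."""
    base = base_level(user_roles.get(user, ()), port)
    if port.locked_by is None or user == port.locked_by:
        return base
    if user in port.shared_with:
        # A shared account gets the lock holder's permissions on the port,
        # regardless of its own normal privileges.
        return base_level(user_roles[port.locked_by], port)
    if base is None:
        return None
    # Everyone else with Level 2+ drops to Level 1 (read-only) until the lock is released.
    return min(base, 1)

def lock_port(user, user_roles, port):
    """Locking requires Level 2+ on the port."""
    if (base_level(user_roles.get(user, ()), port) or 0) < 2:
        raise PermissionError(f"{user} needs Level 2+ on {port.name} to lock it")
    port.locked_by = user
    port.shared_with = set()

def share_lock(holder, other, port):
    """Only the lock holder can share it."""
    if port.locked_by != holder:
        raise PermissionError(f"{holder} does not hold the lock on {port.name}")
    port.shared_with.add(other)

def unlock_port(user, port):
    """Releasing the lock restores normal configured permissions."""
    if port.locked_by != user:
        raise PermissionError(f"{user} does not hold the lock on {port.name}")
    port.locked_by = None
    port.shared_with = set()
```

Running the page's own scenario through it (UserX at Level 2 locks 12/5/x3 and shares with a user who has no role on the port) shows the shared user at Level 2 while a Level 3 user is held at Level 1 until the lock is released.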