> ## Documentation Index
> Fetch the complete documentation index at: https://ona.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Port sharing policy

> Control whether members can share ports from environments and how widely those ports can be accessed.

Control whether users can expose ports from environments to the network and who can access those shared ports. Useful when:

* Preventing accidental exposure of development services
* Enforcing network security policies
* Restricting access to internal services

## Port access levels

When port authentication is available, each shared port can use one of these access levels:

| Dashboard label            | CLI value      | Who can access it                             |
| -------------------------- | -------------- | --------------------------------------------- |
| Creator only               | `creator_only` | Only the environment creator after signing in |
| Organization members only  | `organization` | Signed-in members of the same organization    |
| Anyone (no login required) | `everyone`     | Anyone who can reach the URL                  |

If you narrow a port from `everyone` to a more restrictive level, existing browser sessions must authenticate again before the port loads.

## Settings

<img src="https://mintcdn.com/gitpod-13c83c2b/OlRNf2HjRGblBNyT/images/docs/ona/organizations/port-sharing-policy.png?fit=max&auto=format&n=OlRNf2HjRGblBNyT&q=85&s=ead29c45f7e76eca084150011eedf00e" alt="Port sharing policy settings showing the Disable port sharing toggle and Maximum port admission level dropdown" width="1062" height="390" data-path="images/docs/ona/organizations/port-sharing-policy.png" />

### Disable port sharing

Check **Disable port sharing** to block user-initiated shared ports in the dashboard and CLI. Use this when your organization does not allow externally reachable development services at all.

### Maximum port admission level

Use **Maximum port admission level** to cap the most permissive access level members can choose when opening or editing a port.

| Setting                    | What users can choose                         |
| -------------------------- | --------------------------------------------- |
| Creator only               | Only `creator_only`                           |
| Organization members only  | `creator_only` or `organization`              |
| Anyone (no login required) | `creator_only`, `organization`, or `everyone` |

When the cap is lower than a user's requested access level, the dashboard disables the blocked options and the CLI/API rejects wider access levels.

### How the controls interact

These controls are orthogonal:

* **Disable port sharing** answers "can users open shared ports at all?"
* **Maximum port admission level** answers "if they can open a port, how broadly may they share it?"

If **Disable port sharing** is turned on, it takes precedence and the maximum-admission dropdown becomes inactive until port sharing is re-enabled.

For the user-facing flow for opening ports, see [Port sharing](/ona/integrations/ports#open-ports). For the browser retry flow, see [Access denied and retry](/ona/integrations/ports#access-denied-and-retry).

## Exemptions

VS Code Browser and agents are exempt from this policy and continue to work when port sharing is disabled. Only user-initiated port sharing is affected.

## Effect on users

* Dashboard users cannot choose admission levels above the configured cap
* CLI users cannot open ports when port sharing is disabled, and `ona environment port open --admission ...` fails if the requested level exceeds the cap
* Users see a notification or error explaining the restriction
* VS Code Browser and agents remain functional