
Authentication and Authorization

All interactions with Globus Action Providers and Globus Flows are authenticated by Globus Auth.

Tokens provided by Globus Auth authenticate the user and provide limited authorization semantics. Roles established within the Globus Flows service provide richer authorization capabilities for flows and runs.

Authentication

Globus Flows APIs require the use of OAuth2 access tokens issued by Globus Auth unless stated otherwise.

Tokens must be requested with one or more of the Globus Flows scopes listed below, or for a scope associated with a specific flow.

Once obtained, the access token must be sent in the Authorization header using the Bearer scheme:

Authorization: Bearer <access_token>

For example, using curl:

curl -H "Authorization: Bearer $TOKEN" https://flows.automate.globus.org/

Service Scopes

The following scopes belong to the Globus Flows service; a token carrying one of them is able to manipulate flows and runs to the extent that scope allows.

Name          Scope String                                                                        Definition
manage_flows  https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/manage_flows  Grants ability to manage flows
view_flows    https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/view_flows    Grants ability to view flows
run           https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run           Grants ability to view flows
run_status    https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run_status    Grants ability to check the status of runs
run_manage    https://auth.globus.org/scopes/eec9b274-0c81-4334-bdc2-54e90e689b9a/run_manage    Grants ability to manage runs

Flow Scopes

In addition to the service scopes, each flow has its own scope which is named based on the flow ID.

These scopes can be requested from the flow itself or via a supported Globus SDK.

For example, to get the scope for a flow with ID f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e using an authenticated curl and the jq tool:

curl -s -H "Authorization: Bearer $TOKEN" \
    "https://flows.automate.globus.org/flows/f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e" \
    | jq -r '.globus_auth_scope'

Or via the globus CLI:

globus flows show "f1b4c6c0-6b2d-11e9-bd8c-0a06afd4a22e" \
    --jmespath 'globus_auth_scope' -Funix

The flow's specific scope is used to start runs of the flow.

Authorization

Authorization in Globus Flows is managed via roles. In addition to the capabilities and restrictions on tokens provided by scopes, roles establish the permissions and capabilities of users.

Roles are defined for flows and runs.

Flow Roles

Permissions on flows are managed via lists of identities and groups. These lists define which users have a given role on the flow.

The supported roles are:

flow_viewers

Users who are allowed to see that the flow exists and read its definition. Users without this permission cannot see that the flow exists.

flow_starters

Users who can run this flow. A user without flow_starters permissions will receive an error if they attempt to start this flow. flow_starters have all of the capabilities of flow_viewers.

flow_administrators

Users who can manage the flow's roles, edit its definition, and alter metadata such as "title" and "description". flow_administrators have all of the capabilities of flow_starters.

flow_owner

The user primarily responsible for maintaining the flow. Other users with flow_administrators permissions may assume ownership of the flow. A flow_owner has all of the capabilities of flow_administrators.

Run Roles

A run is an instance of a flow, started by a particular user, at a point in time, and viewable until (and after) completion.

The runner of a flow may be different from the flow's author, so the run has its own roles which are as follows:

run_monitors

Users who can view the current state of this run, including the steps which have been executed, the input and output of each step, and whether or not the run has terminated.

run_managers

Users who can edit the run's metadata (e.g. label and tags) and cancel the execution of the run. run_managers have all of the capabilities of run_monitors.

run_owner

The user who started this run. This role cannot be transferred to another user. A run_owner has all of the capabilities of run_managers.

Note

Users with permissions on a Flow are not given any implicit permissions on Runs of that Flow.

If a user running a Flow wants to allow an owner or administrator of the Flow to see their Run, they must explicitly grant that permission.

Role Values

Roles within Globus Flows are primarily specified in the form of Principal URNs.

To formulate a Principal URN, prefix Identity IDs with urn:globus:auth:identity: and Group IDs with urn:globus:groups:id:.

For example, urn:globus:auth:identity:46bd0f56-e24f-11e5-a510-131bef46955c specifies an Identity ID. It can be used to indicate that the user with ID 46bd0f56-e24f-11e5-a510-131bef46955c has a given role. Similarly, urn:globus:groups:id:fdb38a24-03c1-11e3-86f7-12313809f035 specifies the Group with ID fdb38a24-03c1-11e3-86f7-12313809f035. It can be used to indicate that all members of that Group have a given role.

In addition to Principal URNs, two special values are defined by the service for use in roles:

all_authenticated_users

All users who have logged in via Globus Auth

public

all_authenticated_users plus unauthenticated access
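The two authorization layers described above, the scopes on the bearer token and the role lists on a flow, can be modelled together. The following is an added illustrative example, not the Globus Flows service's own enforcement code: the flow record, its IDs and its flow-specific scope value are constructed, and the scope-plus-role rule for starting a run is an assumption drawn from the text above.

```python
"""Illustrative model of token scopes plus flow roles (added example, not the
Globus Flows service's own logic). Flow record and IDs below are constructed."""
from dataclasses import dataclass, field

IDENTITY_URN = "urn:globus:auth:identity:"
GROUP_URN = "urn:globus:groups:id:"
# Flow roles from least to most privileged; each role implies every role before it.
FLOW_ROLE_ORDER = ("flow_viewers", "flow_starters", "flow_administrators", "flow_owner")

# Constructed sample flow; globus_auth_scope is the flow-specific scope field the
# page reads with jq (value here is a placeholder, not a real scope string).
SAMPLE_FLOW = {
    "globus_auth_scope": "https://auth.globus.org/scopes/CONSTRUCTED_FLOW_ID/CONSTRUCTED_SCOPE",
    "flow_owner": IDENTITY_URN + "11111111-1111-4111-8111-111111111111",
    "flow_administrators": [],
    "flow_starters": [GROUP_URN + "22222222-2222-4222-8222-222222222222"],
    "flow_viewers": ["all_authenticated_users"],
}


@dataclass
class Caller:
    identity_id: "str | None"           # None models an unauthenticated request
    group_ids: set = field(default_factory=set)
    token_scopes: set = field(default_factory=set)   # scope strings on the bearer token


def principals(caller):
    """Role values this caller matches: its Principal URNs plus the special values."""
    if caller.identity_id is None:
        return {"public"}
    mine = {"public", "all_authenticated_users", IDENTITY_URN + caller.identity_id}
    return mine | {GROUP_URN + g for g in caller.group_ids}


def effective_flow_role(caller, flow):
    """Highest flow role the caller holds, or None if the flow is invisible to them."""
    mine, best = principals(caller), None
    for role in FLOW_ROLE_ORDER:
        holders = flow.get(role, [])
        if isinstance(holders, str):      # flow_owner is a single principal
            holders = [holders]
        if mine.intersection(holders):
            best = role
    return best


def may_start_run(caller, flow):
    """Both layers must pass: the flow-specific scope on the token, and at least
    flow_starters for the caller (administrators and the owner rank higher)."""
    role = effective_flow_role(caller, flow)
    role_ok = role is not None and FLOW_ROLE_ORDER.index(role) >= 1
    return flow["globus_auth_scope"] in caller.token_scopes and role_ok
```

Note that the owner in the sample holds the highest role yet still cannot start a run with a token lacking the flow-specific scope, which is the "limited authorization semantics" of tokens described at the top of the page.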

© 2010- The University of Chicago