Permissions
The Flows service provides several roles that can be used to grant access to Globus users and groups on a particular flow or run.
In the tables below, each column represents the type and degree of access granted by a particular role.
Flow Roles
Permissions on flows are managed via lists of identities and groups. These lists define which users have a given role on the flow.
The supported roles are:
flow_viewers
- Users who are allowed to see that the flow exists and read its definition. Users without this permission cannot see that the flow exists.
flow_starters
- Users who can run this flow. A user without flow_starters permissions will receive an error if they attempt to start this flow. flow_starters have all of the capabilities of flow_viewers.
flow_administrators
- Users who can manage the flow's roles, edit its definition, and alter metadata such as "title" and "description". flow_administrators have all of the capabilities of flow_starters and are implicitly included as flow_run_managers.
flow_owner
- The user primarily responsible for maintaining the flow. Other users with flow_administrators permissions may assume ownership of the flow. A flow_owner has all of the capabilities of flow_administrators and is implicitly included as flow_run_managers.
flow_run_managers
- Users who can manage all runs of the flow. flow_run_managers can view the flow and have the capabilities of run_managers (except the ability to resume) on all of its runs. See Run Roles for more information.
flow_run_monitors
- Users who can view the current state of all runs of the flow. flow_run_monitors can view this flow and have the capabilities of run_monitors on all of its runs. See Run Roles for more information.
| | Flow Viewer | Flow Starter | Flow Administrator | Flow Owner | Flow Run Manager | Flow Run Monitor |
|---|---|---|---|---|---|---|
| Start Flow Run | No | Yes | Yes | Yes | No | No |
| Delete Flow | No | No | Yes | Yes | No | No |
| Flow Metadata | View | View | View & Modify | View & Modify | View | View |
| Flow Definition | View | View | View & Modify | View & Modify | View | View |
| Flow Input Schema | View | View | View & Modify | View & Modify | View | View |
| Flow Private Parameters | No Access | No Access | View & Modify | View & Modify | No Access | No Access |
| Flow Roles (Owner) | View | View | View & Modify | View & Modify | No Access | No Access |
| Flow Roles (Other) | No Access | No Access | View & Modify | View & Modify | No Access | No Access |
| Manage All Flow Runs | No | No | Yes | Yes | Yes | No |
| Monitor All Flow Runs | Yes | No | Yes | Yes | Yes | Yes |
Run Roles
A run is an instance of a flow, started by a particular user, at a point in time, and viewable until (and after) completion.
The runner of a flow may be different from the flow's author, so the run has its own roles which are as follows:
run_monitors
- Users who can view the current state of this run, including the steps which have been executed, the input and output of each step, and whether or not the run has terminated.
run_managers
- Users who can edit the run's metadata (e.g. label and tags) and cancel the execution of the run. run_managers have all of the capabilities of run_monitors.
run_owner
- The user who started this run. This role cannot be transferred to another user. A run_owner has all of the capabilities of run_managers.
flow_run_managers
- Users who can manage all runs of a flow. flow_run_managers have the capabilities of run_managers (except the ability to resume) on all of its runs.
flow_run_monitors
- Users who can view the current state of all runs of a flow. flow_run_monitors can view this flow and have the capabilities of run_monitors on all of its runs.
If a user running a flow wants to allow an owner or administrator of the flow to manage or see their run, they must explicitly grant that permission.
| | Run Monitor | Run Manager | Run Owner | Flow Run Manager | Flow Run Monitor |
|---|---|---|---|---|---|
| Cancel Run | No | Yes | Yes | Yes | No |
| Resume Run | No | Yes | Yes | No | No |
| Run Metadata | View | View & Modify | View & Modify | View & Modify | View |
| Run Event Log | View | View | View | View | View |
| Flow Definition Snapshot | View | View | View | View | View |
| Flow Input Schema Snapshot | View | View | View | View | View |
| Run Roles (Owner) | View | View | View | View | View |
| Run Roles (Other) | No Access | View & Modify | View & Modify | View & Modify | No Access |
Role Values
Roles within Globus Flows are primarily specified in the form of Principal URNs. To formulate a Principal URN, prefix Identity IDs with urn:globus:auth:identity: and Group IDs with urn:globus:groups:id:.
For example, urn:globus:auth:identity:46bd0f56-e24f-11e5-a510-131bef46955c specifies an Identity ID. It can be used to indicate that the user with ID 46bd0f56-e24f-11e5-a510-131bef46955c has a given role.
Similarly, urn:globus:groups:id:fdb38a24-03c1-11e3-86f7-12313809f035 specifies the Group with ID fdb38a24-03c1-11e3-86f7-12313809f035. It can be used to indicate that all members of that Group have a given role.
In addition to Principal URNs, two special values are defined by the service for use in roles:
all_authenticated_users
- All users who have logged in via Globus Auth
public
- all_authenticated_users plus unauthenticated access
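The following is an added example, not code from the Flows service or the Globus SDK, showing how to build and validate the role values described above. It accepts the two Principal URN forms (identity and group), the two special keywords, and rejects anything else; the widest_audience helper, the RoleValue record and all function names are constructed for this example. The UUIDs used in the usage notes are the ones from the examples above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

IDENTITY_PREFIX = "urn:globus:auth:identity:"
GROUP_PREFIX = "urn:globus:groups:id:"
SPECIAL_VALUES = ("all_authenticated_users", "public")
# Canonical hyphenated UUID; hex case is accepted and normalised to lower case.
_UUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


@dataclass(frozen=True)
class RoleValue:
    kind: str   # "identity", "group" or "special"
    value: str  # lower-cased UUID, or the special keyword itself

    @property
    def urn(self) -> str:
        """Re-serialise in the form the role list expects."""
        if self.kind == "identity":
            return IDENTITY_PREFIX + self.value
        if self.kind == "group":
            return GROUP_PREFIX + self.value
        return self.value


def _uuid_or_raise(text: str, what: str) -> str:
    # fullmatch: no trailing newline or other junk may ride along with the ID.
    if not _UUID.fullmatch(text):
        raise ValueError(f"{what} is not a UUID: {text!r}")
    return text.lower()


def identity_urn(identity_id: str) -> str:
    return IDENTITY_PREFIX + _uuid_or_raise(identity_id, "Identity ID")


def group_urn(group_id: str) -> str:
    return GROUP_PREFIX + _uuid_or_raise(group_id, "Group ID")


def parse_role_value(raw: str) -> RoleValue:
    """Parse one entry of a role list into its kind and normalised value."""
    if raw in SPECIAL_VALUES:  # exact, case-sensitive keywords
        return RoleValue("special", raw)
    if raw.startswith(IDENTITY_PREFIX):
        return RoleValue("identity", _uuid_or_raise(raw[len(IDENTITY_PREFIX):], "Identity URN"))
    if raw.startswith(GROUP_PREFIX):
        return RoleValue("group", _uuid_or_raise(raw[len(GROUP_PREFIX):], "Group URN"))
    raise ValueError(f"unrecognised role value: {raw!r}")


def is_valid_role_value(raw: str) -> bool:
    try:
        parse_role_value(raw)
        return True
    except ValueError:
        return False


def widest_audience(values: list[str]) -> str:
    """Broadest audience a role list reaches: 'public' > 'all_authenticated_users'
    > 'group' > 'identity' > 'none'. Handy when reviewing how far a role on a
    flow or run actually opens it up."""
    order = ["none", "identity", "group", "all_authenticated_users", "public"]
    widest = "none"
    for raw in values:
        rv = parse_role_value(raw)
        label = rv.value if rv.kind == "special" else rv.kind
        if order.index(label) > order.index(widest):
            widest = label
    return widest


if __name__ == "__main__":
    viewers = [
        identity_urn("46bd0f56-e24f-11e5-a510-131bef46955c"),
        group_urn("fdb38a24-03c1-11e3-86f7-12313809f035"),
    ]
    print(viewers, "->", widest_audience(viewers))            # group
    print(widest_audience(viewers + ["public"]))              # public
```

The parser is deliberately strict: a bare UUID without its prefix, a prefix with nothing after it, or a mis-cased keyword such as Public is rejected rather than guessed at, so a role list that contains such a value is caught before it is submitted rather than silently granting nothing (or something unintended).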
Globus Subscription
Most features of the Flows service are available without a subscription, but users may only have a single non-subscribed flow at a time. Flows without an assigned subscription expire after 30 days and cannot be run.
A flow must have an associated subscription in order to assign flow_run_managers and flow_run_monitors.
For more information, see: Globus Subscriptions.
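To make the Flow Roles and Run Roles definitions concrete, here is an added example (not code from the Flows service or its SDK) that encodes the inheritance rules stated above ("has all of the capabilities of", "implicitly included as"), the flow-level roles' reach into individual runs, and the subscription requirement for flow_run_managers and flow_run_monitors, then answers "what may this principal do on this flow or run?". The capability names, the Flow and Run classes, and the placeholder UUIDs are all constructed for this example; a principal is passed as the set of its identity URN plus any group URNs it belongs to.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# "X has all of the capabilities of Y" and "X is implicitly included as Y",
# transcribed from the Flow Roles and Run Roles definitions on this page.
INHERITS: dict[str, tuple[str, ...]] = {
    "flow_starters": ("flow_viewers",),
    "flow_administrators": ("flow_starters", "flow_run_managers"),
    "flow_owner": ("flow_administrators", "flow_run_managers"),
    "flow_run_managers": ("flow_viewers",),  # "can view the flow"
    "flow_run_monitors": ("flow_viewers",),  # "can view this flow"
    "run_managers": ("run_monitors",),
    "run_owner": ("run_managers",),
}

# Capabilities a role grants on its own. Names are constructed for this
# example and are not service identifiers.
GRANTS: dict[str, frozenset[str]] = {
    "flow_viewers": frozenset({"view_flow"}),
    "flow_starters": frozenset({"start_run"}),
    "flow_administrators": frozenset({"edit_flow", "manage_flow_roles"}),
    "flow_owner": frozenset(),
    "flow_run_managers": frozenset({"manage_all_runs"}),
    "flow_run_monitors": frozenset({"monitor_all_runs"}),
    "run_monitors": frozenset({"view_run"}),
    "run_managers": frozenset({"edit_run_metadata", "cancel_run", "resume_run"}),
    "run_owner": frozenset(),
}
ASSIGNABLE_FLOW_ROLES = {"flow_viewers", "flow_starters", "flow_administrators",
                         "flow_run_managers", "flow_run_monitors"}
ASSIGNABLE_RUN_ROLES = {"run_monitors", "run_managers"}
SUBSCRIPTION_ROLES = {"flow_run_managers", "flow_run_monitors"}


def expand(roles: set[str]) -> set[str]:
    """Close a set of directly held roles under the inheritance rules."""
    done: set[str] = set()
    todo = list(roles)
    while todo:
        role = todo.pop()
        if role not in done:
            done.add(role)
            todo.extend(INHERITS.get(role, ()))
    return done


def capabilities(roles: set[str]) -> set[str]:
    return set().union(*(GRANTS[r] for r in expand(roles)))


def held_roles(role_lists: dict[str, set[str]], principals: set[str]) -> set[str]:
    """Roles whose list names the identity URN or one of its group URNs."""
    return {role for role, members in role_lists.items() if members & principals}


@dataclass
class Flow:
    owner: str  # identity URN of the flow_owner
    subscription_id: str | None = None
    roles: dict[str, set[str]] = field(default_factory=dict)

    def can_assign(self, role: str) -> str | None:
        """None if the role may be assigned on this flow, else the reason it may not."""
        if role not in ASSIGNABLE_FLOW_ROLES:
            return f"not an assignable flow role: {role}"
        # Globus Subscription section: these two roles need a subscribed flow.
        if role in SUBSCRIPTION_ROLES and self.subscription_id is None:
            return f"{role} cannot be assigned to a flow without a subscription"
        return None

    def assign(self, role: str, principal: str) -> None:
        reason = self.can_assign(role)
        if reason is not None:
            raise ValueError(reason)
        self.roles.setdefault(role, set()).add(principal)

    def roles_of(self, principals: set[str]) -> set[str]:
        held = held_roles(self.roles, principals)
        if self.owner in principals:
            held.add("flow_owner")
        return expand(held)


@dataclass
class Run:
    flow: Flow
    owner: str  # identity URN of the run_owner; not transferable
    roles: dict[str, set[str]] = field(default_factory=dict)

    def assign(self, role: str, principal: str) -> None:
        if role not in ASSIGNABLE_RUN_ROLES:
            raise ValueError(f"not an assignable run role: {role}")
        self.roles.setdefault(role, set()).add(principal)


def flow_capabilities(flow: Flow, principals: set[str]) -> set[str]:
    return capabilities(flow.roles_of(principals))


def run_capabilities(run: Run, principals: set[str]) -> set[str]:
    """Run roles are held on the run itself. A flow-level role reaches a run only
    via flow_run_managers (run_managers minus resume) and flow_run_monitors
    (run_monitors), as the Run Roles definitions state."""
    held = held_roles(run.roles, principals)
    if run.owner in principals:
        held.add("run_owner")
    caps = capabilities(held)
    via_flow = run.flow.roles_of(principals)
    if "flow_run_managers" in via_flow:
        caps |= capabilities({"run_managers"}) - {"resume_run"}
    if "flow_run_monitors" in via_flow:
        caps |= capabilities({"run_monitors"})
    return caps


if __name__ == "__main__":
    # Constructed principals; the UUIDs are placeholders, not real Globus IDs.
    alice = "urn:globus:auth:identity:00000000-0000-4000-8000-00000000000a"
    bob = "urn:globus:auth:identity:00000000-0000-4000-8000-00000000000b"
    ops = "urn:globus:groups:id:00000000-0000-4000-8000-000000000100"
    flow = Flow(owner=alice, subscription_id="constructed-subscription-id")
    flow.assign("flow_starters", bob)
    flow.assign("flow_run_monitors", ops)
    run = Run(flow=flow, owner=bob)
    print("bob on the flow:", sorted(flow_capabilities(flow, {bob})))
    print("alice on bob's run:", sorted(run_capabilities(run, {alice})))
    print("ops member on bob's run:", sorted(run_capabilities(run, {ops})))
```

Two points the evaluator makes visible: the flow owner reaches bob's run only through the implicit flow_run_managers membership, which is why resume_run is absent from alice's run capabilities, and a flow with no subscription_id reports a reason from can_assign for flow_run_managers and flow_run_monitors, so the check can be run before a role change is submitted.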