Permissions

The Flows service provides several roles that can be used to grant access to Globus users and groups on a particular flow or run.

In the tables below, the each column represents the type and degree of access granted by a particular role. The roles with least access appear first and incrementally increase to the right.

Flow Roles

Permissions on flows are managed via lists of identities and groups. These lists define which users have a given role on the flow.

The supported roles are:

flow_viewers: Users who are allowed to see that the flow exists and read its definition. Users without this permission cannot see that the flow exists.
flow_starters: Users who can run this flow. A user without flow_starters permissions will receive an error if they attempt to start this flow. flow_starters have all of capabilities of flow_viewers.
flow_administrators: Users who can manage the flow's roles, edit its definition, and alter metadata such as "title" and "description". flow_administrators have all of capabilities of flow_starters.
flow_owner: The user primarily responsible for maintaining the flow. Other users with flow_administrators permissions may assume ownership of the flow. A flow_owner has all of the capabilities of flow_administrators.

	Flow Viewer	Flow Starter	Flow Administrator	Flow Owner
Start Flow Run	No	Yes	Yes	Yes
Delete Flow	No	No	Yes	Yes
Flow Metadata	View	View	View & Modify	View & Modify
Flow Definition	View	View	View & Modify	View & Modify
Flow Input Schema	View	View	View & Modify	View & Modify
Flow Private Parameters	No Access	No Access	View & Modify	View & Modify
Flow Roles (Owner)	View	View	View & Modify	View & Modify
Flow Roles (Other)	No Access	No Access	View & Modify	View & Modify

Run Roles

A run is an instance of a flow, started by a particular user, at a point in time, and viewable until (and after) completion.

The runner of a flow may be different from the flow's author, so the run has its own roles which are as follows:

run_monitors: Users who can view the current state of this run, including the steps which have been executed, the input and output of each step, and whether or not the run has terminated.
run_managers: Users who can edit the run's metadata (e.g. label and tags) and cancel the execution of the run. run_managers have all of the capabilities of run_monitors.
run_owner: The user who started this run. This role cannot be transferred to another user. A run_owner has all of the capabilities of run_managers.

Note

Users with permissions on a flow are not given any implicit permissions on runs of that flow.

If a user running a flow wants to allow an owner or administrator of the flow to see their run, they must explicitly grant that permission.

	Run Monitor	Run Manager	Run Owner
Cancel Run	No	Yes	Yes
Resume Run	No	Yes	Yes
Run Metadata	View	View & Modify	View & Modify
Run Event Log	View	View	View
Flow Definition Snapshot	View	View	View
Flow Input Schema Snapshot	View	View	View
Run Roles (Owner)	View	View	View
Run Roles (Other)	No Access	View & Modify	View & Modify

Role Values

Roles within Globus Flows are primarily specified in the form of Principal URNs.

To formulate a Principal URN, prefix Identity IDs with urn:globus:auth:identity: and Group IDs with urn:globus:groups:id:.

For example, urn:globus:auth:identity:46bd0f56-e24f-11e5-a510-131bef46955c specifies an Identity ID. It can be used to indicate that the user with ID 46bd0f56-e24f-11e5-a510-131bef46955c has a given role. Similarly, urn:globus:groups:id:fdb38a24-03c1-11e3-86f7-12313809f035 specifies the Group with ID fdb38a24-03c1-11e3-86f7-12313809f035. It can be used to indicate that all members of that Group have a given role.

In addition to Principal URNs, two special values are defined by the service for use in roles:

all_authenticated_users: All users who have logged in via Globus Auth
public: all_authenticated_users plus unauthenticated access