Guest Collection Permission Management
1. Overview
Both Globus Connect Server and Globus Connect Personal guest collections use permissions managed in the Transfer service to give collection access to users to users who do not have a local account on the parent mapped collection. The Transfer API provides resources for reading, creating, updating and deleting permissions. Each guest collection can have at most 1000 permissions.
Transfer-managed permissions are always additive, so permissions cannot be further restricted in subdirectories. For example, if a permission gives an identity read-write access to "/projects/" and another permission gives read-only access to "/projects/study1/", then the identity is still granted full read-write access to "/projects/study1/".
2. Roles
Managing permissions on a guest collection requires an "administrator", "restricted_administrator", or "access_manager" effective role on the guest collection:
-
An "administrator" has the ability to view, create, edit, and delete permissions on the guest collection, and can also assign additional "administrator" or "access_manager" roles.
-
A "restricted_administrator" has the ability to view and delete permissions on the guest collection, but cannot grant themselves data access by creating or editing permissions or assigning additional roles.
-
An "access_manager" has the ability to view, create, edit, and delete permissions on the guest collection, but cannot assign new roles.
Identities and groups with an "access_manager" or "administrator" effective role
on a guest collection also have an implicit "rw" permission on "/". These are
visible in the permission list, but the implicit permissions
can’t be fetched, updated or deleted using the below permission resources. The
Roles resources should be used to
manipulate role assignments. Note that permissions from roles can only have
principal_type
of "identity" or "group", and will have role_id
set instead
of id
, for use with the Roles resources.
3. Document Type
3.1. Permission Document
A permission document represents a single permission on the guest collection.
The DATA_TYPE
is "access" due to previous terminology.
{
"DATA_TYPE": "access",
"create_time": "2021-04-06T19:58:11+00:00",
"expiration_date": null,
"id": "ca761528-90da-11ec-bad3-cd8db799a66a",
"path": "/",
"permissions": "r",
"principal": "623568a4-3960-4836-be02-09366d201bcb",
"principal_type": "identity",
"role_id": null,
"role_type": null
}
Attempting to create a permission with the same principal_type
, principal
, and
path
as an existing permission on the guest collection will result in an "Exists"
error.
3.1.1. Fields
Field Name | JSON Type | Description |
---|---|---|
DATA_TYPE |
string |
Always has value "access" to indicate this document type. |
create_time |
ISO 8601 datetime string |
The time when this permission was created. Will be null for implicit permissions. |
expiration_date |
ISO 8601 datetime string |
If not If specified, must be earlier than
(the current time + When |
id |
string |
Unique id for this permission. Implicit permissions
from role assignments will have a null |
notify_email |
string |
When creating an identity permission, clients can optionally specify a valid email address to send notification to. This address should be known to belong to the identity being shared to, for example using Globus Auth to get the address associated with the identity id. Note that this will not be persisted as part of the permission, and can’t be set on update or other permission types. |
notify_message |
string |
If |
path |
string |
Absolute path to a directory the permission applies to. The path must begin and end with a slash, and can’t contain un-normalized components "/../" or "/./". paths beginning with "/~/" will be relative to the home directory if one exists on the file system. The path is limited to 2000 characters after encoding; in practice this means 2000 ascii characters and slightly less when unicode is present and must be encoded. |
permissions |
string |
What permissions to grant the principal specified in
|
principal |
string |
The subject of the permission; the interpretation
depends on
|
principal_type |
string |
Type of principal that the permission applies to. One of "identity", "group", "all_authenticated_users", or "anonymous". |
role_id |
string |
For an implicit permission from a role
assignment, this will be set to the id of the role.
|
role_type |
string |
If role_id is null, this is also null. Otherwise, this is the type of the role, either "administrator" or "access_manager". |
3.1.3. Identity permissions
Identity permissions apply to a single identity, indicated by a Globus Auth identity id.
When an identity permission is added, a notification email can optionally be sent to the email address associated with that user’s Globus account.
Group permissions
Group permissions specify a Globus group by id, and apply to all users in that group. Groups can be created and discovered with the Groups API.
4. Path Arguments
Name | Type | Description |
---|---|---|
collection_id |
string |
The |
permission_id |
string |
UUID of the permission. |
5. Common Query Parameters
Name | Description |
---|---|
fields |
Comma separated list of fields to include in the response. This can be used to save bandwidth on large list responses when not all fields are needed. |
6. Common Errors
The error code
can be found in the HTTP response body JSON document. See
error overview.
Code | HTTP Status | Description |
---|---|---|
EndpointNotFound[1] |
404 |
If <collection_id> not found. |
AccessRuleNotFound |
404 |
If <permission_id> is not found. |
NotSupported |
409 |
If <collection_id> is not a guest collection. |
PermissionDenied |
403 |
If you do not have permissions to view or modify permissions on <collection_id>. |
ServiceUnavailable |
503 |
If the service is down for maintenance. |
7. Operations
7.1. Get list of permissions
Get the list of permissions for a specified guest collection.
Requires an "access_manager", "administrator", or "restricted_administrator" effective role on the guest collection.
URL |
/endpoint/<collection_id>/access_list[1] |
---|---|
Method |
GET |
Response Body |
|
7.2. Get permission by id
Get a single permission for a specified guest collection by id.
Requires an "access_manager", "administrator", or "restricted_administrator" effective role on the guest collection.
URL |
/endpoint/<collection_id>/access/<permission_id>[1] |
---|---|
Method |
GET |
Response Body |
7.3. Create permission
Create a new permission on a specified guest collection.
The response contains the id of the newly created permission in the access_id
field.
Returns http status 201 and a result
document with code "Created" on success.
The notify_email
and notify_message
fields are optional and not persisted
as part of the access
document.
id
field of the access document must be omitted in create requests.
Requires the "access_manager" or "administrator" effective role on the guest collection.
URL |
/endpoint/<collection_id>/access[1] |
---|---|
Method |
POST |
Request Body |
|
Response Body |
|
7.3.1. Errors
Code | HTTP Status | Description |
---|---|---|
InvalidPath |
400 |
If the path specified in the permission is not valid or too long. |
LimitExceeded |
409 |
If the guest collection already has the maximum number of permissions. |
Exists |
409 |
If a permission with the same
|
7.4. Update permission
Update the permissions on an existing permission on a specified guest collection. Other fields may be omitted. If the id is present it must match the id in the URL.
Returns a result
document with code "Updated" on success, but checking that
the HTTP status code is 2xx is sufficient to verify success.
path
or other fields in the future, so
clients should make sure to use the correct value for the other fields
or omit them entirely.
Requires the "access_manager" or "administrator" effective role on the guest collection.
URL |
/endpoint/<collection_id>/access/<permission_id>[1] |
---|---|
Method |
PUT |
Request Body |
Access document |
Response Body |
|
7.5. Delete permission
Delete a single permission, specified by id.
Returns a result
document with code "Deleted" on success and HTTP status code
200, and an "AccessRuleNotFound" error if the permission has already been deleted. If
the client is using a retry loop, both should be accepted as success in case
the first successful attempt is disconnected after the request is processed but
before the response is received by the client.
Requires an "access_manager", "administrator", or "restricted_administrator" effective role on the guest collection.
URL |
/endpoint/<collection_id>/access/<permission_id>[1] |
---|---|
Method |
DELETE |
Request Body |
Empty |
Response Body |
|