
Globus Connect Server Auth Policy

Overview

The auth-policy commands manage authentication policies which can be used to enhance data access controls on GCS guest collections. Authentication policies are stored within the Globus Auth service and can be shared between GCS endpoints.

As of GCS 5.4.57, mapped collection admins may assign authentication policies to mapped collections in order to restrict which identity provider domains can be used to access guest collections. In this way, the mapped collection admin can place boundaries on with whom guest collection owners may share data. Note that this does not prevent guest collection owners from setting permissions for these domains. Instead, it filters which permissions (including guest collection owner or admin permissions) are considered when authorizing a user to access the guest collection.

An authentication policy defines the following criteria, which a user must meet to satisfy the policy and be granted access to the data.

Included Domains (Optional)

List of identity provider domains allowed for guest collection permissions. Users accessing the guest collection must have an identity from at least one of the included domains, and that identity must have a valid guest collection permission. If Included Domains is empty, all of the user’s guest collection permissions are considered. The domains may include wildcards, e.g. '*.edu'.

Excluded Domains (Optional)

List of identity provider domains not allowed for guest collection permissions. Any of the user’s guest collection permissions from Excluded Domains will not be considered for guest collection access. Any domain listed in both Included Domains and Excluded Domains will not be able to access the guest collection. The domains may include wildcards, e.g. '*.edu'.

The following option indicates the type of collection the policy will be used on.

High Assurance (Optional)

When a policy is set as high assurance, only permissions for identities from included identity provider domains which have been authenticated within the current session will be considered for guest collection access. A policy is required to be configured as high assurance in order to be placed on high assurance collections. Likewise, if the policy is not high assurance, it can only be used with regular collections. This setting is immutable.
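
The filtering rules above (Included Domains, Excluded Domains, High Assurance) can be modelled as follows. This is an added illustration, not Globus code: the names `AuthPolicy` and `considered_permissions`, the shell-style wildcard matching, the case-insensitive comparison, and the treatment of high assurance as a per-identity "authenticated in this session" flag are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class AuthPolicy:  # hypothetical model of the three settings described above
    included: list = field(default_factory=list)  # empty = no include filter
    excluded: list = field(default_factory=list)
    high_assurance: bool = False


def _matches(domain, patterns):
    # Assumption: shell-style wildcards, compared case-insensitively.
    d = domain.lower()
    return any(fnmatchcase(d, p.lower()) for p in patterns)


def considered_permissions(policy, identities, permissions):
    """Return the guest collection permissions the policy leaves in play.

    identities:  [(username, authenticated_in_current_session)] for one user
    permissions: [(username, access)] set on the guest collection
    """
    in_session = dict(identities)
    kept = []
    for username, access in permissions:
        if username not in in_session:
            continue  # permission belongs to a different user
        domain = username.rsplit("@", 1)[-1]
        if _matches(domain, policy.excluded):
            continue  # a domain in both lists is denied: exclusion wins
        if policy.included and not _matches(domain, policy.included):
            continue  # include list is set and this domain is not on it
        if policy.high_assurance and not in_session[username]:
            continue  # identity was not authenticated in this session
        kept.append((username, access))
    return kept


# Constructed sample data (not real accounts).
IDENTITIES = [("ana@uni.edu", True), ("ana@lab.gov", False),
              ("ana@mail.example", True)]
PERMISSIONS = [("ana@uni.edu", "r"), ("ana@lab.gov", "rw"),
               ("ana@mail.example", "rw"), ("bob@uni.edu", "rw")]

if __name__ == "__main__":
    policy = AuthPolicy(included=["*.edu", "*.gov"], excluded=["lab.gov"])
    print(considered_permissions(policy, IDENTITIES, PERMISSIONS))
```

Note that the permission entries themselves are untouched; the policy only decides which of them count at authorization time, so removing or loosening the policy makes previously filtered permissions effective again.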

Commands

globus-connect-server auth-policy create

Create a new authentication policy.

globus-connect-server auth-policy update

Update information about an authentication policy.

globus-connect-server auth-policy list

List authentication policies.

globus-connect-server auth-policy show

Show information about an authentication policy.

globus-connect-server auth-policy delete

Delete an authentication policy.

© 2010- The University of Chicago