Globus Connect Server Collection Role Create
Description
The globus-connect-server collection role create command creates a new role association to manage a collection. This is a premium feature---the endpoint must be managed by a subscription in order to create and use role-based authorization with a Globus Connect Server v5 endpoint.
When creating a collection role, this command takes three positional arguments: COLLECTION_ID, ROLE and PRINCIPAL.
The meaning of these arguments is:
- COLLECTION_ID: The ID of the collection to which access is being granted.
- ROLE: The type of role being granted.
- PRINCIPAL: The principal being granted the role's access. This may be a user identity or a Globus group.
Collection Roles
administrator
A principal with this role on a collection has the following capabilities:
- view, modify, or delete the collection even if it is not public
- view, add, update, and delete role assignments on the collection
- all capabilities of the access_manager for this collection on the endpoint
- all capabilities of the activity_manager for all collections on the endpoint
- all capabilities of the activity_monitor for the collection
Additionally, the collection administrator has the administrator role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.
access_manager
A principal with this role on a guest collection has the following capabilities:
- View, add, and delete permissions on a guest collection.
Additionally, the collection administrator has the access_manager role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.
activity_manager
A principal with this role on a collection has the following capabilities:
- View the collection document even if it is not public
- View and control tasks and other endpoint activity to or from the collection. This includes all operations in the Advanced Endpoint Management API (view, pause/resume, cancel).
- View events, task pause info, pause rules, and permissions for storage gateways and collections on this endpoint.
Additionally, the collection administrator has the activity_manager role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.
activity_monitor
A principal with this role on a collection has the following capabilities for that collection:
- View the collection document even if it is not public
Additionally, the collection administrator has the activity_monitor role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.
Role Principals
A role may be assigned to either a Globus user identity or to a Globus group. You may choose which type of principal to use by including the --principal-type command line option with the argument identity or group. If not explicitly chosen, this command assumes that the principal is an identity.
When assigning a role to a single user, the PRINCIPAL value may be either the ID of the user's Globus identity or the username property of that identity. In the latter case, the identity is resolved by querying the Globus Auth service and the ID is stored in the role assignment.
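As an added example that is not part of the Globus Connect Server documentation or tooling, the following Python script reviews role documents in the JSON format this command prints (the input here is a constructed sample) against the role definitions above: it classifies each principal URN as an identity or a group, and reports administrator grants to groups and lower roles that a higher role held by the same principal already covers. The identity URN prefix comes from the example output on this page; the group URN prefix and the capability names are assumptions.

```python
import json
# Capabilities of each role as listed above; administrator covers the other three.
ROLE_CAPABILITIES = {
    "activity_monitor": {"view_collection"},
    "activity_manager": {"view_collection", "control_tasks", "view_events"},
    "access_manager": {"manage_permissions"},
    "administrator": {"view_collection", "control_tasks", "view_events",
                      "manage_permissions", "modify_collection", "manage_roles"},
}
IDENTITY_PREFIX = "urn:globus:auth:identity:"
GROUP_PREFIX = "urn:globus:groups:id:"  # assumed URN form for group principals
COLLECTION = "d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2"
# Constructed sample: role documents in the format of the command's -F json output.
SAMPLE_ROLES = json.dumps([
    {"DATA_TYPE": "role#1.0.0", "id": "role-1", "resource": COLLECTION, "role": "activity_monitor",
     "principal": IDENTITY_PREFIX + "0723a736-7f6c-4284-b436-def991a7d330"},
    {"DATA_TYPE": "role#1.0.0", "id": "role-2", "resource": COLLECTION, "role": "activity_manager",
     "principal": IDENTITY_PREFIX + "0723a736-7f6c-4284-b436-def991a7d330"},
    {"DATA_TYPE": "role#1.0.0", "id": "role-3", "resource": COLLECTION, "role": "administrator",
     "principal": GROUP_PREFIX + "35081edc-475d-4bfe-b230-c55c6ce160e5"},
])

def principal_type(principal):
    """Classify a principal URN as identity, group or unknown (group prefix is assumed)."""
    return ("identity" if principal.startswith(IDENTITY_PREFIX)
            else "group" if principal.startswith(GROUP_PREFIX) else "unknown")

def roles_by_principal(role_json, collection_id):
    """Map each principal to the set of role names it holds on one collection."""
    held = {}
    for doc in json.loads(role_json):
        if doc.get("DATA_TYPE") != "role#1.0.0" or doc["resource"] != collection_id:
            continue
        if doc["role"] not in ROLE_CAPABILITIES:
            raise ValueError("unknown role %r in %s" % (doc["role"], doc["id"]))
        held.setdefault(doc["principal"], set()).add(doc["role"])
    return held

def audit(role_json, collection_id):
    """Least-privilege findings: administrator held by a group (membership is managed
    outside the endpoint) and a role strictly covered by another role of the same principal."""
    findings = []
    for principal, roles in roles_by_principal(role_json, collection_id).items():
        if "administrator" in roles and principal_type(principal) == "group":
            findings.append("administrator granted to group " + principal)
        for low in roles:
            if any(ROLE_CAPABILITIES[low] < ROLE_CAPABILITIES[high] for high in roles):
                findings.append("%s for %s is covered by a higher role" % (low, principal))
    return sorted(findings)
```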
Options
- -h, --help: Show help message and exit.
- --version: Show the version and exit.
- --principal-type "identity"|"group": The type of principal to assign.
- -F, --format "text"|"json": Output format for this command. If the format is json, then the resulting role document is displayed.
- --use-explicit-host IP_ADDRESS (new in 5.4.23): IP address of the GCS node to use for this request. If not specified, any available GCS node in the endpoint will be used.
Example
This example creates a new administrator role for a group by its ID:
globus-connect-server collection role create d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2 \
    --principal-type group \
    administrator 35081edc-475d-4bfe-b230-c55c6ce160e5
This example creates a new activity_monitor role for a user and displays the resulting document:
globus-connect-server collection role create d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2 \
    activity_monitor admin@example.edu -F json
{
"DATA_TYPE": "role#1.0.0",
"id": "251cba70-8568-11ea-ab13-0aeadf0d30f1",
"principal": "urn:globus:auth:identity:0723a736-7f6c-4284-b436-def991a7d330",
"role": "activity_monitor",
"resource": "d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2"
}