Globus Connect Server Endpoint Role Create
Description
The globus-connect-server endpoint role create command creates a new role association to manage an endpoint. This is a premium feature---the endpoint must be managed by a subscription in order to create and use role-based authorization with a Globus Connect Server v5 endpoint.
When creating an endpoint role, this command takes two positional arguments: ROLE and PRINCIPAL.
The meanings of these arguments are:
- ROLE: The type of role to grant; one of administrator, activity_manager, or activity_monitor (see Endpoint Roles below).
- PRINCIPAL: The principal being granted the role's access. This may be a Globus user identity or a Globus group.
Endpoint Roles
administrator
A principal with this role on the endpoint has the following capabilities:
- View or modify the endpoint, even if it is not public
- View, add, delete or modify GCS Manager nodes which provide access to the endpoint
- View, add, or delete the custom DNS name for mapped collections
- View, add, modify, or delete the storage gateways provided by the endpoint
- View (public information only) or delete the user credentials registered with the endpoint
- View, delete or modify collections hosted by the endpoint
- View, add, delete or modify other role assignments on the endpoint or any of its collections
Because an administrator can add and modify other role assignments, this role amounts to full control of the endpoint and everything hosted on it; grant it sparingly and review its holders regularly.
Additionally, the endpoint administrator has the administrator role on the Transfer API for the endpoint's guest and mapped collections, so it may interact with parts of the Transfer Management API.
activity_manager
A principal with this role on the endpoint has the following capabilities:
- View the endpoint configuration, including storage gateways and their public policies
Additionally, the endpoint activity_manager has the activity_manager role on the Transfer API for the endpoint's guest and mapped collections, so it may interact with parts of the Transfer Management API.
activity_monitor
A principal with this role on the endpoint has the following capabilities:
- View the endpoint configuration, including storage gateways and their public policies
Additionally, the endpoint activity_monitor has the activity_monitor role on the Transfer API for the endpoint's guest and mapped collections, so it may interact with parts of the Transfer Management API.
Role Principals
A role may be assigned to either a Globus user identity or to a Globus group. You may choose which type of principal to use by including the --principal-type command line option with the argument identity or group. If not explicitly chosen, this command assumes that the principal is an identity.
When assigning a role to a single user, the PRINCIPAL value may be either the ID of the user's Globus identity, or the username property of that identity. In the latter case, the identity is resolved by querying the Globus Auth service, and the resolved ID, not the username, is stored in the role assignment. When assigning by username, use -F json and confirm that the principal in the returned role document is the identity you intended before relying on the assignment.
Options
- -h, --help: Show help message and exit.
- --version: Show the version and exit.
- --principal-type "identity"|"group": The type of principal to assign. Defaults to identity.
- -F, --format "text"|"json": Output format for this command. If the format is json, the resulting role document is displayed.
- --use-explicit-host IP_ADDRESS (new in 5.4.23): IP address of the GCS node to use for this request. If not specified, any available GCS node in the endpoint will be used.
Example
This example creates a new administrator role for a group by its ID:
globus-connect-server endpoint role create --principal-type group \
    administrator 35081edc-475d-4bfe-b230-c55c6ce160e5
This example creates a new activity_monitor role for a user and displays the resulting document:
globus-connect-server endpoint role create activity_monitor admin@example.edu -F json
{
"DATA_TYPE": "role#1.0.0",
"id": "251cba70-8568-11ea-ab13-0aeadf0d30f1",
"principal": "urn:globus:auth:identity:0723a736-7f6c-4284-b436-def991a7d330",
"role": "activity_monitor"
}
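The role document returned with -F json is the record you should check after any assignment, and the same document shape is what you would review when auditing who holds which role. The following Python script is an added example, not part of this page or of the Globus Connect Server project: it parses role documents of the form shown above, splits the principal URN into its type and UUID, validates the role name against the three roles documented here, and flags the one combination most worth a second look, an administrator role granted to a group (whoever manages the group's membership can then grant administrator to others). The identity URN prefix is taken from the output above; the group URN prefix (urn:globus:groups:id:) and the ability to feed a JSON list of documents are assumptions made for this example, and the sample input is constructed.

```python
import json
import re
from typing import Dict, List

# Roles documented for the endpoint, from most to least privileged.
ENDPOINT_ROLES = ("administrator", "activity_manager", "activity_monitor")

# Principal URN prefixes. The identity form appears in the -F json output on
# this page; the group form is an assumption made for this example.
IDENTITY_PREFIX = "urn:globus:auth:identity:"
GROUP_PREFIX = "urn:globus:groups:id:"

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed sample: the document from the page plus an assumed administrator
# assignment to a group, as an audit would see them.
SAMPLE_ROLES = """[
  {
    "DATA_TYPE": "role#1.0.0",
    "id": "251cba70-8568-11ea-ab13-0aeadf0d30f1",
    "principal": "urn:globus:auth:identity:0723a736-7f6c-4284-b436-def991a7d330",
    "role": "activity_monitor"
  },
  {
    "DATA_TYPE": "role#1.0.0",
    "id": "00000000-0000-4000-8000-000000000001",
    "principal": "urn:globus:groups:id:35081edc-475d-4bfe-b230-c55c6ce160e5",
    "role": "administrator"
  }
]"""


def parse_principal(urn: str) -> Dict[str, str]:
    """Split a role principal URN into its type ('identity' or 'group') and UUID."""
    if urn.startswith(IDENTITY_PREFIX):
        kind, ident = "identity", urn[len(IDENTITY_PREFIX):]
    elif urn.startswith(GROUP_PREFIX):
        kind, ident = "group", urn[len(GROUP_PREFIX):]
    else:
        raise ValueError(f"unrecognised principal URN: {urn!r}")
    if not UUID_RE.match(ident):
        raise ValueError(f"principal id is not a UUID: {ident!r}")
    return {"type": kind, "id": ident}


def audit_role(doc: Dict) -> List[str]:
    """Return findings for one role document; an empty list means nothing to flag."""
    findings: List[str] = []
    if doc.get("DATA_TYPE") != "role#1.0.0":
        findings.append(f"unexpected DATA_TYPE {doc.get('DATA_TYPE')!r}")
    role = doc.get("role")
    if role not in ENDPOINT_ROLES:
        findings.append(f"unknown role {role!r}")
    try:
        principal = parse_principal(doc.get("principal", ""))
    except ValueError as exc:
        return findings + [str(exc)]
    # administrator can add or modify other role assignments, so it is full
    # control of the endpoint; on a group, that control follows group membership.
    if role == "administrator" and principal["type"] == "group":
        findings.append(
            f"administrator granted to group {principal['id']}: "
            "group managers can effectively add further administrators"
        )
    return findings


def audit_roles(json_text: str) -> Dict[str, List[str]]:
    """Audit a single role document or a JSON list of them, keyed by role id."""
    data = json.loads(json_text)
    docs = data if isinstance(data, list) else [data]
    return {doc.get("id", "?"): audit_role(doc) for doc in docs}


if __name__ == "__main__":
    for role_id, findings in audit_roles(SAMPLE_ROLES).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{role_id}: {status}")
```

Run it as `python audit_roles.py`, or pass the -F json output of a role create into audit_roles() to verify the stored principal type and ID match what you intended before the assignment is relied upon.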