Overview

The Globus Connect Server CLI and API support role-based authorization so that administrators can delegate the ability to perform administration tasks on an endpoint or a collection to others. A role may be assigned either to a Globus Auth user identity or to a Globus group; assigning it to a group grants that role to every member of the group.

Role Document

The "Role" document type represents the assignment of a role on an Endpoint or Collection to a Globus identity or group.

Fields (name, type, description):

DATA_TYPE (string: role#1.0.0)
    Type of this document.

id (string: uuid)
    Unique id string for this role assignment. This is system generated and should not be included in create requests.

collection (string: uuid)
    Collection id. This value is omitted when creating an endpoint role, and when role definitions are supplied as part of a collection create request.

principal (principal string matching ^(urn:globus:auth:identity|urn:globus:groups:id):[a-f0-9-]*$)
    Globus Auth identity URN or group id URN.

role (string: one of owner, administrator, access_manager, activity_manager, activity_monitor)
    Role assigned to the principal.

Example Role Document (the collection and principal ids below are placeholders)
{
  "DATA_TYPE": "role#1.0.0",
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "collection": "00000000-0000-0000-0000-000000000000",
  "principal": "urn:globus:auth:identity:00000000-0000-0000-0000-000000000000",
  "role": "activity_manager"
}
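As an added example (not part of the Globus documentation or of the globus-connect-server tool), a small Python checker that applies the Role document constraints above and flags owner/administrator roles granted to a group, which the Overview notes extend to every group member. The sample assignments and their uuids are constructed placeholders.

```python
import re

# Constraints taken from the Role document field list above.
ROLE_DATA_TYPE = "role#1.0.0"
PRINCIPAL_RE = re.compile(r"^(urn:globus:auth:identity|urn:globus:groups:id):[a-f0-9-]*$")
ROLES = {"owner", "administrator", "access_manager", "activity_manager", "activity_monitor"}


def validate_role_document(doc, create=False, endpoint_role=False):
    """Return the problems found in a Role document; an empty list means it is well formed.
    create=True: the document is for a create request, so the system 'id' must be absent.
    endpoint_role=True: an endpoint role, which must not carry a 'collection'."""
    errors = []
    if doc.get("DATA_TYPE") != ROLE_DATA_TYPE:
        errors.append(f"DATA_TYPE must be {ROLE_DATA_TYPE!r}")
    if create and "id" in doc:
        errors.append("id is system generated and must be omitted in create requests")
    if not create and "id" not in doc:
        errors.append("id is missing")
    if endpoint_role and "collection" in doc:
        errors.append("collection must be omitted for an endpoint role")
    if not endpoint_role and "collection" not in doc:
        errors.append("collection is required for a collection role")
    if not PRINCIPAL_RE.match(doc.get("principal", "")):
        errors.append("principal must be an identity or group URN")
    if doc.get("role") not in ROLES:
        errors.append("role must be one of: " + ", ".join(sorted(ROLES)))
    return errors


def group_admin_grants(docs):
    """Return (scope, principal) for each owner/administrator role held by a group: a group
    grants the role to all members, and administrators can change every other assignment."""
    return [(doc.get("collection", "endpoint"), doc["principal"]) for doc in docs
            if doc.get("role") in ("owner", "administrator")
            and doc.get("principal", "").startswith("urn:globus:groups:id:")]


# Constructed sample assignments; the uuids are placeholders, not real Globus ids.
COLL = "cccccccc-cccc-cccc-cccc-cccccccccccc"
SAMPLE_ROLES = [
    {"DATA_TYPE": "role#1.0.0", "id": "11111111-1111-1111-1111-111111111111",
     "principal": "urn:globus:auth:identity:aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "role": "administrator"},                       # endpoint role: no collection
    {"DATA_TYPE": "role#1.0.0", "id": "22222222-2222-2222-2222-222222222222",
     "collection": COLL, "role": "administrator",
     "principal": "urn:globus:groups:id:bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
    {"DATA_TYPE": "role#1.0.0", "id": "33333333-3333-3333-3333-333333333333",
     "collection": COLL, "role": "activity_monitor",
     "principal": "urn:globus:auth:identity:dddddddd-dddd-dddd-dddd-dddddddddddd"},
]
```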

Endpoint Roles

owner

The owner of the endpoint has the following capabilities:

  • View or modify the endpoint, even if it is not public.

  • View, add, delete or modify the GCS Manager nodes which provide access to the endpoint.

  • View, add, or delete the custom DNS name for mapped collections.

  • View, add, modify, or delete the storage gateways provided by the endpoint.

  • View (public information only) or delete the user credentials registered with the endpoint.

  • View, delete or modify collections hosted by the endpoint.

administrator

A principal with this role on the endpoint has all of the capabilities of the endpoint owner plus the following capabilities:

  • View, add, delete or modify other role assignments on the endpoint or any of its collections.

Additionally, the endpoint administrator has the administrator role on the Transfer API for the endpoint’s guest and mapped collections, so it may interact with parts of the Transfer Management API.

activity_manager

A principal with this role on the endpoint has the following capabilities:

  • View the endpoint configuration, including storage gateways and their public policies.

Additionally, the endpoint activity_manager has the activity_manager role on the Transfer API for the endpoint’s guest and mapped collections, so it may interact with parts of the Transfer Management API.

activity_monitor

A principal with this role on the endpoint has the following capabilities:

  • View the endpoint configuration, including storage gateways and their public policies.

Additionally, the endpoint activity_monitor has the activity_monitor role on the Transfer API for the endpoint’s guest and mapped collections, so it may interact with parts of the Transfer Management API.

Collection Roles

administrator

A principal with this role on a collection has the following capabilities:

  • View, modify, or delete the collection even if it is not public.

  • View, add, update, and delete role assignments on the collection.

  • All capabilities of the access_manager for this collection on the endpoint.

  • All capabilities of the activity_manager for all collections on the endpoint.

  • All capabilities of the activity_monitor for the collection.

Additionally, the collection administrator has the administrator role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

access_manager

A principal with this role on a guest collection has the following capabilities:

  • View, add, and delete access rules on a guest collection.

Additionally, the collection access_manager has the access_manager role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

activity_manager

A principal with this role on a collection has the following capabilities:

  • View the collection document even if it is not public

  • View and control tasks and other endpoint activity to or from the collection. This includes all operations in the Advanced Endpoint Management API (view, pause/resume, cancel).

  • View events, task pause info, pause rules, and ACLs for storage gateways and collections on this endpoint.

Additionally, the collection activity_manager has the activity_manager role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

activity_monitor

A principal with this role on a collection has the following capabilities for that collection:

  • View the collection document even if it is not public.

Additionally, the collection activity_monitor has the activity_monitor role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

Commands

globus-connect-server collection role create
globus-connect-server endpoint role create

Create a new role assignment for a collection or endpoint.

globus-connect-server collection role delete
globus-connect-server endpoint role delete

Delete a role assignment from a collection or endpoint.

globus-connect-server collection role list
globus-connect-server endpoint role list

List roles associated with a collection or endpoint.

globus-connect-server collection role show
globus-connect-server endpoint role show

Show a role associated with a collection or endpoint.
