Schemas

Result Document

This is the result envelope returned from all operations in this API. Each operation may add properties to this base document type with additional operation-specific data values. In some responses to GET requests, the has_next_page value will be set to true, and the marker value will be present. In those cases, repeat the original call, passing in the marker query parameter to retrieve the next page of response data.

Name	Type	Description
DATA_TYPE	string `result#1.0.0`	Type of this document.
http_response_code	integer	Numeric HTTP response code
code	string	String response code
detail		Machine readable response details
message	string	Message describing this result.
data	array (object)
has_next_page	boolean	Boolean flag indicating whether or not additional pages of response data may be requested by passing the marker to the same operation.
marker	string	Opaque marker that may be passed to this API call to fetch the next page of results if the returned document has `has_next_page` set to true.

{
  "code": "bad_request",
  "message": "Invalid input",
  "DATA_TYPE": "result#1.0.0",
  "has_next_page": false
}

PathRestrictions Document

This object represents the path restrictions for a storage gateway or a sharing path restrictions for a mapped collection.

The values of each of the path lists in this object are interpreted using the POSIX pattern matching notation as described in fnmatch(3) with flags set to 0 with additional support for some special user-specific value interpolation:

~
$HOME: The user’s home directory if the storage gateway supports such a concept, / otherwise
$USER: The effective Storage Gateway-specific username that is being used for data access. For a Guest Collection, this is the username of the identity that created the Guest Collection.

These restrictions are evaluated at every data access. When evaluating restrictions, the user-specific interpolation is applied before the file name matching is evaluated.

Globus Connect Server evaluates its path restrictions from longest leading expression match to shortest. When pattern matching characters are present, they are considered as a lower priority match than a literal character, with more specific pattern characters given precedence. The precedence is thus literal character, bracket expression, ? (single-character wildcard), * (wildcard).

If multiple path restrictions apply, all matches are applied from longest to shortest, with the following rules for overriding values:

longer restriction	shorter restriction	result
read_write	read	read_write
read_write	none	read_write
read	read_write	read_write
read	none	read
none	read_write	none
none	read	none

Name	Type	Description
DATA_TYPE	string `path_restrictions#1.0.0`	Type of this document.
read	array (string)	List of paths which are allowed read-only access.
read_write	array (string)	List of paths which are allowed read-write access.
none	array (string)	List of paths which are denied any access.

{
  "DATA_TYPE": "path_restrictions#1.0.0",
  "read": [
    "/public"
  ],
  "read_write": [
    "/home",
    "/projects"
  ],
  "none": [
    "/private"
  ]
}

Info Document

This document contains information about the Globus Connect Server, including its software and supported API version number.

Name	Type	Description
DATA_TYPE	string `info#1.0.0`	Type of this document
manager_version	string `^(0\|[1-9][0-9])\\.(0\|[1-9][0-9])\\.(0\|[1-9][0-9]*)$`	Globus Connect Server Manager Software version.
api_version	string `^(0\|[1-9][0-9])\\.(0\|[1-9][0-9])\\.(0\|[1-9][0-9])(-.)?$`	Semantic version of the Globus Connect Server API.
client_id	string <uuid>	Client ID which created the endpoint.
endpoint_id	string <uuid>	Transfer endpoint ID managed by this GCS Manager.
domain_name	string <hostname>	DNS Domain name for the GCS Manager service.

{
  "DATA_TYPE": "info#1.0.0",
  "manager_version": "5.4.0",
  "api_version": "1.0.0",
  "client_id": "8668e52f-7e2b-4f84-a03d-945a5ad15e38",
  "endpoint_id": "a0708a2f-6ccf-491f-a0a1-02db5f397cc3",
  "domain_name": "123f2.data.globus.org"
}

Connector Document

Connector extension definition object

Name	Type	Description
DATA_TYPE	string `connector#1.0.0`	Type of this document
display_name	string	Friendly name for the connector.
id	string <uuid>	UUID of this connector type.
version	string `^(0\|[1-9][0-9])\\.(0\|[1-9][0-9])\\.(0\|[1-9][0-9])(-.)?$`	Semantic version of this connector implementation.

{
  "DATA_TYPE": "connector#1.0.0",
  "display_name": "POSIX",
  "id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "version": "1.0.0"
}

Endpoint Document

A Globus Connect Server endpoint is a deployment of Globus Connect Server version 5. A single endpoint may optionally include multiple data transfer nodes. The endpoint provides a link between a Globus Connect Server deployment and the Globus Transfer service. The endpoint describes services for accessing data via GridFTP and HTTPS and also for configuring and managing the policies associated with that access.

Name	Type	Description
DATA_TYPE	string `endpoint#1.0.0`	Type of this document
public	boolean	Flag indicating whether this endpoint is visible to all other Globus users. If false, only users which have been granted a role on the endpoint or one of its collections, or belong to a domain allowed access to any of its storage gateways may view it.
id	string <uuid>	Unique identifier string for the endpoint.
display_name	string	Friendly name for the endpoint, not unique. Unicode string, no new lines (`\r` or `\n`). Searchable.
gcs_manager_url	string <uri>	URL of the GCS Manager API service for this endpoint.
subscription_id	string anyOf { <uuid>, `DEFAULT` }	The UUID of the subscription that is managing this endpoint. This may be the special value `DEFAULT` when using this as input to PATCH or PUT to use the caller’s default subscription id.
network_use	string `normal`, `minimal`, `aggressive`, `custom`	Allowed values for network_use are: normal The default setting. Uses an average level of concurrency and parallelism. The levels depend on the number of physical servers in the endpoint. minimal Uses a minimal level of concurrency and parallelism. aggressive Uses a high level of concurrency and parallelism. custom Uses custom values of concurrency and parallelism set by the endpoint admin. When setting this level, you must also set the max_concurrency, preferred_concurrency, max_parallelism, and preferred_parallelism options.
max_concurrency	integer	Admin-specified value when the network_use property’s value is `custom`; otherwise the preset value for the specified network_use.
preferred_concurrency	integer	Admin-specified value when the network_use property’s value is `custom`; otherwise the preset value for the specified network_use.
max_parallelism	integer	Admin-specified value when the network_use property’s value is `custom`; otherwise the preset value for the specified network_use.
preferred_parallelism	integer	Admin-specified value when the network_use property’s value is `custom`; otherwise the preset value for the specified network_use.
organization	string	Organization that runs the server(s) represented by the endpoint. Optional to preserve backward compatibility, but will eventually be required and all clients are encouraged to require users to specify it. Unicode string, max 1024 characters, no new lines.
department	string	Department within organization that runs the server(s). Searchable. Optional. Unicode string, max 1024 characters, no new lines.
keywords	array (string)	List of search keywords for the endpoint. Optional. Unicode string, max 1024 characters total across all strings.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the server(s) represented by the endpoint.
contact_info	string	Other non-email contact information for the endpoint, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint. The administrator is responsible for running a website at this URL and verifying that it is accepting public connections.
allow_udt	boolean	Allow data transfer on this endpoint using the UDT protocol.

{
  "DATA_TYPE": "endpoint#1.0.0",
  "public": true,
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "display_name": "string",
  "gcs_manager_url": "https://gcs.data.globus.org/",
  "subscription_id": "2d99530d-3b20-44cb-94d3-61d8f85cd896",
  "network_use": "normal",
  "max_concurrency": 1,
  "preferred_concurrency": 1,
  "max_parallelism": 1,
  "preferred_parallelism": 1,
  "organization": "string",
  "department": "string",
  "keywords": [
    "string"
  ],
  "description": "string",
  "contact_email": "user@example.com",
  "contact_info": "string",
  "info_link": "http://example.com",
  "allow_udt": false
}

Role Document

The "Role" document type represents the assignment of a role on an Endpoint or Collection to a Globus identity or group.

Name	Type	Description
DATA_TYPE	string `role#1.0.0`	Type of this document
id	string <uuid>	Unique id string for this role assignment. This is system generated and should not be included in create requests.
collection	string <uuid>	Collection Id. This value is omitted when creating an endpoint role or when creating role definitions when creating collections.
principal	string `^(urn:globus:auth:identity\|urn:globus:groups:id):[a-f0-9-]*$`	Auth identity or group id URN.
role	string `owner`, `administrator`, `access_manager`, `activity_manager`, `activity_monitor`	Role assigned to the principal.

{
  "DATA_TYPE": "role#1.0.0",
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "collection": "65986b24-c0b1-41fa-b21f-4a319273f511",
  "principal": "string",
  "role": "owner"
}

Node (v1.0.0) Properties Document

Name	Type	Description
id	string <uuid>	Unique id string for this node. This is system generated and should not be included in create requests.
ip_addresses	array (string)	IP addresses of the node.
status	string `active`, `inactive`	Current status of the Node. If a Node is marked inactive, it will be removed from the DNS entries for this endpoint and will return an error on any attempt to use the Manager API or attempt a Transfer using this node.
incoming_port_range	array (integer)	Allowed port range for incoming TCP data connections.
outgoing_port_range	array (integer)	Port range used as the source for outgoing TCP data connections.

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ]
}

Node (v1.1.0) Properties Document

Name	Type	Description
data_interface	string One of { <ipv4>, <ipv6> }	IP address for data transfers.

{
  "data_interface": "192.168.44.2"
}

Node 1.0.0 Document

Name	Type	Description
id	string <uuid>	Unique id string for this node. This is system generated and should not be included in create requests.
ip_addresses	array (string)	IP addresses of the node.
status	string `active`, `inactive`	Current status of the Node. If a Node is marked inactive, it will be removed from the DNS entries for this endpoint and will return an error on any attempt to use the Manager API or attempt a Transfer using this node.
incoming_port_range	array (integer)	Allowed port range for incoming TCP data connections.
outgoing_port_range	array (integer)	Port range used as the source for outgoing TCP data connections.
DATA_TYPE	string `node#1.0.0`	Type of this document

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ],
  "DATA_TYPE": "node#1.0.0"
}

Node 1.1.0 Document

Name	Type	Description
id	string <uuid>	Unique id string for this node. This is system generated and should not be included in create requests.
ip_addresses	array (string)	IP addresses of the node.
status	string `active`, `inactive`	Current status of the Node. If a Node is marked inactive, it will be removed from the DNS entries for this endpoint and will return an error on any attempt to use the Manager API or attempt a Transfer using this node.
incoming_port_range	array (integer)	Allowed port range for incoming TCP data connections.
outgoing_port_range	array (integer)	Port range used as the source for outgoing TCP data connections.
data_interface	string One of { <ipv4>, <ipv6> }	IP address for data transfers.
DATA_TYPE	string `node#1.1.0`	Type of this document

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ],
  "data_interface": "192.168.44.2",
  "DATA_TYPE": "node#1.1.0"
}

Node Document

Services for Globus Connect Server endpoints may be deployed on multiple different physical resources, referred to as Data Transfer Nodes. Each node may have one or more IP addresses, TCP incoming and outgoing port ranges, and a status value indicating whether it is configured to actively respond to requests or is in maintenance mode.

Name	Type	Description
Node	Node One of { Node 1.0.0 , Node 1.1.0 }	Services for Globus Connect Server endpoints may be deployed on multiple different physical resources, referred to as Data Transfer Nodes. Each node may have one or more IP addresses, TCP incoming and outgoing port ranges, and a status value indicating whether it is configured to actively respond to requests or is in maintenance mode.

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ],
  "DATA_TYPE": "node#1.0.0"
}

StorageGateway (v1.0.0) Properties Document

Name	Type	Description
id	string <uuid>	Unique id string for this Storage Gateway.
display_name	string	Name of the Storage Gateway.
connector_id	string <uuid>	Id of the connector type that this Storage Gateway interacts with.
high_assurance	boolean	Flag indicating if the storage_gateway requires high assurance features.
require_high_assurance (deprecated)	boolean	Alias for high_assurance.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway. For a high assurance Storage Gateway, this must be done within the current Globus Auth session, otherwise, the caller can perform the authentication with any application which uses Globus Auth.
authentication_assurance_timeout (deprecated)	integer	Alias for authentication_timeout_mins.
allowed_domains	array (string)	List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.
identity_mappings	array ( IdentityMapping )	List of identity mappings to attempt to apply to user identities to determine what accounts are available for access.[Private]
users_allow	array (string)	List of connector-specific usernames allowed to access this Storage Gateway.[Private]
users_deny	array (string)	List of connector-specific usernames denied access to this Storage Gateway.[Private]
restrict_paths	One of { object PathRestrictions }	Path restrictions within this Storage Gateway. paths are interpreted as absolute paths in the file namespace of the connector.[Private]
process_user	string	Local POSIX user the GridFTP server should run as when accessing this Storage Gateway.[Private]
load_dsi_module	string	NAme of the DSI module to load by the GridFTP server when accessing this Storage Gateway.[Private]
policies	One of { BlackPearlStoragePolicies , object BoxStoragePolicies , object CephStoragePolicies , GoogleDriveStoragePolicies , GoogleCloudStoragePolicies , IrodsStoragePolicies , PosixStoragePolicies , PosixStagingStoragePolicies , object S3StoragePolicies , object }	Connector-specific storage policies.

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "blackpearl_storage_policies#1.0.0",
    "s3_endpoint": "http://blackpearl.example.org:8080",
    "bp_access_id_file": "/etc/blackpearl/access-id-file"
  }
}

StorageGateway (v1.1.0) Properties Document

Name	Type	Description
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only usable on high assurance storage gateways.

{
  "require_mfa": true
}

StorageGateway 1.0.0 Document

Name	Type	Description
id	string <uuid>	Unique id string for this Storage Gateway.
display_name	string	Name of the Storage Gateway.
connector_id	string <uuid>	Id of the connector type that this Storage Gateway interacts with.
high_assurance	boolean	Flag indicating if the storage_gateway requires high assurance features.
require_high_assurance (deprecated)	boolean	Alias for high_assurance.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway. For a high assurance Storage Gateway, this must be done within the current Globus Auth session, otherwise, the caller can perform the authentication with any application which uses Globus Auth.
authentication_assurance_timeout (deprecated)	integer	Alias for authentication_timeout_mins.
allowed_domains	array (string)	List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.
identity_mappings	array ( IdentityMapping )	List of identity mappings to attempt to apply to user identities to determine what accounts are available for access.[Private]
users_allow	array (string)	List of connector-specific usernames allowed to access this Storage Gateway.[Private]
users_deny	array (string)	List of connector-specific usernames denied access to this Storage Gateway.[Private]
restrict_paths	One of { object PathRestrictions }	Path restrictions within this Storage Gateway. paths are interpreted as absolute paths in the file namespace of the connector.[Private]
process_user	string	Local POSIX user the GridFTP server should run as when accessing this Storage Gateway.[Private]
load_dsi_module	string	NAme of the DSI module to load by the GridFTP server when accessing this Storage Gateway.[Private]
policies	One of { BlackPearlStoragePolicies , object BoxStoragePolicies , object CephStoragePolicies , GoogleDriveStoragePolicies , GoogleCloudStoragePolicies , IrodsStoragePolicies , PosixStoragePolicies , PosixStagingStoragePolicies , object S3StoragePolicies , object }	Connector-specific storage policies.
DATA_TYPE	string `storage_gateway#1.0.0`	Type of this document

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "blackpearl_storage_policies#1.0.0",
    "s3_endpoint": "http://blackpearl.example.org:8080",
    "bp_access_id_file": "/etc/blackpearl/access-id-file"
  },
  "DATA_TYPE": "storage_gateway#1.0.0"
}

StorageGateway 1.1.0 Document

Name	Type	Description
id	string <uuid>	Unique id string for this Storage Gateway.
display_name	string	Name of the Storage Gateway.
connector_id	string <uuid>	Id of the connector type that this Storage Gateway interacts with.
high_assurance	boolean	Flag indicating if the storage_gateway requires high assurance features.
require_high_assurance (deprecated)	boolean	Alias for high_assurance.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway. For a high assurance Storage Gateway, this must be done within the current Globus Auth session, otherwise, the caller can perform the authentication with any application which uses Globus Auth.
authentication_assurance_timeout (deprecated)	integer	Alias for authentication_timeout_mins.
allowed_domains	array (string)	List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.
identity_mappings	array ( IdentityMapping )	List of identity mappings to attempt to apply to user identities to determine what accounts are available for access.[Private]
users_allow	array (string)	List of connector-specific usernames allowed to access this Storage Gateway.[Private]
users_deny	array (string)	List of connector-specific usernames denied access to this Storage Gateway.[Private]
restrict_paths	One of { object PathRestrictions }	Path restrictions within this Storage Gateway. paths are interpreted as absolute paths in the file namespace of the connector.[Private]
process_user	string	Local POSIX user the GridFTP server should run as when accessing this Storage Gateway.[Private]
load_dsi_module	string	NAme of the DSI module to load by the GridFTP server when accessing this Storage Gateway.[Private]
policies	One of { BlackPearlStoragePolicies , object BoxStoragePolicies , object CephStoragePolicies , GoogleDriveStoragePolicies , GoogleCloudStoragePolicies , IrodsStoragePolicies , PosixStoragePolicies , PosixStagingStoragePolicies , object S3StoragePolicies , object }	Connector-specific storage policies.
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only usable on high assurance storage gateways.
DATA_TYPE	string `storage_gateway#1.1.0`	Type of this document

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "blackpearl_storage_policies#1.0.0",
    "s3_endpoint": "http://blackpearl.example.org:8080",
    "bp_access_id_file": "/etc/blackpearl/access-id-file"
  },
  "require_mfa": true,
  "DATA_TYPE": "storage_gateway#1.1.0"
}

StorageGateway Document

A storage gateway provides the access policies for the endpoint’s connected storage systems. It is a named interface by which authorized users can create and manage collections on the connected storage system. A single storage system may be associated with multiple storage gateways, each with its own policies.

Storage gateway policies describe what type connector the storage gateway uses, the paths it allows access to, the login requirements are for the storage gateway, and the algorithm to map Globus identities to the user namespace of the storage gateway (e.g. local accounts).

Name	Type	Description
StorageGateway	StorageGateway One of { StorageGateway 1.0.0 , StorageGateway 1.1.0 }	A storage gateway provides the access policies for the endpoint’s connected storage systems. It is a named interface by which authorized users can create and manage collections on the connected storage system. A single storage system may be associated with multiple storage gateways, each with its own policies. Storage gateway policies describe what type connector the storage gateway uses, the paths it allows access to, the login requirements are for the storage gateway, and the algorithm to map Globus identities to the user namespace of the storage gateway (e.g. local accounts).

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "blackpearl_storage_policies#1.0.0",
    "s3_endpoint": "http://blackpearl.example.org:8080",
    "bp_access_id_file": "/etc/blackpearl/access-id-file"
  },
  "DATA_TYPE": "storage_gateway#1.0.0"
}

UserCredential Document

Credential information for an identity on a particular Storage Gateway and its related collections.

Name	Type	Description
DATA_TYPE	string `user_credential#1.0.0`	Type of this document
id	string <uuid>	Unique id string for this User Credential
identity_id	string <uuid>	Globus Auth identity id that this credential is associated with.
connector_id	string <uuid>	Connector that this credential is used with.
username	string	Connector-specific username that this credential is associated with. If the connector supports identity mapping, this matches the result of the mapping applied to identity_id.
display_name	string	Display name of the credential.
storage_gateway_id	string	Storage Gateway this credential is associated with.
home_directory	string	The home directory of this account associated with this credential.[Private]
invalid	boolean	Flag indicating that this credential is no longer valid.
provisioned	boolean	Flag indicating that this credential has been fully provisioned. If this is false and the invalid property is true, then the credential was created during login and patching it to add the missing data should be presented to the user as initializing the credential.
policies	One of { BlackPearlUserCredentialPolicies , object BoxUserCredentialPolicies , object CephUserCredentialPolicies , object GoogleDriveUserCredentialPolicies , GoogleCloudStorageUserCredentialPolicies , IrodsUserCredentialPolicies , PosixUserCredentialPolicies , PosixStagingUserCredentialPolicies , object S3UserCredential , object }	Connector-specific user credential policies.

{
  "DATA_TYPE": "user_credential#1.0.0",
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "username": "testuser",
  "display_name": "Test User",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "home_directory": "/home/user",
  "invalid": true,
  "provisioned": true,
  "policies": {
    "DATA_TYPE": "blackpearl_user_credential_policies#1.0.0",
    "access_id": "amFzb25hbHQ=",
    "secret_key": "K9YxrEaj"
  }
}

Account Document

User account information for a particular Storage Gateway.

Name	Type	Description
DATA_TYPE	string `account#1.0.0`	Type of this document.
username	string	Connector-specific local username.
storage_gateway_id	string <uuid>	Storage Gateway for which this account is valid.
identity_id	string <uuid>	Globus Auth identity which maps to this account.

{
  "DATA_TYPE": "account#1.0.0",
  "username": "testuser",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
}

Owner Document

Owner document.

Name	Type	Description
DATA_TYPE	string `endpoint_owner#1.0.0`	Type of this document
identity_id	string <uuid>	Auth identity ID of the endpoint owner

{
  "DATA_TYPE": "endpoint_owner#1.0.0",
  "identity_id": "011a42b9-62d7-49eb-8328-c2e454af88a1"
}

EndpointSubscription Document

Endpoint subscription request document

Name	Type	Description
DATA_TYPE	string `endpoint_subscription#1.0.0`	Type of this document
subscription_id	One of { string <uuid>, string `DEFAULT` }	Either the UUID of a Globus subscription or the special value "DEFAULT" if the caller has only one subscription associated with their identity set.

{
  "DATA_TYPE": "endpoint_subscription#1.0.0",
  "subscription_id": "2d99530d-3b20-44cb-94d3-61d8f85cd896"
}

Collection (v1.0.0) Properties Document

Common data for both mapped and guest collection documents.

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {}
}

Collection (v1.1.0) Properties Document

Added in API v1.1.0, this adds support for user_message, user_message_link, and conditionally disabling the HTTPS service for managed endpoints.

Name	Type	Description
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

{
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/"
}

Collection (v1.4.0) Properties Document

Added in API v1.7.0, this adds support for require_mfa.

Name	Type	Description
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

{
  "require_mfa": true,
  "force_verify": false
}

Collection 1.5.0 Properties Document

Added in API v1.8.0, this adds support for disabling anonymous write acls.

Name	Type	Description
disable_anonymous_writes	boolean	Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)

{
  "disable_anonymous_writes": false
}

BaseCollection 1.0.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
DATA_TYPE	string `collection#1.0.0`

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "DATA_TYPE": "collection#1.0.0"
}

BaseCollection 1.1.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
DATA_TYPE	string `collection#1.1.0`

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.1.0"
}

BaseCollection 1.2.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
DATA_TYPE	string `collection#1.2.0`

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.2.0"
}

BaseCollection 1.4.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.
DATA_TYPE	string `collection#1.4.0`

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "DATA_TYPE": "collection#1.4.0"
}

BaseCollection 1.5.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.
disable_anonymous_writes	boolean	Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)
DATA_TYPE	string `collection#1.5.0`

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "disable_anonymous_writes": false,
  "DATA_TYPE": "collection#1.5.0"
}

Mapped Collection Properties Document

Name	Type	Description
collection_type	`mapped`
allow_guest_collections	boolean	Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

{
  "collection_type": "mapped",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Mapped Collection 1.2.0 Properties Document

Added in API v1.2.0, this adds support for sharing_users_allow and sharing_users_deny.

Name	Type	Description
sharing_users_allow	array (string)	List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]
sharing_users_deny	array (string)	List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

{
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection 1.0.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `mapped`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
DATA_TYPE	string `collection#1.0.0`
allow_guest_collections	boolean	Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "DATA_TYPE": "collection#1.0.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Mapped Collection 1.1.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `mapped`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
DATA_TYPE	string `collection#1.1.0`
allow_guest_collections	boolean	Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.1.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Mapped Collection 1.2.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `mapped`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
DATA_TYPE	string `collection#1.2.0`
allow_guest_collections	boolean	Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]
sharing_users_allow	array (string)	List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]
sharing_users_deny	array (string)	List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.2.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection 1.4.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `mapped`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.
DATA_TYPE	string `collection#1.4.0`
allow_guest_collections	boolean	Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]
sharing_users_allow	array (string)	List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]
sharing_users_deny	array (string)	List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "DATA_TYPE": "collection#1.4.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection 1.5.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `mapped`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.
disable_anonymous_writes	boolean	Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)
DATA_TYPE	string `collection#1.5.0`
allow_guest_collections	boolean	Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]
sharing_users_allow	array (string)	List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]
sharing_users_deny	array (string)	List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "disable_anonymous_writes": false,
  "DATA_TYPE": "collection#1.5.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection Document

A mapped collection allows access to data for users who have accounts in the storage gateway’s user space (or local account). The collection uses the identity mapping method configured on the storage gateway to map the Globus account of the user accessing the collection to an account in the Storage Gateway’s user space. All accesses to the data on the collection are performed using the local account and (if needed for the storage gateway) the account’s credentials.

Mapped collections can only be created by those with an administrator or owner role on the Endpoint, and can be created against any storage gateway that exists on the endpoint.

In addition, a mapped collection has optional properties to allow users to share data. The properties allow_guest_collections and sharing_restrict_paths configure the sharing option. These options are only allowed on endpoints covered under a subscription.

Globus Connect Server v5.4.18 introduces APIs to manage user-specific sharing path restrictions.

Name	Type	Description
MappedCollection	Mapped Collection One of { Mapped Collection 1.0.0 , Mapped Collection 1.1.0 , Mapped Collection 1.2.0 , Mapped Collection 1.4.0 , Mapped Collection 1.5.0 }	A mapped collection allows access to data for users who have accounts in the storage gateway’s user space (or local account). The collection uses the identity mapping method configured on the storage gateway to map the Globus account of the user accessing the collection to an account in the Storage Gateway’s user space. All accesses to the data on the collection are performed using the local account and (if needed for the storage gateway) the account’s credentials. Mapped collections can only be created by those with an `administrator` or `owner` role on the Endpoint, and can be created against any storage gateway that exists on the endpoint. In addition, a mapped collection has optional properties to allow users to share data. The properties allow_guest_collections and sharing_restrict_paths configure the sharing option. These options are only allowed on endpoints covered under a subscription. Globus Connect Server v5.4.18 introduces APIs to manage user-specific sharing path restrictions.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  },
  "DATA_TYPE": "collection#1.0.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Guest Collection Properties Document

Name	Type	Description
collection_type	`guest`
user_credential_id	string <uuid>	The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.
mapped_collection_id	string <uuid>	Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related sharing (`allow_guest_collections`, `sharing_restrict_paths`) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.
policies	One of { BlackPearlCollectionPolicies , object BoxCollectionPolicies , object CephCollectionPolicies , object GoogleDriveCollectionPolicies , object GoogleCloudStorageCollectionPolicies , IrodsCollectionPolicies , PosixGuestCollectionPolicies , PosixStagingGuestCollectionPolicies , object S3CollectionPolicies , object }

{
  "collection_type": "guest",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185",
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  }
}

Guest Collection 1.0.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `guest`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
DATA_TYPE	string `collection#1.0.0`
user_credential_id	string <uuid>	The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.
mapped_collection_id	string <uuid>	Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related sharing (`allow_guest_collections`, `sharing_restrict_paths`) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "DATA_TYPE": "collection#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.1.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `guest`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
DATA_TYPE	string `collection#1.1.0`
user_credential_id	string <uuid>	The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.
mapped_collection_id	string <uuid>	Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related sharing (`allow_guest_collections`, `sharing_restrict_paths`) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.1.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.2.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `guest`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
DATA_TYPE	string `collection#1.2.0`
user_credential_id	string <uuid>	The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.
mapped_collection_id	string <uuid>	Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related sharing (`allow_guest_collections`, `sharing_restrict_paths`) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.2.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.4.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `guest`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.
DATA_TYPE	string `collection#1.4.0`
user_credential_id	string <uuid>	The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.
mapped_collection_id	string <uuid>	Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related sharing (`allow_guest_collections`, `sharing_restrict_paths`) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "DATA_TYPE": "collection#1.4.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.5.0 Document

Name	Type	Description
id	string <uuid>	Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.
manager_url	string <uri>	URL of the GCS Manager API service for the endpoint hosting this collection.
domain_name	string <hostname>	DNS name of the virtual host serving this collection. For mapped collections with do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with `m-` or `g-`.
high_assurance	boolean	Flag indicating if this collection is created on a high assurance Storage Gateway.
https_url	string <uri>	HTTPS URL for the data on this collection.
tlsftp_url	string <uri>	TLSFTP URL for the data on this collection.
collection_type	string `guest`	Type of collection. A `mapped` collection requires an account on the system to access the administrator-defined collection. A `guest` collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.
display_name	string	Friendly name for the collection. Unicode string, max 128 characters, no new lines (`\r` or `\n`).
connector_id	string <uuid>	Id of the connector type that is used by this collection.
identity_id	string <uuid>	Globus Auth identity to who acts as the owner of this collection. This identity is an `administrator` on the collection.
storage_gateway_id	string <uuid>	Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.
root_path	string `^\\/.*`	Absolute root path of the collection. All data access is done relative to this path.[Private]
collection_base_path	string `^\\/.*`	Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a relative path relative to the value of the `root_path` attribute on the mapped collection with the same Id as the `mapped_collection_id` property. This may not be changed once the collection is created.[Private]
default_directory	string `^(/.)\|($HOME(/.))`	Default directory when accessing the collection. This may include the special string `$USER` which is evaluated at access time to be the connector-specific username accessing the data. If the collection is mapped collection with a collection_base_path value of `/`, this value can also begin with the values `/~/` and `$HOME`, which are replaced by the user’s home directory, or `/` if the connector does not support the concept of a home directory.[Private]
public	boolean	Flag indicating whether this collection is visible to other Globus users.
force_encryption	boolean	Flag indicating whether all data transfers to and from this collection are always encrypted. New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.
disable_verify	boolean	Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.
organization	string	Organization that maintains the collection.
department	string	Department within organization that runs the server(s).
keywords	array (string)	List of search keywords for the collection.
description	string	A description of the endpoint.
contact_email	string <email>	Email address of the support contact for the collection.
contact_info	string	Other non-email contact information for the collection, e.g. phone and mailing address.
info_link	string <uri>	Link to a web page with more information about the endpoint.
authentication_timeout_mins	integer	Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.
policies	object	Connector-specific collection policies.
enable_https	boolean	Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)
user_message	string	A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
user_message_link	string <uri>	Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)
require_mfa	boolean	Flag indicating if the storage_gateway requires multi- factor authentication. Only applies to high assurance storage gateways.
force_verify	boolean	Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.
disable_anonymous_writes	boolean	Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)
DATA_TYPE	string `collection#1.5.0`
user_credential_id	string <uuid>	The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.
mapped_collection_id	string <uuid>	Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related sharing (`allow_guest_collections`, `sharing_restrict_paths`) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "disable_anonymous_writes": false,
  "DATA_TYPE": "collection#1.5.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection Document

A guest collection is a collection that uses an existing mapped collection and adds the ability of a user to share access to their data on that collection. All access to the data is performed using the account of the user who created the guest collection. That user can also add entries to an access control list to allow others to access some parts of the guest collection owner’s data.

A guest collection document has additional properties mapped_collection_id and user_credential_id to describe the relationship between the collection and a mapped collection where it was created and the credential used for data access.

Name	Type	Description
GuestCollection	Guest Collection One of { Guest Collection 1.0.0 , Guest Collection 1.1.0 , Guest Collection 1.2.0 , Guest Collection 1.4.0 , Guest Collection 1.5.0 }	A guest collection is a collection that uses an existing mapped collection and adds the ability of a user to share access to their data on that collection. All access to the data is performed using the account of the user who created the guest collection. That user can also add entries to an access control list to allow others to access some parts of the guest collection owner’s data. A guest collection document has additional properties mapped_collection_id and user_credential_id to describe the relationship between the collection and a mapped collection where it was created and the credential used for data access.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  },
  "DATA_TYPE": "collection#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Collection Document

Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS.

A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration on the Data Transfer Nodes to access the collection data. Globus Connect Server version 5 supports two types of collections: mapped and guest.

Name

Type

Description

Collection

anyOf {

Guest Collection , Mapped Collection }

Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  },
  "DATA_TYPE": "collection#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

ExternalIdentityMapping Document

The ExternalIdentityMapping defines the path and arguments of an external program to map an identity to a storage-gateway specific user account name. The specified command will be called to map Globus Auth identity data to a connector-specific list of account names.

Name	Type	Description
DATA_TYPE	string `external_identity_mapping#1.0.0`	Type of this document
command	array (string)	The mapping command and its command-line arguments. In addition to these arguments, the following will also be passed to the program. -c `CONNECTOR_ID` The ID of the connector that the mapping is being done in the context of. -s `STORAGE_GATEWAY_ID` The ID of the storage gateway that the mapping is being done in the context of. -a This option is a flag that indicates that the GCS Manager wants to receive output containing all mappings for the given identity set. If not present, the program will receive exactly one object in the identities array and may only return a single mapping for that identity.

{
  "DATA_TYPE": "external_identity_mapping#1.0.0",
  "command": [
    "/opt/globus/bin/python",
    "/opt/globus/map-globus-identity-data"
  ]
}

ExpressionIdentityMapping Document

The ExpressionIdentityMapping defines a set of identity mapping expressions to map Globus Auth identity data to a connector-specific list of account names.

Name	Type	Description
DATA_TYPE	string `expression_identity_mapping#1.0.0`	Type of this document
mappings	array (object) ( MappingExpression )	Array of expression-based identity mapping values.

{
  "DATA_TYPE": "expression_identity_mapping#1.0.0",
  "mappings": [
    {
      "source": "{username}",
      "match": "(.*)@globus\\.org",
      "output": "{0}",
      "ignore_case": false,
      "literal": false
    }
  ]
}

MappingExpression Document

The MappingExpression document type contains information about a mapping expression, including the input, match, output, and flags used to process this expression.

Name	Type	Description
source	string	A string comprised of text plus identity set data field names surrounded by curly brackets `{}` which are interpolated into the text.
match	string <regex>	An expression which is applied to the output performing interpolation on source for determining if this mapping applies. This requires a full string match on the source.
output	string	A string representing the result of the mapping if the match succeeded. References to the original identity_set data can be interpolated as in the source property. References to match groups from the match property can be interpolated with numbers (indices starting with 0) surrounded by curly brackets `{}`.
ignore_case	boolean	Flag indicating the match should be executed as a case insensitive comparison. If not present, this defaults to false.
literal	boolean	Flag indicating the match expression should be done as a literal match, ignoring any special regular characters. If not present, this defaults to false.

{
  "source": "{username}",
  "match": "(.*)@globus\\.org",
  "output": "{0}",
  "ignore_case": false,
  "literal": false
}

IdentityMapping Document

Globus Connect Server provides two ways for you to implement a custom Globus identity to account mapping: expression-based and external program

With expression-based mapping you can write rules that extract data from fields in the Globus identity document to form storage gateway-specific usernames. If there is a regular relationship between most of your users' Identity information to their account names, this is probably the most direct way to accomplish the mapping.

With external program mappings you can use any mechanism you like (static mapping, ldap, database, etc) to look up account information and return the mapped account user name. If you have an account system that has usernames without a simple relationship to your users' Globus identities, or that requires interfacing with an accounting system, this may be necessary.

Name	Type	Description
IdentityMapping	IdentityMapping One of { object ExternalIdentityMapping , object ExpressionIdentityMapping , object }	Globus Connect Server provides two ways for you to implement a custom Globus identity to account mapping: expression-based and external program With expression-based mapping you can write rules that extract data from fields in the Globus identity document to form storage gateway-specific usernames. If there is a regular relationship between most of your users' Identity information to their account names, this is probably the most direct way to accomplish the mapping. With external program mappings you can use any mechanism you like (static mapping, ldap, database, etc) to look up account information and return the mapped account user name. If you have an account system that has usernames without a simple relationship to your users' Globus identities, or that requires interfacing with an accounting system, this may be necessary.

{
  "DATA_TYPE": "external_identity_mapping#1.0.0",
  "command": [
    "/opt/globus/bin/python",
    "/opt/globus/map-globus-identity-data"
  ]
}

AuthenticationTimeout (v1.0.0) Properties Document

Name	Type	Description
identities	array (string)	List of identities that would have otherwise been authorized except that the authentication has timed out.
high_assurance	boolean	Boolean flag indicating whether the new authentication must be done within the same auth session as the application making the request.

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true
}

AuthenticationTimeout (v1.1.0) Properties Document

Name	Type	Description
require_mfa	boolean	Flag indicating that multi-factor authentication is required. Only occurs on high assurance storage gateways.

{
  "require_mfa": true
}

AuthenticationTimeout 1.0.0 Document

Name	Type	Description
identities	array (string)	List of identities that would have otherwise been authorized except that the authentication has timed out.
high_assurance	boolean	Boolean flag indicating whether the new authentication must be done within the same auth session as the application making the request.
DATA_TYPE	string `authentication_timeout#1.0.0`	Type of this document

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true,
  "DATA_TYPE": "authentication_timeout#1.0.0"
}

AuthenticationTimeout 1.1.0 Document

Name	Type	Description
identities	array (string)	List of identities that would have otherwise been authorized except that the authentication has timed out.
high_assurance	boolean	Boolean flag indicating whether the new authentication must be done within the same auth session as the application making the request.
require_mfa	boolean	Flag indicating that multi-factor authentication is required. Only occurs on high assurance storage gateways.
DATA_TYPE	string `authentication_timeout#1.1.0`	Type of this document

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true,
  "require_mfa": true,
  "DATA_TYPE": "authentication_timeout#1.1.0"
}

AuthenticationTimeout Document

Error details when a user must reauthenticate an identity in order to perform this operation.

Name	Type	Description
AuthenticationTimeout	AuthenticationTimeout One of { AuthenticationTimeout 1.0.0 , AuthenticationTimeout 1.1.0 }	Error details when a user must reauthenticate an identity in order to perform this operation.

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true,
  "DATA_TYPE": "authentication_timeout#1.0.0"
}

ResourceConflict Document

Error details when the caller has attempted to update an object that results in a conflict with some other object.

Name	Type	Description
DATA_TYPE	string `resource_conflict#1.0.0`	Type of this document
resources	array (string)	List of other resources which conflict with this proposed change.

{
  "DATA_TYPE": "resource_conflict#1.0.0",
  "resources": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ]
}

CredentialNotFound Document

Error details when a user has attempted to use a credential when creating a collection or logging in, but there are multiple mapped identities and none of them have a valid credential.

Name	Type	Description
DATA_TYPE	string `credential_not_found#1.0.0`	Type of this document
accounts	array ( Account )	List of available accounts that do not have credentials registered.

{
  "DATA_TYPE": "credential_not_found#1.0.0",
  "accounts": [
    {
      "DATA_TYPE": "account#1.0.0",
      "username": "testuser",
      "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
      "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
    }
  ]
}

IdNotInIdentitySet Document

Error details when a user has authenticated but has requested to act as an identity not in the current identity set.

Name	Type	Description
DATA_TYPE	string `id_not_in_identity_set#1.0.0`	Type of this document
id	string	Requested identity ID.

{
  "DATA_TYPE": "id_not_in_identity_set#1.0.0",
  "id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
}

LimitExceeded Document

Error details when a user would be authorized, but the endpoint has reached a hard resource limit on the type of object being created.

Name	Type	Description
DATA_TYPE	string `limit_exceeded#1.0.0`	Type of this document

{
  "DATA_TYPE": "limit_exceeded#1.0.0"
}

MissingRequiredRole Document

Error details when a user has authenticated but lacks a role to be able to perform the requested operation.

Name	Type	Description
DATA_TYPE	string `missing_required_role#1.0.0`	Type of this document
roles	array (object)

{
  "DATA_TYPE": "missing_required_role#1.0.0",
  "roles": [
    {
      "role": "administrator",
      "collection": "18d367d5-45cf-4724-a53e-5a685e45c942"
    }
  ]
}

MissingRequiredScopes Document

Error details when a user has authenticated but lacks an OAuth scope to be able to perform the requested operation.

Name	Type	Description
DATA_TYPE	string `missing_required_scopes#1.0.0`	Type of this document
required_scopes	array (string)

{
  "DATA_TYPE": "missing_required_scopes#1.0.0",
  "required_scopes": [
    "https://auth.globus.org/scopes/7f862724-3cb1-4006-8744-d71bc8acf518/data_access"
  ]
}

NotFromAllowedDomain Document

Error details when a user has authenticated but does not have an identity from the required domain to perform the requested action.

Name	Type	Description
DATA_TYPE	string `not_from_allowed_domain#1.0.0`	Type of this document
allowed_domains	array (string)

{
  "DATA_TYPE": "not_from_allowed_domain#1.0.0",
  "allowed_domains": [
    "example.edu",
    "example.org"
  ]
}

NotResourceOwner Document

Error details when a user has authenticated but is not the owner of the resource being acted upon.

Name	Type	Description
DATA_TYPE	string `not_resource_owner#1.0.0`	Type of this document
id	string <uuid>	Identity ID of the owner of the resource.

{
  "DATA_TYPE": "not_resource_owner#1.0.0",
  "id": "d65768d9-f00a-4921-93be-a16c8f20200d"
}

InvalidInput Document

Error details when the caller has sent an invalid input document.

Name	Type	Description
DATA_TYPE	string `invalid_input#1.0.0`	Type of this document
errors	array (object)	Optional list of input schema violations, such as missing or unknown properties, or properties with invalid values.

{
  "DATA_TYPE": "invalid_input#1.0.0",
  "errors": [
    {
      "message": "Missing data for required field.",
      "property": "authentication_timeout_mins"
    }
  ]
}

InvalidCredential Document

Error details when the caller’s identity maps to an account with a user credential that is in an invalid state.

Name	Type	Description
DATA_TYPE	string `invalid_credential#1.0.0`	Type of this document
user_credential_id	string <uuid>	The ID of the User Credential which needs to be fixed before this resource can be accessed.

{
  "DATA_TYPE": "invalid_credential#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164"
}

InvalidUser Document

Error details when the caller’s identity does not map to valid local account.

Name	Type	Description
DATA_TYPE	string `invalid_user#1.0.0`	Type of this document
usernames	array (string)

{
  "DATA_TYPE": "invalid_user#1.0.0",
  "usernames": [
    "username@example.edu"
  ]
}

SubscriptionRequired Document

Error details when the caller has attempted to access a feature not supported by the endpoint’s subscription.

Name	Type	Description
DATA_TYPE	string `subscription_required#1.0.0`	Type of this document
subscription_level	string	Level of subscription required for this feature.
add_ons	array (string)	Subscription add-ons required for this feature.

{
  "DATA_TYPE": "subscription_required#1.0.0",
  "subscription_level": "standard",
  "add_ons": [
    "Google Drive"
  ]
}

Domain Properties Document

Base Domain

Name	Type	Description
DATA_TYPE	string	Type of this document
domain_name	string	DNS Domain name.
wildcard	boolean	Flag indicating whether this is a wildcard domain or not. When setting a custom domain for an endpoint a wildcard domain must be used. When setting a custom domain for a mapped collection, the domain may optionally be a wildcard domain. If it is a wildcard domain, the guest collections will be created as subdomains of the mapped collection domain; if not, guest collections will be created as subdomains of the endpoint domain.

{
  "DATA_TYPE": "string",
  "domain_name": "custom.domain.org",
  "wildcard": true
}

Managed Domain 1.0.0 Properties Document

Name	Type	Description
certificate	string `^(.\\n)?-----BEGIN CERTIFICATE-----.`	PEM-Encoded X.509 certificate for this domain.
certificate_chain	string `^(.\\n)?-----BEGIN CERTIFICATE-----.`	PEM-Encoded X.509 certificate chain for this domain. Only needed if there are intermediate certificates that must also be sent to clients to allow them to verify the certificate.
private_key	string `^(.\\n)?-----BEGIN PRIVATE KEY-----.`	PEM-Encoded private key for the certificate.

{
  "certificate": "string",
  "certificate_chain": "string",
  "private_key": "string"
}

Unmanaged Domain 1.0.0 Properties Document

Name	Type	Description
certificate_path	string `^/.*`	Path to a file containing the X.509 certificate for this domain. This file path must contain a valid certificate and be present on each data transfer node.
certificate_chain_path	string `^/.*`	Path to a file containing the X.509 certificate chain for this domain. This file path must contain a sequence of valid certificate and be present on each data transfer node.
private_key_path	string `^/.*`	Path to a file containing the private key for this domain. This file path must contain a valid key and be present on each data transfer node.

{
  "certificate_path": "string",
  "certificate_chain_path": "string",
  "private_key_path": "string"
}

Managed domain 1.0.0 Document

Custom managed domain

Name	Type	Description
DATA_TYPE	`domain#1.0.0`
domain_name	string	DNS Domain name.
wildcard	boolean	Flag indicating whether this is a wildcard domain or not. When setting a custom domain for an endpoint a wildcard domain must be used. When setting a custom domain for a mapped collection, the domain may optionally be a wildcard domain. If it is a wildcard domain, the guest collections will be created as subdomains of the mapped collection domain; if not, guest collections will be created as subdomains of the endpoint domain.
certificate	string `^(.\\n)?-----BEGIN CERTIFICATE-----.`	PEM-Encoded X.509 certificate for this domain.
certificate_chain	string `^(.\\n)?-----BEGIN CERTIFICATE-----.`	PEM-Encoded X.509 certificate chain for this domain. Only needed if there are intermediate certificates that must also be sent to clients to allow them to verify the certificate.
private_key	string `^(.\\n)?-----BEGIN PRIVATE KEY-----.`	PEM-Encoded private key for the certificate.

{
  "DATA_TYPE": "domain#1.0.0",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate": "string",
  "certificate_chain": "string",
  "private_key": "string"
}

Unmanaged domain 1.0.0 Document

Custom unmanaged domain

Name	Type	Description
DATA_TYPE	`domain#1.0.0`
domain_name	string	DNS Domain name.
wildcard	boolean	Flag indicating whether this is a wildcard domain or not. When setting a custom domain for an endpoint a wildcard domain must be used. When setting a custom domain for a mapped collection, the domain may optionally be a wildcard domain. If it is a wildcard domain, the guest collections will be created as subdomains of the mapped collection domain; if not, guest collections will be created as subdomains of the endpoint domain.
certificate_path	string `^/.*`	Path to a file containing the X.509 certificate for this domain. This file path must contain a valid certificate and be present on each data transfer node.
certificate_chain_path	string `^/.*`	Path to a file containing the X.509 certificate chain for this domain. This file path must contain a sequence of valid certificate and be present on each data transfer node.
private_key_path	string `^/.*`	Path to a file containing the private key for this domain. This file path must contain a valid key and be present on each data transfer node.

{
  "DATA_TYPE": "domain#1.0.0",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate_path": "string",
  "certificate_chain_path": "string",
  "private_key_path": "string"
}

Domain 1.0.0 Document

Custom domain definition.

Name	Type	Description
Domain_1_0_0	Domain 1.0.0 One of { object Managed domain 1.0.0 , object Unmanaged domain 1.0.0 }	Custom domain definition.

{
  "DATA_TYPE": "string",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate": "string",
  "certificate_chain": "string",
  "private_key": "string"
}

Domain Document

Custom domain definition.

Name	Type	Description
Domain	Domain One of { object Domain 1.0.0 }	Custom domain definition.

{
  "DATA_TYPE": "domain#1.0.0",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate_path": "/etc/grid-security/endpoint_cert.pem",
  "private_key_path": "/etc/grid-security/endpoint_key.pem"
}

AzureBlobStoragePolicies Document

This type describes the public and private policies for a Azure Blob Storage Gateway.

Name	Type	Description
DATA_TYPE	string `azure_blob_storage_policies#1.0.0`	Type of this document
client_id	string	Client ID registered with the Azure console to access Azure Blob.[Private]
secret	string	Secret created in the Azure console to access Azure Blob with the client_id in this policy.[Private]
tenant	string	Tenant ID of the Microsoft organization.[Private]
auth_type	string	The method of authentication to Azure. 'user' prompts the user to log in to their Microsoft account via an oauth2 flow. 'service_principal' uses the configured client_id and client_secret values to authenticate as an Azure service principal.
account	string	Azure Storage account to access with this storage gateway.[Private]
adls	boolean	Flag indicating the Azure storage account has enabled Azure Data Lake Gen2 hierarchical namespace support.[Private]
auth_callback	string <uri>	URL of the auth callback that must be registered on the Azure console for the application client_id in order to process Microsoft credentials.

{
  "DATA_TYPE": "azure_blob_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "tenant": "string",
  "auth_type": "string",
  "account": "string",
  "adls": true,
  "auth_callback": "https://example.globus.org/api/v1/authcallback"
}

AzureBlobCollectionPolicies Document

The AzureBlobCollectionPolicies document describes Azure Blob-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `azure_blob_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "azure_blob_collection_policies#1.0.0"
}

AzureBlobUserCredentialPolicies Document

The AzureBlobUserCredentialPolicies document describes the Azure Blob-specific policy information included in a UserCredential. This document contains read-only data about the user’s credentials.

Name	Type	Description
DATA_TYPE	string `azure_blob_user_credential_policies#1.0.0`	Type of this document
sub	string	OAuth subject identifier claim.
email	string <email>	OAuth email claim.
access_token	string	OAuth access token.
refresh_token	string	OAuth refresh token.
scopes	array (string)	OAuth scopes associated with this access token.
token_expiry	string <date-time>	OAuth access token expiration time.

{
  "DATA_TYPE": "azure_blob_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "openid",
    "email",
    "profile",
    "offline_access",
    "user_impersonation"
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

BlackPearlStoragePolicies Document

The BlackPearlStoragePolicies document describes Black Pearl-specific policies. This document contains policies to locate the Black Pearl S3 endpoint and map account names to API keys.

Name	Type	Description
DATA_TYPE	string `blackpearl_storage_policies#1.0.0`	Type of this document
s3_endpoint	string <uri>	The URL of the S3 endpoint of the BlackPearl appliance to use to access collections on this Storage Gateway.
bp_access_id_file	string	Path to the file which provides mappings from usernames within the configured identity domain to the ID and secret associated with the user’s BlackPearl account

{
  "DATA_TYPE": "blackpearl_storage_policies#1.0.0",
  "s3_endpoint": "http://blackpearl.example.org:8080",
  "bp_access_id_file": "/etc/blackpearl/access-id-file"
}

BlackPearlCollectionPolicies Document

The BlackPearlCollectionPolicies document describes Black Pearl-specific policies. Currently this document contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `blackpearl_collection_policies#1.0.0`

{
  "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
}

BlackPearlUserCredentialPolicies Document

The BlackPearlUserCredentialPolicies document describes Black Pearl-specific policies. Currently this document contains read-only information about the access_id and key associated with an account.

Name	Type	Description
DATA_TYPE	string `blackpearl_user_credential_policies#1.0.0`
access_id	string	BlackPearl access ID
secret_key	string	BlackPearl secret key[Private]

{
  "DATA_TYPE": "blackpearl_user_credential_policies#1.0.0",
  "access_id": "amFzb25hbHQ=",
  "secret_key": "K9YxrEaj"
}

BoxStoragePolicies Document

The BoxStoragePolicies document describes box-specific configuration policies. These contain data needed to interact with the Box service via its API.

Name	Type	Description
DATA_TYPE	string `box_storage_policies#1.0.0`	Type of this document
enterpriseID	string	Identifies which Box Enterprise this Storage Gateway is authorized access to.[Private]
boxAppSettings	object	Values that the Storage Gateway uses to identify and authenticate the with the Box API.[Private]

{
  "DATA_TYPE": "box_storage_policies#1.0.0",
  "enterpriseID": "123456",
  "boxAppSettings": {
    "clientID": "pahZae7RaiX8thooOu2ooquo",
    "clientSecret": "ahNgik3uveiW4uiZYuquee3IFune6goo",
    "appAuth": {
      "publicKeyID": "xa6Ecas0",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQItFqhI7c+9m0CAggA\nMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBollBX+MTwIorhEBGMAGUYBIIE\n0PyvnRMb3diA+wB1GIJqLzBk4KqyKcWbP4NukwxWYvr8ZmC5MuaZQKsC0YqjZNMw\niTYaOUmjoA6HQYJr+Yt7wuU9g07N2isl+RnlZEUSrTUYVMu1NLb7A4zkCKFlV/dC\nTSb3IED//ne+i3+oaQImrO86ppGcNoaYmx4kCf9o9Etre040a7lLNQs9SB5ukHMZ\nfXGb1X5n0jXCqfJ4SYcSefK3fOVawbIg0ocMg99TZaBWvWb0C3w/+cn8MqT5FmOW\ncqMZSHtqq8/DdfNpfA7CLd6e5st2yKEnbYma2m7HR+SsCAhhOYligiMlwGCKw/JT\nYmKIB2wRu54dJOdvZVF/7kJkw5igooGxrBKXmlxVO+2TDs8fjx7F42W00XoOLTIy\nGGabLkAPQXOO5XOJsMaX/A3u9YUezoG7BZKsuPHlIxsJjylJqM0uA1nUObRxI77W\nyWEz1aHvDnEEvF/rBrNGV8ARiTNo02AKtvMLiW8H4d+G+8tlwCUB8CAkgOXwQpP5\nnqeibn4Y88GqE1z2EF7YGTjrTre/qvPJOIvYDYVONmc9DblitOMLerQdodgNC+3q\nrTDxPET9xGJ2Gg+TYWXYiEkQJMotpWR+zDB0uJVsBqfAVFvn6WFa8hp1m4Il2vNK\nCSFi8yUegK3vJiw1ZFUx42v9m8nyTiVJ/LvZYVkr2SxjI4mk2jCEP7YctTpT2Fpd\nYCXe6LGxzIh1QcEsz6ETaBtcQ2ZGoZYqURIoH3OoJ+Bqp2tsK8E/JJ5A5rSWRfeb\nssIG62iy/nDseq9sp1J5LfdOE45k5AQ0+48Box+b/j1Gdn30ckT+ffjO2HwGwAbG\nNpwgC/yJ8xyrgHGlRRULeu2zRndCcSsrRr0l9hYPiD4+JYPvaVPNf1O/Ry/OIFQZ\n+0VeWEHOziS4sheMTp6rof68zdND9NabhrUL/bjMnu6jZxFfLjj8ecVIq4TNoPRL\nHfnIEYb8z2bfMzv3raOa49Z6hgbkrQwmt/aAwp2tk9gx7FmIWghS4EktgXKYaYiG\ndPJWWnFSXOSYveF5otryISbwqZU4EDsPk8S/Yd9VTF9t/YxWpMGfsP/UKWILR3Lq\nF86JpuKgSB8eMrKDX4zTxgOqpPFaoxQYcQcM1X8BaYlfnHTtOS9gDYXyfVbxmnu9\nXTOjPdwI+enqWYADZ0HDsEghujxFOQKtefBq0isgzvMNmIB/II/09eCSPqk38oKO\nDIVPVrYqB1FtGMINDzyljCI5q9Z1Duw+9M0IYCv4k1v0fVsowNHfTGc1PcMHGZXs\nudejICJ02UZjvhW9GCE0Gswk1Td64f8afqDYvXviCI3545HZy3UZqMGNNT7nx2zY\n9Vih8pl0027MXj1IScCuC90YZr0TyhpfZadfQJB27Bh8bBaS+Jal3+vfgXTNwXLm\nTGN9EdRKaSZS7CFAmgwDEQ1wkO5v0yvOBWVgw9QcFigu9y7hPAGu91bDb8t5EEMR\nsIklo0H7U2yx2eiEB5aFbb6ufKC4+WShDvYkSEhpalqUL7wplV7lR4ZyuwLa4PG/\nShgYXEgibyksa7ggI7wJwe85laWkycrOn5/lvRUNrvSvDoQJlMsQD5h/Bscvw1K8\nNWXaierPdI1GtR0zWujxbVi29fafqwJSP6V3dTSLLbAI\n-----END ENCRYPTED PRIVATE KEY-----",
      "passphrase": "Aip4eengaeQuoib2Eme3thei"
    }
  }
}

BoxCollectionPolicies Document

The BoxCollectionPolicies document describes box-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `box_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "box_collection_policies#1.0.0"
}

BoxUserCredentialPolicies Document

The BoxUserCredentialPolicies document describes box-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `box_user_credential_policies#1.0.0`

{
  "DATA_TYPE": "box_user_credential_policies#1.0.0"
}

CephStoragePolicies Document

The CephStoragePolicies document describes ceph-specific configuration policies. These policies contain information about how to contact the Ceph storage API and also restrictions on which Ceph buckets are available for access via this storage gateway.

Name	Type	Description
DATA_TYPE	string `ceph_storage_policies#1.0.0`	Type of this document
s3_endpoint	string <uri>	URL of the S3 API endpoint
s3_buckets	array (string)	List of buckets not owned by the collection owner that will be shown in the root of collections created at the base of this Storage Gateway.
ceph_admin_key_id	string	Administrator key id used to authenticate with the ceph admin service to obtain user credentials.[Private]
ceph_admin_secret_key	string	Administrator secret key used to authenticate with the ceph admin service to obtain user credentials.[Private]

{
  "DATA_TYPE": "ceph_storage_policies#1.0.0",
  "s3_endpoint": "https://s3.amazonaws.com",
  "s3_buckets": [
    "publicbucket1"
  ],
  "ceph_admin_key_id": "string",
  "ceph_admin_secret_key": "string"
}

CephCollectionPolicies Document

The CephCollectionPolicies document describes ceph-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `ceph_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "ceph_collection_policies#1.0.0"
}

CephUserCredentialPolicies Document

The CephCollectionPolicies document describes ceph-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `ceph_user_credential_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "ceph_user_credential_policies#1.0.0"
}

GoogleCloudStorageProject Document

A Google Cloud Platform project resource.

Name	Type	Description
projectId	string	Google-issued id of a Google Cloud Platform project.
name	string	The name of the project.

{
  "projectId": "strawberry-delta-129193",
  "name": "Globus Data Project"
}

GoogleCloudStoragePolicies Document

This type describes the public and private policies for a Google Cloud Storage Gateway.

Name	Type	Description
DATA_TYPE	string `google_cloud_storage_policies#1.0.0`	Type of this document
client_id	string	Client ID registered with the Google Application console to access Google Cloud Storage.[Private]
secret	string	Secret created to access access Google Cloud Storage with the client_id in this policy.[Private]
service_account_key	object	Service account key to use when authenticating all storage access.[Private]
buckets	array (string)	The list of Google Cloud Storage buckets which the Storage Gateway is allowed to access, as well as the list of buckets that will be shown in root level directory listings. If this list is unset, bucket access is unrestricted and all non public credential accessible buckets will be shown in root level directory listings. The value is a list of bucket names.
auth_callback	string <uri>	URL of the auth callback that must be registered on the Google API console for the application client_id in order to process Google credentials.
projects	array (string)	The list of Google Cloud Storage project ids which the Storage Gateway is allowed to access. If this list is unset, project access is unrestricted. The value is a list of project id strings.

{
  "DATA_TYPE": "google_cloud_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "service_account_key": {},
  "buckets": [
    "string"
  ],
  "auth_callback": "https://example.globus.org/api/v1/authcallback_google",
  "projects": [
    "strawberry-delta-129193"
  ]
}

GoogleCloudStorageCollectionPolicies Document

The GoogleCloudStorageCollectionPolicies document describes google-specific policies for a collection.

Name	Type	Description
DATA_TYPE	string `google_cloud_storage_collection_policies#1.0.0`	Type of this document
project	string	Google Cloud Platform project ID value that is associated with this collection.

{
  "DATA_TYPE": "google_cloud_storage_collection_policies#1.0.0",
  "project": "strawberry-delta-129193"
}

GoogleCloudStorageUserCredentialPolicies Document

Name	Type	Description
DATA_TYPE	string `google_cloud_storage_user_credential_policies#1.0.0`	Type of this document
sub	string	OpenID Connect subject property of this credential. [read-only]
email	string <email>	OpenID Connect email property of this credential. [read-only]
access_token	string	Access token to interact with the Google Cloud Storage API. [read-only][Private]
refresh_token	string	Refresh token to generate new access tokens to use with the Google Cloud Storage API. [read-only][Private]
scopes	array (string)	List of OAuth 2 scopes associated with the tokens in this credential. [read-only]
projects	array ( GoogleCloudStorageProject )	List of Google Cloud Platform projects available for use with this credential. [read-only]
token_expiry	string <date-time>	Time when he access token expires. [read-only]

{
  "DATA_TYPE": "google_cloud_storage_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "string"
  ],
  "projects": [
    {
      "projectId": "strawberry-delta-129193",
      "name": "Globus Data Project"
    }
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

GoogleDriveStoragePolicies Document

This type describes the public and private policies for a Google Drive Storage Gateway.

Name	Type	Description
DATA_TYPE	string `google_drive_storage_policies#1.0.0`	Type of this document
client_id	string	Client ID registered with the Google Application console to access Google Drive.[Private]
secret	string	Secret created to access access Google Drive with the client_id in this policy.[Private]
user_api_rate_quota	integer	User API Rate quota associated with this client ID.[Private]
auth_callback	string <uri>	URL of the auth callback that must be registered on the Google API console for the application client_id in order to process Google credentials.

{
  "DATA_TYPE": "google_drive_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "user_api_rate_quota": 1000,
  "auth_callback": "https://example.globus.org/api/v1/authcallback_google"
}

GoogleDriveCollectionPolicies Document

The GoogleDriveCollectionPolicies document describes Google drive -specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `google_drive_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "google_drive_collection_policies#1.0.0"
}

GoogleDriveUserCredentialPolicies Document

The GoogleDriveUserCredentialPolicies document describes the google-specific policy information included in a UserCredential. This document contains read-only data about the user’s Google OAuth tokens.

Name	Type	Description
DATA_TYPE	string `google_drive_user_credential_policies#1.0.0`	Type of this document
sub	string	OAuth subject identifier claim.
email	string <email>	OAuth email claim.
access_token	string	OAuth access token.
refresh_token	string	OAuth refresh token.
scopes	array (string)	OAuth scopes associated with this access token.
token_expiry	string <date-time>	OAuth access token expiration time.

{
  "DATA_TYPE": "google_drive_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "email",
    "profile",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.appfolder"
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

IrodsStoragePolicies Document

This document contains one of the versioned iRODS specific storage gateway policies.

Name	Type	Description
IrodsStoragePolicies	IrodsStoragePolicies One of { IrodsStoragePolicies 1.0.0 }	This document contains one of the versioned iRODS specific storage gateway policies.

{
  "irods_environment_file": "/var/irods/irods_environment.json",
  "irods_authentication_file": "/var/irods/.irodsA",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ],
  "DATA_TYPE": "irods_storage_policies#1.0.0"
}

IrodsStoragePolicies 1.0.0 Document

This document contains version 1.0.0 of the iRODS storage gateway policies with an explicit DATA_TYPE value.

Name	Type	Description
irods_environment_file	string	Path to the irods environment file.[Private]
irods_authentication_file	string	Path to the irods authentication file.[Private]
environment	array (object)	Variables to set in the iRODS client environment.[Private]
DATA_TYPE	string `irods_storage_policies#1.0.0`	Type of this document

{
  "irods_environment_file": "/var/irods/irods_environment.json",
  "irods_authentication_file": "/var/irods/.irodsA",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ],
  "DATA_TYPE": "irods_storage_policies#1.0.0"
}

IrodsStoragePolicies_1_0_0_Properties Document

The IrodsStoragePolicies document describes the extensions to support the iRODS connector’s configuration policies.

Name	Type	Description
irods_environment_file	string	Path to the irods environment file.[Private]
irods_authentication_file	string	Path to the irods authentication file.[Private]
environment	array (object)	Variables to set in the iRODS client environment.[Private]

{
  "irods_environment_file": "/var/irods/irods_environment.json",
  "irods_authentication_file": "/var/irods/.irodsA",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

IrodsUserCredentialPolicies Document

This document contains one of the versioned iRODS-specific user credential policies.

Name	Type	Description
IrodsUserCredentialPolicies	IrodsUserCredentialPolicies One of { object IrodsUserCredential 1.0.0 Policies }	This document contains one of the versioned iRODS-specific user credential policies.

{
  "DATA_TYPE": "irods_user_credential_policies#1.0.0"
}

IrodsUserCredential 1.0.0 Policies Document

This document contains version 1.0.0 of the iRODS user credential policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `irods_user_credential_policies#1.0.0`

{
  "DATA_TYPE": "irods_user_credential_policies#1.0.0"
}

IrodsCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the iRODS collection policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `irods_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "irods_collection_policies#1.0.0"
}

IrodsCollectionPolicies Document

This document contains one of the versioned iRODS-specific collection policies.

Name	Type	Description
IrodsCollectionPolicies	IrodsCollectionPolicies One of { IrodsCollectionPolicies 1.0.0 }	This document contains one of the versioned iRODS-specific collection policies.

{
  "DATA_TYPE": "irods_collection_policies#1.0.0"
}

OneDriveStoragePolicies Document

This type describes the public and private policies for a OneDrive Storage Gateway.

Name	Type	Description
DATA_TYPE	string `onedrive_storage_policies#1.0.0`	Type of this document
client_id	string	Client ID registered with the Azure console to access OneDrive.[Private]
secret	string	Secret created in the Azure console to access OneDrive with the client_id in this policy.[Private]
tenant	string	Tenant ID of the Microsoft organization. Required when Supported Account Types of the Azure application is set to Single tenant.[Private]
user_api_rate_limit	integer	User API Rate Limit associated with this client ID in operations per second per user.[Private]
auth_callback	string <uri>	URL of the auth callback that must be registered on the Azure console for the application client_id in order to process Microsoft credentials.

{
  "DATA_TYPE": "onedrive_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "tenant": "string",
  "user_api_rate_limit": 1000,
  "auth_callback": "https://example.globus.org/api/v1/authcallback"
}

OneDriveUserCredentialPolicies Document

The OneDriveUserCredentialPolicies document describes the OneDrive-specific policy information included in a UserCredential. This document contains read-only data about the user’s credentials.

Name	Type	Description
DATA_TYPE	string `onedrive_user_credential_policies#1.0.0`	Type of this document
sub	string	OAuth subject identifier claim.
email	string <email>	OAuth email claim.
access_token	string	OAuth access token.
refresh_token	string	OAuth refresh token.
scopes	array (string)	OAuth scopes associated with this access token.
token_expiry	string <date-time>	OAuth access token expiration time.

{
  "DATA_TYPE": "onedrive_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "openid",
    "email",
    "profile",
    "offline_access",
    "files.readwrite.all"
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

OneDriveCollectionPolicies Document

The OneDriveCollectionPolicies document describes OneDrive-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `onedrive_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "onedrive_collection_policies#1.0.0"
}

PosixStoragePolicies Document

This document contains one of the versioned POSIX-specific storage gateway policies. This document includes settings for access restrictions for based on POSIX group membership.

Name	Type	Description
PosixStoragePolicies	PosixStoragePolicies One of { PosixStoragePolicies_1_0_0 }	This document contains one of the versioned POSIX-specific storage gateway policies. This document includes settings for access restrictions for based on POSIX group membership.

{
  "DATA_TYPE": "posix_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ]
}

PosixStoragePolicies_1_0_0 Document

This document contains version 1.0.0 of the POSIX storage gateway policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `posix_storage_policies#1.0.0`	Type of this document
groups_allow	array (string)	List of POSIX group IDs allowed to access this Storage Gateway.[Private]
groups_deny	array (string)	List of POSIX group IDs denied access this Storage Gateway.[Private]

{
  "DATA_TYPE": "posix_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ]
}

PosixStoragePolicies 1.0.0 Properties Document

This document contains the properties for version 1.0.0 of the POSIX storage gateway policy document.

Name	Type	Description
DATA_TYPE	string	Type of this document
groups_allow	array (string)	List of POSIX group IDs allowed to access this Storage Gateway.[Private]
groups_deny	array (string)	List of POSIX group IDs denied access this Storage Gateway.[Private]

{
  "DATA_TYPE": "string",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ]
}

PosixUserCredentialPolicies Document

This document contains one of the versioned POSIX-specific user credential policies.

Name	Type	Description
PosixUserCredentialPolicies	PosixUserCredentialPolicies One of { object PosixUserCredential 1.0.0 Policies }	This document contains one of the versioned POSIX-specific user credential policies.

{
  "DATA_TYPE": "posix_user_credential_policies#1.0.0"
}

PosixUserCredential 1.0.0 Policies Document

This document contains version 1.0.0 of the POSIX storage gateway policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `posix_user_credential_policies#1.0.0`

{
  "DATA_TYPE": "posix_user_credential_policies#1.0.0"
}

PosixGuestCollectionPolicies Document

This document contains one of the versioned POSIX-specific guest collection policies.

Name	Type	Description
PosixGuestCollectionPolicies	PosixGuestCollectionPolicies One of { object PosixCollectionPolicies 1.0.0 , PosixGuestCollectionPolicies 1.1.0 }	This document contains one of the versioned POSIX-specific guest collection policies.

{
  "DATA_TYPE": "posix_collection_policies#1.0.0"
}

PosixMappedCollectionPolicies Document

This document contains one of the versioned POSIX-specific guest collection policies.

Name	Type	Description
PosixMappedCollectionPolicies	PosixMappedCollectionPolicies One of { object PosixCollectionPolicies 1.0.0 , PosixMappedCollectionPolicies 1.1.0 }	This document contains one of the versioned POSIX-specific guest collection policies.

{
  "DATA_TYPE": "posix_collection_policies#1.0.0"
}

PosixCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX collection policies with an explicit DATA_TYPE value. There are no differences between policies supported by mapped and guest collections.

Name	Type	Description
DATA_TYPE	string `posix_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "posix_collection_policies#1.0.0"
}

PosixGuestCollectionPolicies 1.1.0 Document

This document contains version 1.1.0 of the POSIX collection policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `posix_collection_policies#1.1.0`	Type of this document

{
  "DATA_TYPE": "posix_collection_policies#1.1.0"
}

PosixMappedCollectionPolicies 1.1.0 Document

This document contains version 1.1.0 of the POSIX collection policies with an explicit DATA_TYPE value. This document type contains policies to perform group-level sharing restrictions.

Name	Type	Description
sharing_groups_allow	array (string)	List of POSIX group IDs allowed to create shares on this collection.[Private]
sharing_groups_deny	array (string)	List of POSIX group IDs denied access to create shares on this collection.[Private]
DATA_TYPE	string `posix_collection_policies#1.1.0`	Type of this document

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ],
  "DATA_TYPE": "posix_collection_policies#1.1.0"
}

PosixMappedCollectionPolicies 1.1.0 Properties Document

This document contains the POSIX-specific properties for version 1.1.0 of the POSIX mapped collection policies document. This document type contains policies to perform group-level sharing restrictions.

Name	Type	Description
sharing_groups_allow	array (string)	List of POSIX group IDs allowed to create shares on this collection.[Private]
sharing_groups_deny	array (string)	List of POSIX group IDs denied access to create shares on this collection.[Private]

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ]
}

PosixStagingStoragePolicies Document

This document contains one of the versioned POSIX staging specific storage gateway policies.

Name	Type	Description
PosixStagingStoragePolicies	PosixStagingStoragePolicies One of { PosixStagingStoragePolicies 1.0.0 }	This document contains one of the versioned POSIX staging specific storage gateway policies.

{
  "DATA_TYPE": "posix_staging_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ],
  "stage_app": "/usr/local/bin/globus-stage-data",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

PosixStagingStoragePolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX staging storage gateway policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `posix_staging_storage_policies#1.0.0`	Type of this document
groups_allow	array (string)	List of POSIX group IDs allowed to access this Storage Gateway.[Private]
groups_deny	array (string)	List of POSIX group IDs denied access this Storage Gateway.[Private]
stage_app	string	Path to the stage app.[Private]
environment	array (object)	Variables to set in the environment when executing the stage_app.[Private]

{
  "DATA_TYPE": "posix_staging_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ],
  "stage_app": "/usr/local/bin/globus-stage-data",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

PosixStagingStoragePolicies_1_0_0_Properties Document

The PosixStagingStoragePolicies document describes the extensions to support the posix staging connector’s configuration policies.

Name	Type	Description
stage_app	string	Path to the stage app.[Private]
environment	array (object)	Variables to set in the environment when executing the stage_app.[Private]

{
  "stage_app": "/usr/local/bin/globus-stage-data",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

PosixStagingUserCredentialPolicies Document

This document contains one of the versioned POSIX staging-specific user credential policies.

Name	Type	Description
PosixStagingUserCredentialPolicies	PosixStagingUserCredentialPolicies One of { object PosixStagingUserCredential 1.0.0 Policies }	This document contains one of the versioned POSIX staging-specific user credential policies.

{
  "DATA_TYPE": "posix_staging_user_credential_policies#1.0.0"
}

PosixStagingUserCredential 1.0.0 Policies Document

This document contains version 1.0.0 of the POSIX staging user credential policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `posix_staging_user_credential_policies#1.0.0`

{
  "DATA_TYPE": "posix_staging_user_credential_policies#1.0.0"
}

PosixStagingMappedCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX staging mapped collection policies with an explicit DATA_TYPE value.

Name	Type	Description
sharing_groups_allow	array (string)	List of POSIX group IDs allowed to create shares on this collection.[Private]
sharing_groups_deny	array (string)	List of POSIX group IDs denied access to create shares on this collection.[Private]
DATA_TYPE	string `posix_staging_collection_policies#1.0.0`	Type of this document

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ],
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

PosixStagingGuestCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX staging mapped collection policies with an explicit DATA_TYPE value.

Name	Type	Description
DATA_TYPE	string `posix_staging_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

PosixStagingGuestCollectionPolicies Document

This document contains one of the versioned POSIX staging-specific guest collection policies.

Name	Type	Description
PosixStagingGuestCollectionPolicies	PosixStagingGuestCollectionPolicies One of { PosixStagingGuestCollectionPolicies 1.0.0 }	This document contains one of the versioned POSIX staging-specific guest collection policies.

{
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

PosixStagingMappedCollectionPolicies Document

This document contains one of the versioned POSIX staging-specific guest collection policies.

Name	Type	Description
PosixStagingMappedCollectionPolicies	PosixStagingMappedCollectionPolicies One of { PosixStagingMappedCollectionPolicies 1.0.0 }	This document contains one of the versioned POSIX staging-specific guest collection policies.

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ],
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

S3StoragePolicies Document

The S3StoragePolicies document describes S3-specific configuration policies. These policies contain information about how to contact the S3 API and also restrictions on which S3 buckets are available for access via this storage gateway.

Name	Type	Description
DATA_TYPE	string `s3_storage_policies#1.0.0`	Type of this document
s3_endpoint	string <uri>	URL of the S3 API endpoint
s3_buckets	array (string)	List of buckets not owned by the collection owner that will be shown in the root of collections created at the base of this Storage Gateway.
s3_user_credential_required	boolean	Flag indicating if a Globus User must register a user credential in order to create a Guest Collection on this Storage Gateway.

{
  "DATA_TYPE": "s3_storage_policies#1.0.0",
  "s3_endpoint": "https://s3.amazonaws.com",
  "s3_buckets": [
    "awsexamplebucket1"
  ],
  "s3_user_credential_required": true
}

S3CollectionPolicies Document

The S3CollectionPolicies document describes s3-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name	Type	Description
DATA_TYPE	string `s3_collection_policies#1.0.0`	Type of this document

{
  "DATA_TYPE": "s3_collection_policies#1.0.0"
}

S3UserCredential Document

The S3UserCredential document describes s3-specific configuration policies. Currently this contains the key information needed to contact the S3 API for this account.

Name	Type	Description
DATA_TYPE	string `s3_user_credential_policies#1.0.0`	Type of this document
s3_key_id	string	Access Key ID to use with the S3 API to access your buckets and objects.
s3_secret_key	string	Secret Key to use with the S3 API to access your buckets and objects.

{
  "DATA_TYPE": "s3_user_credential_policies#1.0.0",
  "s3_key_id": "AKIAIOSFODNN7EXAMPLE",
  "s3_secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

Sharing policies for a mapped collection. This document type allows endpoint and collection administrators to optionally constrain sharing path policies for particular users. The sharing_restrict_paths property has a similar meaning to that of the sharing_restrict_paths in the collection document; however, it is in effect only for specific users.

If the users property is null, then the restriction applies to all users. If it is non-null, then this restriction applies only to accounts which have been mapped to the enumerated storage gateway user accounts.

Multiple sharing policies can be defined for a mapped collection. When a guest collection is created or accessed, only the policies relevant to the user which created the account are enforced.

Name	Type	Description
DATA_TYPE	string `sharing_policy#1.0.0`	Type of this document
id	string <uuid>	ID for this sharing policy
collection_id	string <uuid>	ID of the mapped collection which this policy is associated with.
sharing_restrict_paths	One of { object PathRestrictions }	Restrictions on which paths may be shared in guest collections related to this mapped collection. These paths are relative to the root_path property of the mapped collection.
users	array (string)	List of local user accounts that this policy applies to. If omitted or null, this restriction applies to all local user accounts.

{
  "DATA_TYPE": "sharing_policy#1.0.0",
  "id": "97d6ec0b-a3c2-4723-a1a0-285b2b8f015a",
  "collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185",
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "users": [
    "username"
  ]
}