Globus Connect Server Auth Policy

Overview

The auth-policy commands manage authentication policies which can be used to enhance data access controls on GCS guest collections. Authentication policies are stored within the Globus Auth service and can be shared between GCS endpoints.

As of GCS 5.4.57, mapped collection admins may assign authentication policies to mapped collections in order to restrict which identity provider domains can be used to access guest collections. In this way, the mapped collection admin can place boundaries on whom guest collection owners may share data. Note that this does not prevent guest collection owners from setting permissions for these domains. Instead, it filters which permissions (including guest collection owner or admin permissions) are considered when authorizing a user to access the guest collection.

An authentication policy defines these criteria which a user must meet in order to satisfy the authentication policy so that the user may be granted access to the data. Authentication policies are stored within the Globus Auth service and can be shared between GCS endpoints.

Included Domains (Optional): List of identity provider domains allowed for guest collection permissions. Users accessing the guest collection must have an identity from at least one of the included domains and that identity must have a valid guest collection permission. If Included Domains is empty, all of the user’s guest collection permissions are considered. The domains may include wildcards, ie '*.edu'.
Excluded Domains (Optional): List of identity provider domains not allowed for guest collection permissions. Any of the user’s guest collection permissions from Excluded Domains will not be considered for guest collection access. Any domain listed in both Included Domains and Excluded Domains will not be able to access the guest collection. The domains may include wildcards, ie '*.edu'.

The following option indicates the type of collection the policy will be used on.

High Assurance (Optional): When a policy is set as high assurance, only permissions for identities from included identity provider domains which have been authenticated within the current session will be considered for guest collection access. A policy is required to be configured as high assurance in order to be placed on high assurance collections. Likewise, if the policy is not high assurance, it can only be used with regular collections. This setting is immutable.

Commands

globus-connect-server auth-policy create: Create a new authentication policy.
globus-connect-server auth-policy update: Update information about an authentication policy.
globus-connect-server auth-policy list: List authentication policies.
globus-connect-server auth-policy show: Show information about an authentication policy.
globus-connect-server auth-policy delete: Delete an authentication policy.