
Globus Connect Server Collection Role Create

Name

globus-connect-server collection role create - Create a role assignment

Synopsis

globus-connect-server collection role create COLLECTION_ID ROLE PRINCIPAL [OPTIONS]…​

Description

The globus-connect-server collection role create command creates a new role association to manage a collection. This is a premium feature: the endpoint must be managed by a subscription in order to create and use role-based authorization with a Globus Connect Server v5 endpoint.

When creating a collection role, this command takes three positional arguments: COLLECTION_ID, ROLE and PRINCIPAL.

The meanings of these arguments are:

COLLECTION_ID

The ID of the collection on which the role is being granted.

ROLE

The type of role to grant.

PRINCIPAL

The principal being granted the role’s access. This may be a user identity or a Globus group.

Collection Roles

administrator

A principal with this role on a collection has the following capabilities:

  • view, modify, or delete the collection even if it is not public

  • view, add, update, and delete role assignments on the collection

  • all capabilities of the access_manager for this collection on the endpoint

  • all capabilities of the activity_manager for all collections on the endpoint

  • all capabilities of the activity_monitor for the collection

Additionally, the collection administrator has the administrator role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

access_manager

A principal with this role on a guest collection has the following capabilities:

  • View, add, and delete permissions on a guest collection.

Additionally, the collection administrator has the access_manager role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

activity_manager

A principal with this role on a collection has the following capabilities:

  • View the collection document even if it is not public

  • View and control tasks and other endpoint activity to or from the collection. This includes all operations in the Advanced Endpoint Management API (view, pause/resume, cancel).

  • View events, task pause info, pause rules, and permissions for storage gateways and collections on this endpoint.

Additionally, the collection administrator has the activity_manager role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

activity_monitor

A principal with this role on a collection has the following capabilities for that collection:

  • View the collection document even if it is not public

Additionally, the collection administrator has the activity_monitor role on the Transfer API for the collection, so it may interact with parts of the Transfer Management API.

Role Principals

A role may be assigned to either a Globus user identity or to a Globus group. You may choose which type of principal to use by including the --principal-type command line option with the argument identity or group. If not explicitly chosen, this command assumes that the principal is for an identity.

When assigning a role to a single user, the PRINCIPAL value may be either the ID of the user’s Globus identity, or the username property of that identity. In the latter case, the identity is resolved by querying the Globus Auth service and the ID is stored as the role assignment.

Options

-h, --help

Show help message and exit.

--version

Show the version and exit.

--principal-type "identity"|"group"

The type of principal to assign the role to.

-F, --format "text"|"json"

Output format for this command. If the format is json, then the resulting role document is displayed.

--use-explicit-host IP_ADDRESS (new in 5.4.23)

IP address of the GCS node to use for this request. If not specified, any available GCS node in the endpoint will be used.

Example

This example creates a new administrator role for a group by its ID:

globus-connect-server collection role create d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2 \
    --principal-type group \
    administrator 35081edc-475d-4bfe-b230-c55c6ce160e5

This example creates a new activity_monitor role for a user and displays the resulting document:

globus-connect-server collection role create d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2 \
    activity_monitor admin@example.edu -F json

Example JSON Output

{
  "DATA_TYPE": "role#1.0.0",
  "id": "251cba70-8568-11ea-ab13-0aeadf0d30f1",
  "principal": "urn:globus:auth:identity:0723a736-7f6c-4284-b436-def991a7d330",
  "role": "activity_monitor",
  "resource": "d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2"
}
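
The Python sketch below is an added example, not part of the Globus documentation or tooling. It validates the three positional arguments before the command is run, then checks that the role document returned with -F json names the intended collection, role and identity ID, which is worth confirming when a username has been resolved through Globus Auth. The function names, the group URN prefix and the rule that groups are given by ID are assumptions.

```python
import json
import uuid

ROLES = {"administrator", "access_manager", "activity_manager", "activity_monitor"}
# The identity prefix is taken from the sample output on this page; the group
# prefix is an assumption about how group principals are stored.
URN_PREFIX = {"identity": "urn:globus:auth:identity:",
              "group": "urn:globus:groups:id:"}

# Sample role document copied from the example output above.
SAMPLE = """{
  "DATA_TYPE": "role#1.0.0",
  "id": "251cba70-8568-11ea-ab13-0aeadf0d30f1",
  "principal": "urn:globus:auth:identity:0723a736-7f6c-4284-b436-def991a7d330",
  "role": "activity_monitor",
  "resource": "d7d5cf80-d4c9-4039-81cc-ddc11fdbf1c2"
}"""

def is_uuid(value):
    """True only for a canonical hyphenated UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def build_argv(collection_id, role, principal, principal_type="identity"):
    """Validate the request and return an argv list for subprocess.run()."""
    if not is_uuid(collection_id):
        raise ValueError("COLLECTION_ID must be a UUID")
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    if principal_type not in URN_PREFIX:
        raise ValueError(f"unknown principal type: {principal_type!r}")
    # Assumption: groups are always given by ID, as in the page's example.
    if principal_type == "group" and not is_uuid(principal):
        raise ValueError("group principal must be a group ID")
    if principal.startswith("-"):
        raise ValueError("principal would be parsed as an option")
    return ["globus-connect-server", "collection", "role", "create",
            collection_id, role, principal,
            "--principal-type", principal_type, "-F", "json"]

def check_role_document(raw, collection_id, role, expected_id, principal_type="identity"):
    """Return the fields where the stored role differs from the request."""
    doc = json.loads(raw)
    wanted = {"resource": collection_id, "role": role,
              "principal": URN_PREFIX[principal_type] + expected_id}
    return [k for k, v in wanted.items() if doc.get(k) != v]
```

An empty list from check_role_document means the stored assignment matches the request; any field name it returns should be investigated before the role is left in place.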
© 2010- The University of Chicago