When managing access to restricted data in guest collections, access control rules (ACLs) may assign access to groups as well as to individuals. Each group must be flagged as a high-assurance group.

To designate a high-assurance group, locate the group in the Groups section of the Globus web app. If the group isn’t listed on the main page, search for it by name.

Search for a group

Once you’ve located the group, click the group’s name to view its configuration, then click "Settings" to open the Settings tab. In the "Policies" section, click "Edit Policies."

Edit the group's policies

Near the end of the list of policies, find "Session enforcement for this group is." The two options are "not strict" (the default) and "strict." Change the policy to "strict" to designate that this is a high-assurance group. Change the authentication duration (defaults to 28800 seconds, or eight hours) to the value required by your institution. Click "Submit."

Set strict session enforcement

At this point, your group is now designated for high-assurance use.

When you return to the group settings page, you may see a notice that you must authenticate as a specific identity to make further changes to the group. Because the group is now using strict authentication, this is expected if you haven’t authenticated to the required identity in the current session. Follow the prompts to re-authenticate.

Required identity