Globus Groups service
The Globus Groups service enables access permissions to be assigned to user-defined groups of identities. Administrators may manage group policies and user roles to implement arbitrarily complex access control. Developers can leverage Globus group invitation workflows to create groups, invite users to a group via their Globus identity or email, and make changes to groups that are instantly reflected and enforced by other Globus platform services, for example to allow or restrict access to a dataset. Other interesting applications of the Groups service include controlling visibility of certain search index metadata (e.g. personally identifiable information) while allowing access to the indexed data collections themselves, and restricting the ability to run Globus Flows to subsets of authorized users.
Many authorization decisions are made on the basis of group membership, which greatly reduces the burden on system administrators of managing permissions for individual users. For example, removing user access to all Globus collections managed by an institution can be as simple as revoking the user’s membership in a Globus group. While ad hoc administrative tasks can be performed via the Globus web app, the API exposed by the Groups service is critical to enabling diverse data management tasks in data portals, science gateways and data commons being developed by the research community.