Change administrator of shared endpoint

John Saxton

Jun 7, 2022, 1:35:26 PM
to Discuss
We have a lab with existing shared endpoints where the administrator who created them has moved on and thus lost permissions to the underlying data. They granted other lab members admin access to the shared endpoint, but connecting to it is still using the now-defunct user and failing since they lack the necessary rights.

Is there a way to change which user a shared endpoint attempts to connect as? We tried changing the "Advertised Owner" but that wasn't the answer.
What strategy do others use to get around this problem if there is no way to change it? A generic service account seems like one way forward.

Thanks,
John

Brigitte Raumann

Jun 10, 2022, 5:59:11 PM
to John Saxton, Discuss
John,

By design, Globus sharing permissions are always an overlay over the local permissions. If the local user no longer has access to the data, then anyone with whom the local user has shared data can no longer access data either. In other words, there is no way for a sharee to retain access to data if the share owner can no longer access the data. Unfortunately, that can put people who rely on access to data via shares in a difficult position if the person that shared the data no longer has the right to access the data. In some cases, creating a new share with the same name and permissions as the old share is an adequate workaround. If you are interested in developing scripts that will create new shares with the same metadata and permissions, you can email sup...@globus.org for guidance.

I'm sorry I can't give you a better solution for your current situation.  But for the future, as you suggested, a service account is a good option for ownership of shares or guest collections that should be owned by an organization rather than an individual.  One option is to register an app at https://developers.globus.org/, and then map the app to the local account that owns the data (detailed mapping instructions are here https://docs.globus.org/globus-connect-server/v5.4/identity-mapping-guide/).  The app credentials can then be used to create shares or guest collections using the Globus CLI.  

Brigitte
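
The "new share with the same permissions" workaround from the reply above, as an added example that is not part of the original thread and is not Globus code: it plans which access rules to recreate on a replacement share owned by a service account. The function name, identities, UUIDs and paths are constructed for illustration; the field names are assumed to follow Globus Transfer "access" rule documents.

```python
# Added example: plan the access rules for a replacement share from the old
# share's access list. Field names are assumed to follow Globus Transfer
# "access" documents; all identities and paths below are constructed samples.
BROAD_PRINCIPALS = {"anonymous", "all_authenticated_users"}


def plan_acl_migration(old_rules, departed_identity):
    """Return (to_create, needs_review) rule documents for the new share."""
    to_create, needs_review = [], []
    for rule in old_rules:
        # Rules carrying a role_id are implied by a role assignment; they are
        # managed through roles, so they are not recreated as access rules.
        if rule.get("role_id"):
            continue
        # Do not carry the departed owner's own grants over to the new share.
        if rule["principal_type"] == "identity" and rule["principal"] == departed_identity:
            continue
        new_rule = {  # the server-assigned "id" is deliberately not copied
            "DATA_TYPE": "access",
            "principal_type": rule["principal_type"],
            "principal": rule["principal"],
            "path": rule["path"],
            "permissions": rule["permissions"],
        }
        # Public and all-users grants are held back until a person confirms them.
        if rule["principal_type"] in BROAD_PRINCIPALS:
            needs_review.append(new_rule)
        else:
            to_create.append(new_rule)
    return to_create, needs_review


# Constructed sample access list from the old share (UUIDs are made up).
DEPARTED = "11111111-1111-1111-1111-111111111111"
MEMBER = "22222222-2222-2222-2222-222222222222"
OLD_RULES = [
    {"id": "a1", "role_id": None, "principal_type": "identity", "principal": DEPARTED, "path": "/", "permissions": "rw"},
    {"id": "a2", "role_id": "r9", "principal_type": "identity", "principal": MEMBER, "path": "/", "permissions": "rw"},
    {"id": "a3", "role_id": None, "principal_type": "group", "principal": "33333333-3333-3333-3333-333333333333", "path": "/data/", "permissions": "r"},
    {"id": "a4", "role_id": None, "principal_type": "identity", "principal": MEMBER, "path": "/data/raw/", "permissions": "rw"},
    {"id": "a5", "role_id": None, "principal_type": "all_authenticated_users", "principal": "", "path": "/public/", "permissions": "r"},
]
```

With the Globus Python SDK, the input corresponds to the documents returned by `TransferClient.endpoint_acl_list` and each planned rule to one `TransferClient.add_endpoint_acl_rule` call made with the service account's credentials.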
