Data Sharing with Globus
Overview
Globus is a file transfer service that provides reliable data transfer between workstations, HPC (High-Performance Computing) servers, data repositories, user devices, and endpoints. Endpoints are data storage systems with Globus software installed. An endpoint can be an institutionally managed DTN (Data Transfer Node), a laptop or desktop, a cloud service, or Google Drive. Globus also enables data sharing with external institutions.
With Globus, users can share data directly from any of the types of endpoints listed above. Once configured, you can select directory paths to be securely shared with offsite collaborators and grant them read-only or read-write access. In addition, Globus lets you share your data without requiring temporary accounts for your collaborators on the system where the data resides. These sharing features require a Globus Plus subscription, which is made available as a resource to all UTK users at no additional charge.
Why Use Globus to Share Data?
- Enhance collaboration with other researchers without requiring them to have accounts on your system.
- Save money and improve security by avoiding duplicating your (potentially sensitive) data on cloud storage.
- Save time by letting Globus optimize and monitor transfers between collaborators’ systems—using fast research networks when available.
Key Data Sharing Features:
- Shared endpoint creation requires user authentication; it cannot be completely automated, and the endpoint must be a managed endpoint.
- Roles for management of the endpoint and its tasks can be granted to other users, groups, or applications.
- The access manager role grants others the right to manage permissions; it can be granted to users, groups, and applications.
- Permissions are set per folder on a shared endpoint and can apply to any folder within the shared endpoint.
Sharing Policies
Shareable collections are designated as read-only or read-write when they are created. Guest collections created on a shareable collection will inherit these restrictions. Access to the guest collection will prompt for the credentials of the guest user, but access to the underlying files will be performed using the credentials of the user who created the guest collection. In this way, a guest collection allows non-UTK users to simulate having access to your account, but only for the purposes of access to a specific directory through Globus.
Getting Started
All users of university information technology data, technology, and user certificates, whether individuals or entities affiliated with the university, are responsible for and must comply with all applicable university administrative policies and procedures, as well as state and federal laws, rules, and regulations. These policies include information security, data privacy, commercial use, and not jeopardizing the availability, integrity, confidentiality, and security of data, technology, and user credentials.
To share data, users must create a guest collection and grant their collaborators access, as described in the instructions below. Users can designate other Globus users as “access managers” for the guest collection, allowing them to grant or revoke access privileges for other Globus users.
Important Note
A project PI (Principal Investigator) must submit a help ticket to request Globus sharing for a subdirectory of their project directory.
Sensitive data cannot be transferred on Globus without a subscription. The subscription allows the use of Globus with data that requires additional protection, including Personally Identifiable Information (PII), Protected Health Information (PHI), and Controlled Unclassified Information (CUI). Subscribers may identify storage systems with sensitive data that require higher levels of assurance, and Globus will ensure that stricter access policies are enforced as required by the institution. Access to protected data endpoints may require a user to authenticate within a session using an identity from a specific identity provider. Institutions define the identity required and the length of time before the user is asked to re-authenticate. Globus enforces institutional policy to ensure that correct and valid credentials are presented. Because data sharing undermines the additional protections provided for sensitive data, HPSC staff will not enable sharing on any of the sensitive data collections it manages, including all collections associated with the Secure Enclave. If you need to grant an external collaborator access to a sensitive data collection, the external user will need a sponsored NetID. The responsible PI will need to request to sponsor a person for OIT services.
We also recommend following the Globus documentation “How to Share Data using Globus”.
Guidelines
The following is guidance on how to share data using a Globus account.
First, log into Globus using your existing organizational login.
Second, there are two ways to create a guest collection:
- In the file manager, click on the checkbox next to the folder you want to share, and click on ‘share’.
- On the left, click on the tab ‘collections’, search for your collection and click on it, and click ‘create a guest collection’ under the subtab ‘Collections’.
With both methods, you will arrive at the page ‘Create New Guest Collection’.
Once you have created your guest collection, you will be transported to a page to set permissions.
To add new permissions, click ‘Add Permissions – Share With’. A form for the new permission will open.
Then, you will need to select the path within your guest collection to which the permission applies. If you leave this empty, the permission will apply from the root of your guest collection.
In addition, you will need to select the user or group that gets access.
If you want to give access to a user, you can either provide a username (if the user has already used Globus) or an e-mail address. Other options are:
- Giving access to all users with a Globus login
- Giving public (anonymous) access
Note that if you give access to a group, you get a search bar to search for publicly available groups. You do not need to be a member of a group to share data with them.
Lastly, you should choose whether you want to give read or write access.
If you give user-level permissions, Globus will by default inform the user via mail about their new permissions. You can leave this setting on, optionally adding a message or switching it off.
Once you have created permission, it will appear in your guest collection’s ‘permissions’ overview.
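The permission form above (path, principal, read or read-write, optional notification) and the inheritance rule from the Sharing Policies section can be checked programmatically. The following is an added example, not code from the page or from Globus: it builds the access-rule document a client would submit for a guest collection and audits a list of such rules for grants that widen access more than a PI usually intends. The document field names follow the Globus Transfer API access documents as the author understands them, and all principals and paths are constructed sample values.

```python
"""Build and audit access rules for a Globus guest collection (added example)."""

# Principal kinds that match the four choices on the 'Share With' form:
# a single user, a group, every Globus login, or public (anonymous) access.
PRINCIPAL_TYPES = {"identity", "group", "all_authenticated_users", "anonymous"}


def make_access_rule(principal_type, principal, permissions, path="", notify_email=None):
    """Return one access-rule document (assumed Transfer API shape).

    An empty path means the rule applies from the root of the guest collection,
    exactly as when the path field on the form is left empty.
    """
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type {principal_type!r}")
    if permissions not in ("r", "rw"):
        raise ValueError("permissions must be 'r' (read) or 'rw' (read-write)")
    rule = {
        "DATA_TYPE": "access",
        "principal_type": principal_type,
        # Only identity and group rules name a specific principal (a constructed
        # sample id here); the two broad kinds carry an empty principal.
        "principal": principal if principal_type in ("identity", "group") else "",
        "path": path or "/",
        "permissions": permissions,
    }
    if notify_email:  # the form's optional e-mail notification for user-level grants
        rule["notify_email"] = notify_email
    return rule


def audit_rules(rules, collection_read_only):
    """Flag broad or policy-violating grants in a guest collection's rule list.

    collection_read_only reflects the shareable collection the guest collection
    was created on; guest collections inherit that restriction (Sharing Policies).
    """
    findings = []
    for r in rules:
        where = r["path"]
        if r["principal_type"] == "anonymous":
            findings.append(f"public (anonymous) access at {where}")
        if r["principal_type"] == "all_authenticated_users":
            findings.append(f"every Globus login gets '{r['permissions']}' at {where}")
        if r["permissions"] == "rw" and collection_read_only:
            findings.append(f"read-write grant at {where} on a read-only collection")
    return findings
```

Run the audit against the rules exported from your guest collection's ‘permissions’ overview before handing the collection to an access manager.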
You can also allow other users to manage your guest collection by assigning them a role. To do so, go to the ‘roles’ subtab and click on ‘Assign New Role’.
On this page, choose a role, and the user/group to assign the role.
There are four roles for guest collections:
- Administrator: can assign roles to others and modify or delete the guest collection. If you create a guest collection, you are the administrator by default.
- Access manager: can create new permissions on the endpoint (from the root down).
- Activity manager: can view and control tasks involving the guest collection.
- Activity monitor: can view tasks involving the guest collection.
Your collaborators receive an email with a link to the shared directory paths and can then use Globus to transfer data from/to your storage system directly without taking a detour through a third-party cloud storage provider.