- Always use SSL. Tapis services will force SSL if you don't specify it, but it's best to protect your application with SSL as a best practice.
- Use restricted SSH keys whenever possible.
- Open SSH keys are not supported.
- Use SSH keys rather than passwords whenever possible.
- Use a MyProxy Gateway service whenever available rather than a stock MyProxy service to avoid password exposure.
- Always configure a default storage system for your organization. This provides tremendous benefit to users who don't want to think about the makeup of your infrastructure.
- Use contextual naming for systems.
nryan-vm-sftp-prodis favorable to
my-vm. DNS is also a good approach to naming, but you will still need to contextualize it with something like a username since multiple users may want to register the same system.
- Grant the minimum sufficient role for a user that enables them to do what you want them to do. Don't grant a PUBLISHER role when a GUEST role will suffice. Don't grant an ADMIN role when a USER role will get the job done.
- Always explicitly specify a
scratchDirfor your execution systems. This will allow you easily see where your job data will go and avoids systems where your home directory has a smaller quota than other areas of your system.
- Always favor the full canonical URL over assuming default systems. Default systems may change on a user-to-user basis, but canonical URLs will always be the same.
- Error on the side of privacy by granting permissions to single users and groups over making data public.
- Avoid over-sharing by granting permissions on specific files or minimum subtrees rather than sharing entire home folders.
- Always limit the lifetime of a postit by specifying either the maximum number of uses or an expiration date. This will prevent people from accessing resources long after you intended for them to do so.