It comes down to trust, right? There are some questions to answer:

1) Do you know who bob is?
2) Do you trust bob?

And for 2, what exactly do you trust bob to do? If you gave bob
access to the globus user's account, would he do something he
shouldn't do? This gets harder when you also want to add alice. Do
you trust bob and alice to both use the account how they're supposed
to, and not to interfere with each other?

Many people find the answer to "do I trust bob to use a shared
account" to be no. For this reason, most sites will only map bob's
DN to an account that bob already owns. Other people decide that
it's okay for bob not to have an account of his own, and there are
various technical solutions to the problem.

One solution to the problem is to create a pool of anonymous
accounts, and map incoming DNs you trust to the random pool. Another
solution might be to start each new job inside a virtual machine
sandbox to isolate it from other users and the real system underneath.

So the answer is that you can do with the tools whatever makes you
comfortable as a system owner. :-)
Charles
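
Added example, not part of the original message: a small audit of a DN-to-account map that reports local accounts shared by more than one DN, which is the shared-account situation described above. It assumes the Globus grid-mapfile layout (a quoted DN followed by a local account name) and the convention that a leading dot marks a pool mapping; the sample entries and the names parse_gridmap and audit are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in grid-mapfile layout: "<certificate DN>" <local account>
# Assumption: an account name starting with "." denotes a pool of accounts.
SAMPLE_GRIDMAP = '''\
# constructed example entries, not from any real site
"/O=Grid/OU=example.org/CN=Bob Example" bob
"/O=Grid/OU=example.org/CN=Alice Example" globus
"/O=Grid/OU=example.org/CN=Carol Example" globus
"/O=Grid/OU=example.org/CN=Dave Example" .pool
'''

ENTRY = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')

def parse_gridmap(text):
    """Return (dn, [local accounts]) pairs; raise on lines that do not parse."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            # Fail closed: a malformed mapping should be reviewed, not skipped.
            raise ValueError(f"line {lineno}: unparseable entry: {line!r}")
        entries.append((m["dn"], m["accounts"].split(",")))
    return entries

def audit(text):
    """Group DNs by local account; split shared accounts from pool mappings."""
    by_account = defaultdict(list)
    for dn, accounts in parse_gridmap(text):
        for account in accounts:
            by_account[account].append(dn)
    shared = {a: dns for a, dns in by_account.items()
              if len(dns) > 1 and not a.startswith(".")}
    pooled = {a: dns for a, dns in by_account.items() if a.startswith(".")}
    return shared, pooled

if __name__ == "__main__":
    shared, pooled = audit(SAMPLE_GRIDMAP)
    for account, dns in shared.items():
        print(f"SHARED {account}: {len(dns)} DNs -> {dns}")
    for account, dns in pooled.items():
        print(f"POOL   {account}: {dns}")
```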