galaxyproject · nsoranzo · Jul 4, 2022 · Jul 1, 2022 · Jul 1, 2022 · Jul 1, 2022
diff --git a/doc/source/admin/production.md b/doc/source/admin/production.md
@@ -152,6 +152,26 @@ To get started with setting up local data, please see [Data Integration](https:/
 
 File sizes have grown very large thanks to rapidly advancing sequencer technology, and it is not always practical to upload these files through the browser. Thankfully, a simple solution is to allow Galaxy users to upload them via FTP and import those files in to their histories. Configuration for FTP is explained on the [File Upload via FTP](special_topics/ftp.md) page.
 
+### Protect Galaxy against data loss due to misbehaving tools
+
+Tools have access to the paths of input and output data sets which are stored in
+``file_path`` and by default the credentials used for running tools are the same
+as for running Galaxy. Thus its possible that tools modify data in Galaxy's
+``file_path``. Examples for such changes are:
+
+- Addition of additional files, e.g. indices, which is a problem for cleaning up data, because Galaxy does not know about these files.
+- Removal of input or output files of the tools. This will create problems with other tools using these data sets (note that most tool repositories use CI tests to to avoid this, but the problem may still occur).
+
+Note that the tool only knows the paths to inputs and outputs, but if using the default configuration for other paths (e.g. configuration directory) also these paths are easily accessible.
+
+There are three approaches to protect Galaxy against this:
+
+- Use different credentials for running tools. This can be configured using the ``real_system_username`` config variable.
+- Configure Galaxy to run jobs in a container and enable ``outputs_to_working_directory``. Then the tool will in an environment that allows write access only for the job working dir. All other paths will be accessible read only. 
+- Use pulsar to stage inputs and outputs
+
+For both more information can be found in the [job configuration](jobs.md) documentatiion and see also [using a compute cluster](cluster.md).
-For both more information can be found in the [job configuration](jobs.md) documentatiion and see also [using a compute cluster](cluster.md).
+More information on pulsar configuration can be found in the [job configuration](jobs.md) documentation, and the other two are explained in [using a compute cluster](cluster.md).
-For both more information can be found in the [job configuration](jobs.md) documentatiion and see also [using a compute cluster](cluster.md).
+More information on pulsar configuration can be found in the [job configuration](jobs.md) documentation, and the other two are explained in [using a compute cluster](cluster.md).
+
 ## Advanced configuration
 
 ### Load balancing and web application scaling