diff --git a/README.md b/README.md index 20ba410..6ac2bdb 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ This ansible role installs and configures [Open OnDemand](https://openondemand.o - [ood_apps](#ood_apps) - [Open ID Connect](#open-id-connect) - [Install Dex](#install-dex) + - [OnDemand.d Configurations](#ondemandd-configurations) - [Contributing](#contributing) ## Version compatibility 
@@ -294,6 +295,51 @@ See [auth\_openidc](https://github.com/zmartzone/mod_auth_openidc) for more info To install dex for OIDC use set the flag `install_ondemand_dex` to true and it will install the package. +### OnDemand.d Configurations + +In the 4.0 release of this role, configurations for `ondemand.d` files was changed. +While this role will continue to support the old way of specifing each +variable and writing them all out to a single `ondemand.d/ondemand.yml` file, +users should begin to migrate to the new way to write these files. + +4.0 introduced `ood_ondemand_d_configs` which will in turn write out as many files +as you've provided. + +Each configuration at a minimum needs `content` which will be the content of +the file that's begin written. It can additionally accept ``group`` and ``mode`` +to set the file's group ownership and file access mode. These files are always +owned by the ``root`` user. + +In this example, we're writing out two files, ``motd.yml`` and ``globus.yml``. +These filenames are given by the top level keys under ``ood_ondemand_d_configs``. + +``content`` specifies the content of the file that's going to be written out. +This should be in YAML and will be written out in YAML. + +In this configuration ``motd.yml`` will be written out with ``644 root:root`` +permissions. ``globus.yml`` on the other hand will be written out with +``640 root:specialusers`` permissions so it'll only be available for certain +users. + +```yaml +ood_ondemand_d_configs: + motd: + content: + motd_render_html: true + globus: + content: + globus_endpoints: + - path: "<%= CurrentUser.home %>" + endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + + - path: "/project" + endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + group: specialusers + mode: 640 +``` + ## Contributing If you run into an issue or have a feature request or fixed some issue, let us know! PRs welcome! Even if you 
diff --git a/molecule/default/fixtures/ondemand.d/globus.yml b/molecule/default/fixtures/ondemand.d/globus.yml new file mode 100644 index 0000000..8ededae --- /dev/null +++ b/molecule/default/fixtures/ondemand.d/globus.yml @@ -0,0 +1,7 @@ +globus_endpoints: +- endpoint: 716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx + endpoint_path: / + path: <%= CurrentUser.home %> +- endpoint: 9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx + endpoint_path: / + path: /project diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index a537994..e5f8ea3 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -15,3 +15,8 @@ - ca-certificates - systemd - git + + - name: Create secondary group + ansible.builtin.group: + name: specialusers + state: present diff --git a/molecule/default/tasks/verify_custom.yml b/molecule/default/tasks/verify_custom.yml index 982c2f5..12ec90a 100644 --- a/molecule/default/tasks/verify_custom.yml +++ b/molecule/default/tasks/verify_custom.yml @@ -12,6 +12,7 @@ - { src: "fixtures/config/auth_openidc.conf", dest: "auth_openidc.conf" } - { src: "fixtures/ondemand.d/ondemand_custom.yml", dest: "ondemand.yml" } - { src: "fixtures/ondemand.d/motd.yml", dest: "motd.yml" } + - { src: "fixtures/ondemand.d/globus.yml", dest: "globus.yml" } - name: Verify config files ansible.builtin.command: "diff /tmp/{{ item.left }} {{ item.right }}" @@ -25,6 +26,7 @@ - { left: "auth_openidc.conf", right: "{{ apache_conf_dir }}/auth_openidc.conf" } - { left: "ondemand.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/ondemand.yml" } - { left: "motd.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/motd.yml" } + - { left: "globus.yml", right: "{{ ood_base_conf_dir }}/ondemand.d/globus.yml" } changed_when: false - name: Verify sys/jupyter was installed correctly 
@@ -41,4 +43,25 @@ dest: '/var/www/ood/apps/dev/customdir' clone: no update: no - version: v1.0.1 \ No newline at end of file + version: v1.0.1 + +- name: Get globus.yml file stats. + stat: + path: /etc/ood/config/ondemand.d/globus.yml + register: globus_perms + +- debug: var=globus_perms + +- name: Assert that globus.yml has correct permissions + assert: + that: + - "globus_perms.stat.mode == '0640'" + success_msg: 'globus.yml has correct permissions.' + fail_msg: "globus.yml permissions are {{ globus_perms.stat.mode }} when they should be '0640'" + +- name: Assert that globus.yml has correct group ownership + assert: + that: + - "globus_perms.stat.gr_name == 'specialusers'" + success_msg: 'globus.yml has correct group ownership.' + fail_msg: "globus.yml group ownership is {{ globus_perms.stat.gr_name }} when they should be 'specialusers'" diff --git a/molecule/default/vars/ondemand.yml b/molecule/default/vars/ondemand.yml index 68a715b..627e0d1 100644 --- a/molecule/default/vars/ondemand.yml +++ b/molecule/default/vars/ondemand.yml @@ -71,3 +71,15 @@ ood_ondemand_d_configs: motd: content: motd_render_html: true + globus: + content: + globus_endpoints: + - path: "<%= CurrentUser.home %>" + endpoint: "716de4ac-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + + - path: "/project" + endpoint: "9f1fe759-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + endpoint_path: "/" + group: specialusers + mode: 640
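Review bot: The new checks on globus.yml assert mode and group but never the owner, although the README text added in this commit says these files are always owned by root. For a group-restricted 0640 file the owner is part of the access boundary, so add `- "globus_perms.stat.pw_name == 'root'"` to one of the `that:` lists. The stat task also hard-codes `/etc/ood/config/ondemand.d/globus.yml`, while the diff check earlier in this file uses `{{ ood_base_conf_dir }}/ondemand.d/globus.yml`; using the variable keeps both checks on the same file. As a style point, the `debug` task is unnamed and uses the `var=` key=value form, and `stat`/`debug`/`assert` are short names where the file otherwise uses `ansible.builtin.*`.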
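Review bot: `mode: 640` in the new `globus` entry is a bare YAML integer, so it loads as decimal 640. If that number reaches an Ansible file-mode parameter unconverted it is read as octal 1200: sticky bit set, owner write-only, no group read. The task that consumes `ood_ondemand_d_configs` is not in the visible hunks, so whether the value is stringified first cannot be confirmed from here, though the `'0640'` assertion in verify_custom.yml suggests it currently is. Writing `mode: "0640"` here and in the README example removes the dependence on that conversion, since users will copy the README form.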