OneFS user mapping
When OneFS authenticates a user, it generates an access token and triggers the user-mapping service on the cluster. The user-mapping service combines access tokens from different directory services into a single, final access token. By default, OneFS automatically maps user accounts with the exact same name from different directory services. For example, the user-mapping service maps a user DEMO\janed from Microsoft Active Directory to a user janed from LDAP and generates an access token that combines the user and group membership information from the two accounts.
A OneFS administrator can also define their own user-mapping rules to control the user-mapping behavior. It is important to know the following information when creating user-mapping rules:
There are five operations involved when creating user-mapping rules:
For details on configuring user-mapping rules, refer to the PowerScale OneFS Web Administration Guide.
The example in Figure 36 shows the result after joining two users together. In this example, user01 from PowerScale local is joined with demo\janed from Active Directory.
The next example, in Figure 37, assumes a directory that does not allow user01 to access it but allows demo\janed to read it.
Because a user-mapping rule joins the two users, checking the permissions of user01 on the directory with the isi command shows that user01 can also read the directory (see Figure 38). The command result evaluates only the ACL permissions and does not involve the share-level permissions.
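The join scenario above can be reproduced with a small model. This is an added example, not OneFS code or output: the group names, the allow-only ACL, and the symmetric treatment of the join rule are assumptions made for illustration. The helper `access_via_join_only` shows the audit question an administrator would ask before adding a join rule: which rights does an account hold only because of the mapping.

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    primary: str                                   # account that authenticated
    identities: set = field(default_factory=set)   # users and groups in the final token

# Constructed directory data: account -> group memberships in its own provider.
DIRECTORY = {
    "user01": {"local\\users"},                # PowerScale local provider (group name assumed)
    "demo\\janed": {"demo\\domain users"},     # Active Directory (group name assumed)
}

# Constructed join rule; modelled as symmetric (assumption of this sketch).
JOIN_RULES = [("user01", "demo\\janed")]

# Constructed ACL for the directory: allow entries only, no entry means no access.
ACL = [("demo\\janed", {"read"})]

def build_token(user, join_rules=JOIN_RULES):
    """Combine the user's identities with those of every account joined to it."""
    accounts = {user}
    for a, b in join_rules:
        if user in (a, b):
            accounts |= {a, b}
    identities = set()
    for account in accounts:
        identities |= {account} | DIRECTORY.get(account, set())
    return Token(user, identities)

def allowed(token, acl):
    """Union of rights granted to any identity in the token (ACL only, no share level)."""
    rights = set()
    for trustee, perms in acl:
        if trustee in token.identities:
            rights |= perms
    return rights

def access_via_join_only(user, acl, join_rules=JOIN_RULES):
    """Rights the user would lose if the join rules were removed."""
    with_rules = allowed(build_token(user, join_rules), acl)
    without_rules = allowed(build_token(user, []), acl)
    return with_rules - without_rules

if __name__ == "__main__":
    for name in DIRECTORY:
        print(name, sorted(allowed(build_token(name), ACL)),
              "via join only:", sorted(access_via_join_only(name, ACL)))
```

In this model user01 has no rights on the directory without the rule and gains read with it, which is the widening of access a join rule introduces and the reason to review existing ACLs for both accounts before joining them.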