Home > Storage > PowerScale (Isilon) > Product Documentation > Management and Migration > PowerScale OneFS Authentication, Identity Management, and Authorization > Access checks with tokens and file permissions
When a user tries to access a file, OneFS compares the identities in the user’s access token with the file permissions. If the file permission contains an allow Access Control Entry (ACE) for the identity and does not contain a deny ACE for the identity, OneFS grants access to the identity. As an example, the token and a file permission are displayed here:
isi auth mapping token --user=MAINE-UNO\jsmith
User
Name : MAINE-UNO\jsmith
UID : 1000000
SID : S-1-5-21-3542649673-1571749849-686233814-1117
On Disk : S-1-5-21-3542649673-1571749849-686233814-1117
ZID: 1
Zone: System
Privileges: -
Primary Group
Name : MAINE-UNO\domain users
GID : 1000000
SID : SID:S-1-5-21-3542649673-1571749849-686233814-513
Supplemental Identities
Name : MAINE-UNO\marketing
GID : 1000001
SID : SID:S-1-5-21-3542649673-1571749849-686233814-1109
Name : Users
GID : 1545
SID : S-1-5-32-545
------------------
Here is the file permission for a file on the cluster:
-rwxr--r-- + 1 MAINE-UNO\jsmith MAINE-UNO\marketing 2056 Feb 2 10:18
adocs.txt
OWNER: user:MAINE-UNO\jsmith
GROUP: group:MAINE-UNO\marketing
0: user:MAINE-UNO\jsmith allow
file_gen_read,file_gen_write,file_gen_execute,std_write_dac
1: group:MAINE-UNO\marketing allow file_gen_read
2: everyone allow file_gen_read
The following items 1 through 4 refer to the labels in the preceding examples: