SID history
OneFS 8.0.1 introduced support for SID history. SID history is an Active Directory attribute that maintains a history of previous SID values if an object is moved from another domain. SIDs are prefixed with a unique domain identifier. If users and groups are migrated from one Active Directory domain to another domain, each migrated object will have a new SID with a domain identifier of the new domain. When users migrated to the new domain attempt to access older files, access would be denied because the access check would present the new SID, while the files still carry the old one. SID history retains the old SIDs, allowing them to be used for access checks.
Note: Historical SIDs cannot be used to add users to new groups or roles. Modify users or add them to a role or group only through the current object SID as defined by the domain.
Before OneFS 8.0.1, historical SIDs were not included in the access token because they were not recognized. In OneFS 8.0.1 and later versions, information from the Active Directory PAC is no longer discarded. For LDAP, OneFS queries the SIDHistory field to add the historical SIDs. If OneFS has a historical SID, then an RPC lookup is performed to find the current SID. Next, another RPC lookup is performed for SID-to-name resolution.
Historical SIDs may be viewed with the following commands:
isi auth users view <user>
isi auth groups view <group>
isi auth mapping token <user>
From an administrative perspective, additional configuration is not required. The SID history attribute is now recognized. Files that have historical SIDs can now be accessed by users with those historical SIDs. The previous domain users still have access to the file because the historical SIDs are left on disk.
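The effect of SID history on an access check can be sketched as follows. This is an added, simplified model and not OneFS code; the SIDs, the ACL, and all function names are constructed for illustration.

```python
# Simplified model of an access check with and without SID history.
# All SIDs, names and the ACL below are constructed sample values.
from dataclasses import dataclass, field

def split_sid(sid: str) -> tuple[str, int]:
    """Split a SID into its domain identifier and RID (last sub-authority)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

@dataclass
class Token:
    primary_sid: str                                   # current object SID
    historical_sids: list[str] = field(default_factory=list)

    def sids(self) -> set[str]:
        return {self.primary_sid, *self.historical_sids}

def build_token(user: dict, honor_sid_history: bool) -> Token:
    """honor_sid_history=False models dropping historical SIDs from the token."""
    history = user.get("sid_history", []) if honor_sid_history else []
    return Token(user["sid"], list(history))

def access_allowed(token: Token, acl_sids: set[str]) -> bool:
    """Allow if any SID in the token appears in the file's ACL."""
    return bool(token.sids() & acl_sids)

def can_add_to_group(token: Token, sid: str) -> bool:
    """Group and role membership is managed by the current SID only."""
    return sid == token.primary_sid

OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
migrated_user = {"sid": f"{NEW_DOMAIN}-2101", "sid_history": [f"{OLD_DOMAIN}-1105"]}
file_acl = {f"{OLD_DOMAIN}-1105"}          # written before the migration

if __name__ == "__main__":
    for honor in (False, True):
        tok = build_token(migrated_user, honor)
        print(f"honor_sid_history={honor}: allowed={access_allowed(tok, file_acl)}")
```

Because the ACL on disk is never rewritten, a token that carries only the old-domain SID still matches it, which is why users remaining in the previous domain keep their access.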