Denying access with the default UNIX user parameter
This scenario shows you how to deny access to a cluster if a user does not have an account in both Active Directory and NIS. The scenario includes two rules. The first rule replaces the primary group GID of an Active Directory user with the GID of the corresponding UNIX user in NIS. The second rule maps a user who does not have an account in NIS to a nonexistent user, thereby denying access to the cluster.
Here is how to add the first rule:
isi zone zones modify System --add-user-mapping-rules='*\* += * [group]'
After you set this rule, when a user connects to the cluster with an Active Directory account, OneFS looks up the user in NIS. When OneFS finds the user, it replaces the user’s primary group GID from Active Directory with the GID of the UNIX user from NIS. By default, OneFS has already mapped the AD user account to its matching NIS user account.
Here is how to add the second rule. (When you set the rule from the command-line interface, the rule should appear on a single line.)
isi zone zones modify System --user-mapping-rules='<default_unix_user=this-user-does-not-exist>'
This rule uses the default UNIX user parameter to map any user who lacks both a matching UNIX user account and a primary group to a nonexistent user with the following name:
this-user-does-not-exist
With such a rule in place, if a user does not exist in NIS, OneFS looks up the default_unix_user to obtain its GID. Since the default_unix_user maps to a nonexistent user, an attempt to look up the user fails, and as a result authentication also fails. The rule guarantees that primary UID and primary GID assignment either works correctly across both Active Directory and NIS or fails entirely.
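The following is an added example, not OneFS code, that models the decision the two rules above produce for a single Active Directory logon; the AD and NIS directories, the SIDs, UIDs and GIDs are constructed sample data, and only the name this-user-does-not-exist comes from the page.

```python
from dataclasses import dataclass

# Constructed sample directories (not real data).
# Active Directory: user name -> SID (AD supplies no UNIX UID/GID here).
AD_USERS = {"jsmith": "S-1-5-21-1-2-3-1105", "contractor": "S-1-5-21-1-2-3-1106"}
# NIS: user name -> (UID, primary GID).
NIS_USERS = {"jsmith": (1001, 100)}
# Value taken from the page's second rule.
DEFAULT_UNIX_USER = "this-user-does-not-exist"


@dataclass
class Token:
    user: str
    uid: int
    gid: int


def map_identity(ad_user: str) -> Token:
    """Model the two rules on this page for one AD logon.

    Rule 1 ('*\\* += * [group]'): if a NIS user of the same name exists,
    the token takes its UID (default mapping) and its primary GID.
    Rule 2 ('<default_unix_user=this-user-does-not-exist>'): if no NIS user
    was found, the default UNIX user is looked up for a UID/GID; that user
    does not exist, so the lookup fails and so does authentication.
    """
    if ad_user not in AD_USERS:
        raise PermissionError(f"{ad_user}: unknown Active Directory user")
    nis = NIS_USERS.get(ad_user)
    if nis is not None:                   # rule 1: both providers know the user
        return Token(ad_user, uid=nis[0], gid=nis[1])
    fallback = NIS_USERS.get(DEFAULT_UNIX_USER)   # rule 2: default_unix_user
    if fallback is None:
        raise PermissionError(
            f"{ad_user}: no NIS account, and default UNIX user "
            f"'{DEFAULT_UNIX_USER}' cannot be resolved; access denied")
    return Token(ad_user, uid=fallback[0], gid=fallback[1])


def access_decision(ad_user: str) -> str:
    """Return 'allow <uid>:<gid>' or 'deny' for a logon attempt."""
    try:
        tok = map_identity(ad_user)
    except PermissionError:
        return "deny"
    return f"allow {tok.uid}:{tok.gid}"


if __name__ == "__main__":
    for name in ("jsmith", "contractor"):
        print(name, "->", access_decision(name))
```

Running it shows jsmith allowed with the NIS UID and GID and contractor denied, which is the all-or-nothing outcome the page describes.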