After OneFS applies user mapping rules, it transforms the list of identities into a final access token. OneFS creates the final access token in the following sequence:
- OneFS combines identities by processing the user mapping rules. It selects the first identity in the list as the primary identity and adds the identifiers carried by the remaining identities to that primary identity's list of additional IDs. If no rules are configured, OneFS combines identities by applying its default rules.
- After OneFS processes the rules and combines the identities, it checks whether the default UNIX user parameter is set. If the parameter is set and the token does not include a primary UID and GID yet, OneFS assigns to the token the primary UID and GID of the default UNIX user.
- OneFS generates any UID or GID that is still missing: if the primary user has no UID, or the primary group has no GID, OneFS generates one.
- OneFS selects the identity to store as the on-disk identity.
The final access token conforms to the following conditions:
- The token contains no duplicate identifiers. For instance, a primary identifier may not also appear in the list of additional identifiers.
- Although the list of additional identifiers may be empty, all the primary identifiers must exist.
OneFS uses the primary identifiers when it creates file system objects like directories and files. The permissions of files and directories may include UIDs and GIDs as well as SIDs. The on-disk identity determines which identifiers to include in permissions for directories and files. To control access to a file, OneFS compares all the identifiers in a token to a file’s ACL and POSIX mode bits.
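The sequence above and the access check in the last paragraph, as an added Python model; this is an illustration written for this page, not OneFS code or Dell documentation. The identity records, the tagged encoding of identifiers as ("uid", n), ("gid", n) and ("sid", s), the generated-ID range starting at 1000000, the caller-chosen on-disk identity, the reading of the default UNIX user step as filling whichever of the primary UID or GID is missing, and the Windows-style in-order ACL evaluation are all assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Added model of the OneFS token-generation sequence and access check described
# above. Illustration only, not OneFS code: identity records, ID range and ACL
# evaluation rules are assumptions.

R, W, X = 4, 2, 1   # permission bits, same layout as POSIX mode bits


def UID(n): return ("uid", n)   # tagged identifiers keep UID/GID/SID spaces apart
def GID(n): return ("gid", n)
def SID(s): return ("sid", s)


@dataclass(frozen=True)
class Identity:
    """One identity produced by mapping (e.g. an AD user or a local UNIX user)."""
    name: str
    uid: Optional[int] = None
    gid: Optional[int] = None
    sid: Optional[str] = None
    groups: tuple = ()            # extra group identifiers, tagged with GID()/SID()


@dataclass(frozen=True)
class Token:
    primary_uid: int
    primary_gid: int
    primary_sid: Optional[str]    # None when no SID is known for the user
    additional: frozenset         # every non-primary identifier
    on_disk: str                  # "unix": store UID/GID on disk, "sid": store SID

    def primaries(self):
        ids = {UID(self.primary_uid), GID(self.primary_gid)}
        if self.primary_sid is not None:
            ids.add(SID(self.primary_sid))
        return ids

    def identifiers(self):
        """Everything compared against a file's ACL and mode bits."""
        return self.primaries() | self.additional


def _own_ids(ident):
    """Tagged identifiers an Identity carries, skipping unset fields."""
    ids = set(ident.groups)
    if ident.uid is not None: ids.add(UID(ident.uid))
    if ident.gid is not None: ids.add(GID(ident.gid))
    if ident.sid is not None: ids.add(SID(ident.sid))
    return ids


def build_token(identities, default_unix_user=None, on_disk="unix", generated_ids=None):
    if not identities:
        raise ValueError("user mapping produced no identities")
    if generated_ids is None:
        # Assumption: generated IDs come from an arbitrary high range; OneFS uses
        # its own configurable range, which this page does not specify.
        generated_ids = count(1_000_000)
    primary, rest = identities[0], identities[1:]
    uid, gid, sid = primary.uid, primary.gid, primary.sid
    # Step 1: first identity is primary; everything the others carry is additional.
    additional = set(primary.groups)
    for ident in rest:
        additional |= _own_ids(ident)
    # Step 2: default UNIX user fills a missing primary UID/GID (assumption: each
    # missing value is filled independently).
    if default_unix_user is not None:
        uid = default_unix_user.uid if uid is None else uid
        gid = default_unix_user.gid if gid is None else gid
    # Step 3: anything still missing is generated.
    if uid is None: uid = next(generated_ids)
    if gid is None: gid = next(generated_ids)
    # Step 4: on-disk identity, chosen by the caller here (assumption).
    primaries = {UID(uid), GID(gid)} | ({SID(sid)} if sid is not None else set())
    # Conditions: all primaries exist, and no primary repeats in the additional list.
    return Token(uid, gid, sid, frozenset(additional - primaries), on_disk)


def stored_owner(token):
    """Identifier written as owner of a new object, chosen by the on-disk identity."""
    if token.on_disk == "sid" and token.primary_sid is not None:
        return SID(token.primary_sid)
    return UID(token.primary_uid)


@dataclass(frozen=True)
class File:
    owner: tuple                  # tagged identifier stored on disk
    group: tuple
    mode: int                     # POSIX mode bits, e.g. 0o640
    acl: tuple = ()               # ACEs as (identifier, "allow" | "deny", bits)


def check_access(token, f, want):
    """Decide access using every identifier in the token. Assumption: an ACL, if
    present, is walked in order (a matching deny of a not-yet-granted right
    fails the request); otherwise the POSIX mode bits apply."""
    ids = token.identifiers()
    if f.acl:
        granted = 0
        for who, kind, bits in f.acl:
            if who not in ids:
                continue
            if kind == "deny" and bits & want & ~granted:
                return False
            if kind == "allow":
                granted |= bits
            if granted & want == want:
                return True
        return False
    if f.owner in ids:
        cls = (f.mode >> 6) & 7
    elif f.group in ids:
        cls = (f.mode >> 3) & 7
    else:
        cls = f.mode & 7
    return cls & want == want
```

Constructed sample input that exercises the no-duplicates rule: a UNIX record for alice (uid 2001, gid 2001, SID S-1-5-21-1-2-3-1104, extra group 100) listed first, then an AD record that repeats the same SID and GID 2001 and adds SID S-1-5-21-1-2-3-513. The resulting token keeps 2001/2001/...-1104 as primaries and only GID 100 and SID ...-513 as additional IDs; the repeated SID and GID are dropped. A second user with only a SID takes UID/GID 65534 from a default UNIX user when one is supplied and generated IDs 1000000/1000001 when it is not.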