Home > Storage > PowerScale (Isilon) > Product Documentation > Management and Migration > PowerScale OneFS User Mapping: Mapping Identities Across Authentication Providers > Operators
The following table describes the operators that can occur in a rule. When you create a rule with the OneFS command-line interface, you must specify an operator with a symbol. The operator affects the direction in which the mapping service processes a rule; the direction of a rule is discussed later. A rule can contain only one operator.
Operator | Symbol | Direction | Description |
Append | ++ | Left to right | Modifies an access token by adding fields to it. The mapping service appends the fields that are specified in the list of options (user, group, groups) to the first identity in the rule. The fields are copied from the second identity in the rule. All appended identifiers become members of the additional groups list. An append rule without an option performs only a lookup operation; you must include an option to alter a token. Options are discussed later. |
Insert | += | Left to right | Modifies an existing token by adding fields to it. Fields specified in the options list (user, group, groups) are copied from the new identity and inserted into the identity in the token. When the rule inserts a primary user or primary group, it becomes the new primary user or primary group in the token. The previous primary user or primary group moves to the additional identifiers list. Modifying the primary user leaves the token’s username unchanged. When inserting the additional groups from an identity, the service adds the new groups to the existing groups. |
Replace | => | Left to right | Removes the token and replaces it with the new token that is identified by the second username. If the second username is left blank, the mapping service removes the first username in the token, leaving no username, and then login fails with a no such user error. |
Remove Groups | -- | Unary | Modifies a token by removing the supplemental groups. |
Join | &= | Bidirectional | Merges the new identity into the token. If the new identity is the second user, the mapping service inserts it after the existing identity; otherwise, the service inserts it before the existing identity. The location of the insertion point is relevant when the existing identity is already the first in the list because OneFS uses the first identity to determine the ownership of new file system objects. A join rule is bidirectional; if the first username matches the token, the mapping service evaluates the rule as a left to right rule. If the second username matches the token, the service expands the wildcards in the first user and resolves the first user before applying the rule. |