Mapping rule operators

The operator determines what a mapping rule does.

You can create user-mapping rules through either the web-administration interface, where the operators are spelled out in a list, or from the command-line interface.

When you create a mapping rule with the OneFS command-line interface (CLI), you must specify an operator with a symbol. The operator affects the direction in which the mapping service processes a rule. For more information about creating a mapping rule, see the white paper Managing identities with the Isilon OneFS user mapping service. The following table describes the operators that you can use in a mapping rule.

A mapping rule can contain only one operator.

Operator
Web interface
CLI
Direction
Description
append
Append fields from a user
++
Left-to-right
Modifies an access token by adding fields to it. The mapping service appends the fields that are specified in the list of options (user, group, groups) to the first identity in the rule. The fields are copied from the second identity in the rule. All appended identifiers become members of the additional groups list. An append rule without an option performs only a lookup operation; you must include an option to alter a token.
insert
Insert fields from a user
+=
Left-to-right
Modifies an existing access token by adding fields to it. Fields specified in the options list (user, group, groups) are copied from the new identity and inserted into the identity in the token. When the rule inserts a primary user or primary group, it become the new primary user and primary group in the token. The previous primary user and primary group move to the additional identifiers list. Modifying the primary user leaves the token’s username unchanged. When inserting the additional groups from an identity, the service adds the new groups to the existing groups.
replace
Replace one user with a different user
=>
Left-to-right
Removes the token and replaces it with the new token that is identified by the second username. If the second username is empty, the mapping service removes the first username in the token, leaving no username. If a token contains no username, OneFS denies access with a no such user error.
remove groups
Remove supplemental groups from a user
--
Unary
Modifies a token by removing the supplemental groups.
join
Join two users together
&=
Bidirectional
Inserts the new identity into the token. If the new identity is the second user, the mapping service inserts it after the existing identity; otherwise, the service inserts it before the existing identity. The location of the insertion point is relevant when the existing identity is already the first in the list because OneFS uses the first identity to determine the ownership of new file system objects.