- Notes, cautions, and warnings
- Introduction to this guide
- PowerScale scale-out NAS
- Introduction to the OneFS command-line interface
- General cluster administration
- General cluster administration overview
- User interfaces
- Connecting to the cluster
- Licensing
- Certificates
- Cluster identity
- Cluster contact information
- Cluster date and time
- SMTP email settings
- Configuring the cluster join mode
- File system settings
- Data compression settings and monitoring
- Events and alerts
- Security hardening
- Cluster configuration backup and restore
- Cluster monitoring
- Monitoring cluster hardware
- Cluster maintenance
- SRS Summary
- Access zones
- Data Security overview
- Base directory guidelines
- Access zones best practices
- Access zones on a SyncIQ secondary cluster
- Access zone limits
- Quality of service
- Zone-based Role-based Access Control (zRBAC)
- Zone-specific authentication providers
- Managing access zones
- Create an access zone
- Assign an overlapping base directory
- Manage authentication providers in an access zone
- Associate an IP address pool with an access zone
- Modify an access zone
- Delete an access zone
- View a list of access zones
- Create one or more access zones
- Create local users in an access zone
- Access files through the RESTful Access to Namespace (RAN) in non-System zones
- Authentication
- Authentication overview
- Authentication provider features
- Security Identifier (SID) history overview
- Supported authentication providers
- Active Directory
- LDAP
- NIS
- Kerberos authentication
- File provider
- Local provider
- Multi-factor Authentication (MFA)
- Multi-instance active directory
- LDAP public keys
- Managing Active Directory providers
- Managing LDAP providers
- Managing NIS providers
- Managing MIT Kerberos authentication
- Managing file providers
- Managing local users and groups
- SSH Authentication and Configuration
- Administrative roles and privileges
- Identity management
- Home directories
- Home directories overview
- Home directory permissions
- Authenticating SMB users
- Home directory creation through SMB
- Home directory creation through SSH and FTP
- Home directory creation in a mixed environment
- Interactions between ACLs and mode bits
- Default home directory settings in authentication providers
- Supported expansion variables
- Domain variables in home directory provisioning
- Data access control
- File sharing
- File sharing overview
- SMB security
- NFS security
- FTP
- HTTP and HTTPS security
- File filtering
- Auditing and logging
- Auditing overview
- Syslog
- Protocol audit events
- Supported audit tools
- Delivering protocol audit events to multiple CEE servers
- Supported event types
- Sample audit log
- Audit log purging
- Managing audit settings
- Integrating with the Common Event Enabler
- Tracking the delivery of protocol audit events
- View the time stamps of delivery of events to the CEE server and syslog
- Display a global view of delivery of protocol audit events to the CEE server and syslog
- Move the log position of the CEE forwarder
- View the rate of delivery of protocol audit events to the CEE server
- Automatic deletion
- Manual deletion
- Snapshots
- Snapshots overview
- Data protection with SnapshotIQ
- Snapshot disk-space usage
- Snapshot schedules
- Snapshot aliases
- File and directory restoration
- Best practices for creating snapshots
- Best practices for creating snapshot schedules
- File clones
- Snapshot locks
- Snapshot reserve
- SnapshotIQ license functionality
- Creating snapshots with SnapshotIQ
- Managing snapshots
- Restoring snapshot data
- Managing snapshot schedules
- Managing snapshot aliases
- Managing with snapshot locks
- Configure SnapshotIQ settings
- Set the snapshot reserve
- Managing changelists
- Deduplication with SmartDedupe
- Inline Data Deduplication
- Inline Data Deduplication overview
- Inline deduplication interoperability
- Considerations for using inline deduplication
- Enable inline deduplication
- Verify inline deduplication is enabled
- View inline deduplication reports
- Disable or pause inline deduplication
- Remove deduplication
- Troubleshoot index allocation issues
- Data replication with SyncIQ
- SyncIQ data replication overview
- Replication policies and jobs
- Replication snapshots
- Data failover and failback with SyncIQ
- Recovery times and objectives for SyncIQ
- Replication policy priority
- SyncIQ license functionality
- Replication for nodes with multiple interfaces
- Restrict SyncIQ source nodes
- Creating replication policies
- Managing replication to remote clusters
- Initiating data failover and failback with SyncIQ
- Performing disaster recovery for older SmartLock directories
- Managing replication policies
- Managing replication to the local cluster
- Managing replication performance rules
- Managing replication reports
- Managing failed replication jobs
- Restrict SyncIQ to use the interfaces in the IP address pool
- Modify the Restrict Target Network value
- Data Encryption with SyncIQ
- Data Compression
- Data layout with FlexProtect
- Large file size support
- Administering NDMP
- NDMP backup and recovery overview
- NDMP two-way backup
- NDMP three-way backup
- Support for NDMP sessions on Generation 6 hardware
- Setting preferred IPs for NDMP three-way operations
- NDMP multi-stream backup and recovery
- Snapshot-based incremental backups
- NDMP backup and restore of SmartLink files
- NDMP protocol support
- Supported DMAs
- NDMP hardware support
- NDMP backup limitations
- NDMP performance recommendations
- Excluding files and directories from NDMP backups
- Configuring basic NDMP backup settings
- Managing NDMP user accounts
- Managing NDMP backup devices
- Managing NDMP Fibre Channel ports
- Managing NDMP preferred IP settings
- Managing NDMP sessions
- Managing NDMP restartable backups
- NDMP restore operations
- Managing default NDMP variables
- Managing snapshot based incremental backups
- Managing cluster performance for NDMP sessions
- Managing CPU usage for NDMP sessions
- View NDMP backup logs
- File retention with SmartLock
- SmartLock overview
- Compliance mode
- Enterprise mode
- SmartLock directories
- Replication and backup with SmartLock
- SmartLock license functionality
- SmartLock considerations
- Delete WORM domain and directories
- Set the compliance clock
- View the compliance clock
- Creating a SmartLock directory
- Managing SmartLock directories
- Managing files in SmartLock directories
- Set a retention period through a UNIX command line
- Set a retention period through Windows Powershell
- Commit a file to a WORM state through a UNIX command line
- Commit a file to a WORM state through Windows Explorer
- Override the retention period for all files in a SmartLock directory
- Delete a file committed to a WORM state
- View WORM status of a file
- Data Removal with Instant Secure Erase (ISE)
- Protection domains
- Data-at-rest-encryption
- Data-at-rest encryption overview
- Self-encrypting drives
- Data security on self-encrypting drives
- Data migrations and upgrades to a cluster with self-encrypting drives
- Enabling external key management
- Migrate nodes and SEDs to external key management
- Chassis and drive states
- Smartfailed drive REPLACE state
- Smartfailed drive ERASE state
- SmartQuotas
- SmartQuotas overview
- Quota types
- Default quota type
- Usage accounting and limits
- Disk-usage calculations
- Quota notifications
- Quota notification rules
- Quota reports
- Creating quotas
- Managing quotas
- Search for quotas
- Manage quotas
- Export a quota configuration file
- Import a quota configuration file
- Managing quota notifications
- Email quota notification messages
- Managing quota reports
- Basic quota settings
- Advisory limit quota notification rules settings
- Soft limit quota notification rules settings
- Hard limit quota notification rules settings
- Limit notification settings
- Quota report settings
- Storage Pools
- Storage pools overview
- Storage pool functions
- Autoprovisioning
- Node pools
- Virtual hot spare
- Spillover
- Suggested protection
- Protection policies
- SSD strategies
- Other SSD mirror settings
- Global namespace acceleration
- L3 cache overview
- Tiers
- File pool policies
- Managing node pools through the command-line interface
- Delete an SSD compatibility
- Create a node pool manually
- Add a node to a manually managed node pool
- Add a new node type to an existing node pool
- Remove a node type from a node pool
- Change the name or protection policy of a node pool
- Remove a node from a manually managed node pool
- View node pool settings
- Modify default storage pool settings
- SmartPools settings
- Managing L3 cache from the command-line interface
- Managing tiers
- Creating file pool policies
- Managing file pool policies
- Monitoring storage pools
- Pool-based tree reporting in FSAnalyze (FSA)
- System jobs
- S3 support
- Small Files Storage Efficiency for archive workloads
- Networking
- Networking overview
- About the internal network
- About the external network
- Managing internal network settings
- Managing groupnets
- Managing external network subnets
- Managing Multi-SSIP
- Managing IP address pools
- Managing SmartConnect Settings
- Managing connection rebalancing
- Managing network interface members
- Managing node provisioning rules
- Managing routing options
- Managing DNS cache settings
- NFS3oRDMA
- Partitioned Performance Performing for NFS
- IPMI
- Antivirus
- Antivirus overview
- On-access scanning
- ICAP Antivirus policy scanning
- Individual file scanning using ICAP
- WORM files and antivirus
- Antivirus scan reports
- ICAP servers
- CAVA servers
- ICAP threat responses
- CAVA threat responses
- Configuring global antivirus settings
- Managing ICAP servers
- Managing CAVA servers
- Add and connect to a CAVA server
- Modify CAVA connection settings
- List or view CAVA servers
- Disable connection to a CAVA server
- Delete a CAVA server configuration
- Create an IP pool in a CAVA server
- Create a dedicated Access Zone on a CAVA server
- Create an Active Directory authentication provider for the AvVendor access zone
- Update the role in the access zone
- Scan CloudPool files in a CAVA server
- View CloudPool scan timeout
- Manage CAVA filters
- Manage CAVA jobs
- Create an ICAP antivirus policy
- Managing ICAP antivirus policies
- Managing antivirus scans
- Managing antivirus threats
- Managing antivirus reports
PowerScale OneFS 9.2.1.0 CLI Administration Guide
Mapping rule options
Mapping rules can contain options that target the fields of an access token.
A field represents an aspect of a cross-domain access token, such as the primary UID and primary user SID from a user that you select. You can see some of the fields in the OneFS web administration interface. User in the web administration interface is the same as username. You can also see fields in an access token by running the command isi auth mapping token.
When you create a rule, you can add an option to manipulate how OneFS combines aspects of two identities into a single token. For example, an option can force OneFS to append the supplement groups to a token.
A token includes the following fields that you can manipulate with user mapping rules:
- username
- unix_name
- primary_uid
- primary_user_sid
- primary_gid
- primary_group_sid
- additional_ids (includes supplemental groups)
Options control how a rule combines identity information in a token. The break option is the exception: It stops OneFS from processing additional rules.
Although several options can apply to a rule, not all options apply to all operators. The following table describes the effect of each option and the operators that they work with.
| Option | Operator | Description |
|---|---|---|
| user | insert, append | Copies the primary UID and primary user SID, if they exist, to the token. |
| groups | insert, append | Copies the primary GID and primary group SID, if they exist, to the token. |
| groups | insert, append | Copies all the additional identifiers to the token. The additional identifiers exclude the primary UID, the primary GID, the primary user SID, and the primary group SID. |
| default_user | all operators except remove groups | If the mapping service fails to find the second user in a rule, the service tries to find the username of the default user. The name of the default user cannot include wildcards. When you set the option for the default user in a rule with the command-line interface, you must set it with an underscore: default_user. |
| break | all operators | Stops the mapping service from applying rules that follow the insertion point of the break option. The mapping service generates the final token at the point of the break. |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\