The Knox Gateway uses group membership for Service Level Authorization only. The gateway does not propagate the user's group when communicating with the Hadoop cluster.
The `group.principal.mapping` parameter of the identity-assertion provider determines the user's group membership. The gateway evaluates this parameter after the `principal.mapping` parameter using the authenticated user. Unlike `principal.mapping`, the group mapping applies all the matching values. A user is a member of all matching groups.
| Note |
|---|
| Although user and group mappings are often used together, the instructions in this section only explain how to add group mappings. |
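
A topology fragment illustrating the "all matching values apply" behaviour described above. It is added here as an example and is not taken from the original page; the provider name `Default` and the user and group names (`hdfs`, `users`, `admin`) are assumptions.

```xml
<provider>
    <role>identity-assertion</role>
    <!-- Assumed provider name; keep the name your topology already uses. -->
    <name>Default</name>
    <enabled>true</enabled>
    <!-- Group mapping: every matching entry applies, not just the first.
         Entries are separated by ";" and "*" matches any user, so with
         this value the user hdfs is a member of both users and admin,
         while every other user is a member of users only. -->
    <param>
        <name>group.principal.mapping</name>
        <value>*=users;hdfs=admin</value>
    </param>
</provider>
```

Because every matching entry applies, a wildcard entry grants its groups to all users; check it against the service-level authorization rules that reference those groups.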


