How to add a user mapping rule to an identity-assertion provider:

The principal.mapping parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the authenticated user) for grouping, authorization, and to run the request on the cluster.

- Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
- Add a Default identity-assertion provider to topology/gateway with the principal.mapping parameter as follows:
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
        <param>
            <name>principal.mapping</name>
            <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
        </param>
    </provider>
  where the value contains a semicolon-separated list of external-to-internal user mappings, and the following variables match the names in your environment:
  - $user_ids is a comma-separated list of external users, or the wildcard (*), which indicates all users.
  - $cluster_user is the cluster user name the gateway asserts, that is, the authenticated user name.
- Save the file.
  The gateway creates a new WAR file with a modified timestamp in $gateway/data/deployments.
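
Before saving, the mapping value can be checked for entries that change who the gateway asserts in ways you did not intend. The following Python sketch is an added example, not part of the gateway or its documentation: it reads principal.mapping from a topology descriptor and reports malformed entries, external users mapped to two different cluster users, and wildcard entries. The sample topology and the user names (alice, bob, carol, etl_svc, analyst, guest) are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology; the user names are made up for illustration.
SAMPLE_TOPOLOGY = """<topology><gateway>
  <provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param>
      <name>principal.mapping</name>
      <value>alice,bob=etl_svc;bob=analyst;*=guest;carol</value>
    </param>
  </provider>
</gateway></topology>"""

def read_principal_mapping(topology_xml):
    """Return the principal.mapping value of the identity-assertion provider, or None."""
    root = ET.fromstring(topology_xml)
    for provider in root.findall("./gateway/provider"):
        if provider.findtext("role", "").strip() != "identity-assertion":
            continue
        for param in provider.findall("param"):
            if param.findtext("name", "").strip() == "principal.mapping":
                return param.findtext("value", "").strip()
    return None

def audit_mapping(value):
    """Parse '$user_ids=$cluster_user;...' and return (table, findings)."""
    table, findings = {}, []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        ids, sep, cluster_user = (p.strip() for p in entry.partition("="))
        if not sep or not ids or not cluster_user:
            findings.append(f"malformed entry: {entry!r}")
            continue
        for ext in filter(None, (i.strip() for i in ids.split(","))):
            if ext in table and table[ext] != cluster_user:
                # The page does not say which entry wins, so only report it.
                findings.append(f"{ext!r} mapped to both {table[ext]!r} and {cluster_user!r}")
            if ext == "*":
                findings.append(f"wildcard: all external users asserted as {cluster_user!r}")
            table.setdefault(ext, cluster_user)  # keep the first mapping seen
    return table, findings

if __name__ == "__main__":
    table, findings = audit_mapping(read_principal_mapping(SAMPLE_TOPOLOGY))
    print(table)
    print("\n".join(findings))
```

A wildcard finding deserves review because the asserted name is what the cluster uses for authorization, so every external user covered by it runs requests as that one cluster user.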