Hi Phil, You might have uncovered a gap in the permission policy. Have you tried using the “modify the data” permission [1]? If a user does not have write permission to the queue, I think they can empty it but not modify/delete the queue itself.
I am speculating here because I haven’t had a chance to verify, but I suspect that the same write permission which allows a user to clear the queue would allow them to delete it as well. This may be something we could mitigate by using the “operate” permission, but I would have to validate this behavior first. Hope this helps for now. [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies Andy LoPresto [email protected] [email protected] He/Him PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Jun 3, 2020, at 4:08 PM, Phil H <[email protected]> wrote: > > Hi there, > > I am trying to stratify my userbase. I need to allow certain users/groups > the ability to clear queues, but cannot find the right policy to allow that > without also allowing them to delete queues, which I absolutely don’t want > to do. > > Am currently using 1.9.2 (putting off the upgrade process!) > > Regards, > Phil
