Matheswaran,

The Initial Admin grants the user with that identity the required permissions to administer that instance including adding/updating/removing users, groups, and policies. The policies are granted at a resource level. This means that you can introduce new administrators at a Process Group level if you desire. The Initial Admin is not considered a special user. If they add another user and assign that user to the same policies, the new user will have equivalent permissions.
That said, I think it may make sense to prevent a user from removing themselves from the global/top level admin policies. I'll file a JIRA to this effect later today.

I saw your other email and SO post. If you don't have users/groups/policies that you had previously set up, you can just delete your <NIFI_HOME>/conf/authorizations.xml and restart. The Initial Admin policies will be restored. If you do have other users/groups/policies that you don't want to lose, I can help you restore the lost permissions by hand editing the authorizations.xml. Just let me know.

Thanks.

Matt

On Tue, Jun 27, 2017 at 6:53 AM, mathes waran <[email protected]> wrote:
> Hi,
>
> I am using nifi-1.2.0, with Kerberos authentication enabled. I set the admin
> user in the Initial Admin Identity property of the authorizers.xml file. By
> default, admin has full permission in NiFi. But admin is able to delete
> his own permission.
>
> Once the access policy is removed for the admin user, policies cannot be set
> for any other users by admin. This behaviour looks odd. The policy for admin
> should not be removed in any case, as we set the admin user in the authorizers.xml
> file.
>
> Why shouldn't NiFi restrict policy removal for the admin user? Is there any
> need to delete permission for the admin user itself?
>
> Help me to understand the security flow.
>
> Please let me know if you have any queries,
>
> Thanks,
> Matheswaran. S
>
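
An added example, not part of the thread and not NiFi project code: a check over authorizations.xml that reports global admin policies no user or group holds any more, which is the lockout described above. It assumes the file stores each policy as a `policy` element with `resource` and `action` attributes and `user`/`group` children; the list of admin policies and all identifiers in the sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: the global policies needed to manage users and policies.
ADMIN_POLICIES = [("/policies", "R"), ("/policies", "W"),
                  ("/tenants", "R"), ("/tenants", "W")]

# Constructed sample; identifiers are made up. The write policy on /policies
# has lost its only user, which is the lockout described in the thread.
SAMPLE = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/policies" action="R">
      <user identifier="u-admin"/>
    </policy>
    <policy identifier="p2" resource="/policies" action="W"/>
    <policy identifier="p3" resource="/tenants" action="R">
      <user identifier="u-admin"/>
    </policy>
    <policy identifier="p4" resource="/tenants" action="W">
      <group identifier="g-ops"/>
    </policy>
  </policies>
</authorizations>"""


def policy_holders(xml_text):
    """Map (resource, action) -> sorted user/group identifiers on that policy."""
    holders = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        ids = [child.get("identifier") for child in policy
               if child.tag in ("user", "group")]
        holders.setdefault(key, set()).update(ids)
    return {k: sorted(v) for k, v in holders.items()}


def unheld_admin_policies(xml_text):
    """Return admin policies that are missing or have no user or group."""
    holders = policy_holders(xml_text)
    return [p for p in ADMIN_POLICIES if not holders.get(p)]


if __name__ == "__main__":
    for resource, action in unheld_admin_policies(SAMPLE):
        print(f"no user or group holds {action} on {resource}")
```

Running it against a copy of the file before and after a policy change shows whether the change would leave an admin policy without any holder.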
