User Guide
Also available as:
PDF
loading table of contents...

Accessing the UI with Multi-Tenant Authorization

Multi-tenant authorization enables multiple groups of users (tenants) to command, control, and observe different parts of the dataflow, with varying levels of authorization. When an authenticated user attempts to view or modify a NiFi resource, the system checks whether the user has privileges to perform that action. These privileges are defined by policies that you can apply system wide or to individual components. What this means from a Dataflow Manager perspective is that once you have access to the NiFi canvas, a range of functionality is visible and available to you, depending on the privileges assigned to you.

The available global access policies are:

Policy

Privilege

view the UI

Allows users to view the UI

access the controller

Allows users to view and modify the controller including reporting tasks, Controller Services, and nodes in the cluster

query provenance

Allows users to submit a provenance search and request even lineage

access restricted components

Allows users to create/modify restricted components assuming otherwise sufficient permissions

access all policies

Allows users to view and modify the policies for all components

access users/groups

Allows users view and modify the users and user groups

retrieve site-to-site details

Allows other NiFi instances to retrieve Site-To-Site details

view system diagnostics

Allows users to view System Diagnostics

proxy user requests

Allows proxy machines to send requests on the behalf of others

access counters

Allows users to view and modify counters

The available component-level access policies are:

Policy

Privilege

view the component

Allows users to view component configuration details

modify the component

Allows users to modify component configuration details

view the data

Allows users to view metadata and content for this component through provenance data and flowfile queues in outbound connection

modify the data

Allows users to empty flowfile queues in outbound connections and to submit replays

view the policies

Allows users to view the list of users who can view and modify a component

modify the policies

Allows users to modify the list of users who can view and modify a component

retrieve data via site-to-site

Allows a port to receive data from NiFi instances

send data via site-to-site

Allows a port to send data from NiFi instances

If you are unable to view or modify a NiFi resource, contact your System Administrator or see Configuring Users and Access Policies in the System Administrator's Guide for more information.