nifi-dev mailing list archives

From Mark Bean <mark.o.b...@gmail.com>
Subject Re: global and component access policies
Date Fri, 22 Feb 2019 21:07:11 GMT
Fair enough as long as it was a deliberate choice. In practice, it seems
the "one administrator to rule them all" will/should always have access to
all policies - even all component policies.

Thanks for the response.

-Mark

On Fri, Feb 22, 2019 at 3:46 PM Matt Gilman <matt.c.gilman@gmail.com> wrote:

> Mark,
>
> You are correct that this behavior differs from the policies on the
> components themselves. The behavior there allows for overriding the allowed
> users of an ancestor resource. The policies on the policies themselves are
> inherited and not overridden. This is noted in the UI since the behavior is
> different from how component policies override ancestor policies. This
> choice was made since it allowed for folks to define an administrator for
> all things and local/component level administrators.
>
> Matt
>
> On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <mark.o.bean@gmail.com> wrote:
>
> > There is a global level access policy for 'access all policies' (view and
> > modify). These access policies apply to components (e.g. processor) as well
> > as the controller. Even if a user is explicitly excluded from the component
> > level access policy 'view/modify the policies', the user still has access
> > due to the global level policy.
> >
> > Is this correct/desired behavior?
> >
> > It seems to me the component level access policies should allow the ability
> > for a global level policy to be overridden for a given component(s).
> >
>
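
The two resolution rules discussed in this thread, as an added example that is not part of the original messages and is not NiFi's own code. It is a simplified model built only from the behavior described above; the class, function, resource and user names are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Resource:
    """Node in a constructed component hierarchy (hypothetical, not a NiFi class)."""
    name: str
    parent: Optional["Resource"] = None
    component_policy: Optional[Set[str]] = None  # users allowed on the component itself
    policy_admins: Optional[Set[str]] = None     # users allowed to view/modify its policies

def chain(res):
    """Yield the resource, then each ancestor up to the root."""
    while res is not None:
        yield res
        res = res.parent

def can_access_component(user, res):
    """Override rule: the nearest explicitly defined policy is authoritative."""
    for node in chain(res):
        if node.component_policy is not None:
            return user in node.component_policy
    return False

def can_access_policies(user, res, global_admins):
    """Inherit rule: a grant at the global level or on any ancestor is sufficient,
    so leaving a user off the component-level list does not remove access."""
    if user in global_admins:
        return True
    return any(n.policy_admins is not None and user in n.policy_admins
               for n in chain(res))

def build_sample():
    """Constructed sample: a root group containing one processor."""
    root = Resource("root-group", component_policy={"alice", "bob"},
                    policy_admins={"bob"})
    proc = Resource("processor-1", parent=root, component_policy={"bob"},
                    policy_admins={"carol"})
    return root, proc

if __name__ == "__main__":
    root, proc = build_sample()
    global_admins = {"alice"}  # constructed stand-in for 'access all policies'
    print("alice on component:", can_access_component("alice", proc))
    print("alice on its policies:", can_access_policies("alice", proc, global_admins))
```

In this model "alice" is denied on the processor because its own component policy overrides the root group's, yet she can still view and modify the processor's policies through the global grant.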
