Posted to dev@nifi.apache.org by Mark Bean <ma...@gmail.com> on 2019/02/22 20:03:40 UTC

global and component access policies

There is a global level access policy for 'access all policies' (view and
modify). These access policies apply to components (e.g. processor) as well
as the controller. Even if a user is explicitly excluded from the component
level access policy 'view/modify the policies', the user still has access
due to the global level policy.

Is this correct/desired behavior?

It seems to me the component level access policies should allow the ability
for a global level policy to be overridden for a given component(s).

Re: global and component access policies

Posted by Mark Bean <ma...@gmail.com>.
Fair enough as long as it was a deliberate choice. In practice, it seems
the "one administrator to rule them all" will/should always have access to
all policies - even all component policies.

Thanks for the response.

-Mark

On Fri, Feb 22, 2019 at 3:46 PM Matt Gilman <ma...@gmail.com> wrote:

> Mark,
>
> You are correct that this behavior differs from the policies on the
> components themselves. The behavior there allows for overriding the allowed
> users of an ancestor resource. The policies on the policies themselves are
> inherited and not overridden. This is noted in the UI since the behavior is
> different from how component policies override ancestor policies. This
> choice was made since it allowed for folks to define an administrator for
> all things and local/component level administrators.
>
> Matt
>
> On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <ma...@gmail.com> wrote:
>
> > There is a global level access policy for 'access all policies' (view and
> > modify). These access policies apply to components (e.g. processor) as well
> > as the controller. Even if a user is explicitly excluded from the component
> > level access policy 'view/modify the policies', the user still has access
> > due to the global level policy.
> >
> > Is this correct/desired behavior?
> >
> > It seems to me the component level access policies should allow the ability
> > for a global level policy to be overridden for a given component(s).
> >
>

Re: global and component access policies

Posted by Matt Gilman <ma...@gmail.com>.
Mark,

You are correct that this behavior differs from the policies on the
components themselves. The behavior there allows for overriding the allowed
users of an ancestor resource. The policies on the policies themselves are
inherited and not overridden. This is noted in the UI since the behavior is
different from how component policies override ancestor policies. This
choice was made since it allowed for folks to define an administrator for
all things and local/component level administrators.

Matt

On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <ma...@gmail.com> wrote:

> There is a global level access policy for 'access all policies' (view and
> modify). These access policies apply to components (e.g. processor) as well
> as the controller. Even if a user is explicitly excluded from the component
> level access policy 'view/modify the policies', the user still has access
> due to the global level policy.
>
> Is this correct/desired behavior?
>
> It seems to me the component level access policies should allow the ability
> for a global level policy to be overridden for a given component(s).
>
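
The two resolution rules discussed in this thread, as an added example that is not part of the original messages and is not NiFi's code: a simplified Python model in which a component policy is decided by the nearest resource that defines one, while grants on the policies themselves accumulate. The resource tree, user names and function names are constructed for illustration, and accumulating grants along the whole ancestor path is an assumption.

```python
# Simplified model of the two rules described in the thread (not NiFi code).
# Resource tree, users and policy contents below are constructed sample data.

# child -> parent; None marks the root of the hierarchy
PARENT = {"root-group": None, "group-a": "root-group", "processor-1": "group-a"}

# Component policies: who may view each component.
COMPONENT_POLICIES = {"root-group": {"alice", "bob"}, "processor-1": {"alice"}}

# 'view/modify the policies' defined on individual components.
POLICY_POLICIES = {"processor-1": {"carol"}}

# Global 'access all policies' holders.
GLOBAL_POLICY_ADMINS = {"bob"}


def ancestors(resource):
    """Yield the resource itself, then each ancestor up to the root."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def component_allowed(user, resource):
    """Override rule: the nearest resource that defines a policy decides."""
    for res in ancestors(resource):
        if res in COMPONENT_POLICIES:
            return user in COMPONENT_POLICIES[res]
    return False  # nothing defined anywhere on the path: deny


def policy_admin_allowed(user, resource):
    """Inherit rule: a narrower local list never removes an inherited grant."""
    if user in GLOBAL_POLICY_ADMINS:
        return True
    # Assumption: grants from every ancestor on the path also apply.
    return any(user in POLICY_POLICIES.get(res, set()) for res in ancestors(resource))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user,
              "component:", component_allowed(user, "processor-1"),
              "policies:", policy_admin_allowed(user, "processor-1"))
```

In this model bob loses component access on processor-1 because the local policy overrides the root group's, yet keeps access to its policies through the global grant, which is the behavior the original question describes.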