@pacman
In addition to what @ckumar already shared:
NiFI purposely leaves components visible to all on the canvas. but unless authorized to view those components, they will display as "ghost" implementations. "Ghosted" components will not show any component names or classes on them. They will only show stats. Unauthorized users will be unable to view or modify the configuration. User will also be unable to list or view data in connections (only see numbers of FlowFiles queued on a connection).
The reason NiFi shows these ghosted components is to prevent multiple users from building their dataflows on top of one another. It is very common for users to have multiple teams building their own dataflows, but then also have monitoring teams that may be authorized as "operators" across all dataflows.
Or they may have some users that are members of multiple teams. That means these users who can see more, would be left with potentially components layered on top of one another making management very difficult.
The stats are there so even if a user can not view or modify a component, they can see where FlowFile backlogs are happening. Since NiFi operates within a single JVM and every dataflow, no matter which user/team built them, is executed as the NiFi service user, everything must share the same system resources (various repos, Heap memory, disk I/O, cpu, etc). These stats provide useful information that one team can use to communicate to another team should resource utilization become an issue.
NiFi's authorization model allows users to make very granular access decisions for every component. Authorizations are inherited from the parent process group unless more granular policies are setup on a child component (processor, controller service, input/output port, sub-process group, etc..).
Hope this helps,
Matt
