Support Questions

Find answers, ask questions, and share your expertise

NiFi Registry: policies aren't inherited from group to user

New Contributor

Greetings, and thanks for great work!


We're trying to setup the secured NiFi Registry. Logins are synchronized from AD, while policies are stored in authorizers.xml. We've created a bunch of users in NiFi and added them to the "Administration" group, then copied users.xml to NiFi Registry and (from the initial admin identity) activated all policies on this group, including user management. However, members of this group still aren't able to add users themselves. Is this a bug, or some misconfiguration on our side?


upd: looks like the problem is deeper. We've added another user (through the initial admin identity) with explicitly added "user access". However, he is still not able to create new users and/or manage existing ones. What should we check, then?


upd2: after writing the previous text, I've refreshed the NiFi Registry page, and "Add user" button became active. Magic...


Master Guru



NiFi and NiFi-Registry user authorization is case sensitive.  User authentication is handled first and upon successful authentication the resulting user string returned during authentication is evaluated against any configured identity mappings configured in file.  If a mapping pattern matches the subsequent configured mapping value and transform is applied and that result is what is passed on for user authorization.

So if authentication results in user string "bob", that would be treated as a different user if the authorizer contains "Bob".


Not having access to, identity-providers.xml, and authorizers.xml files makes diagnosing the exact issue difficult.


Other important things to understand:
1. The only configuration file that is reprocessed regularly while NiFi or NiFi-Registry is already running is the logback.xml.   So if you modify the users.xml or authorizations.xml files and do not restart the service, those changes will not take affect.
2. The users.xml and authorizations.xml files are only created by the authorizers.xml providers if they do NOT already exist.  The authorizers.xml providers will not update/modify pre-existing files on startup.  This is by design to prevent unintentional adding of users back in to the service that may have been removed through the UI on restart.  The expectation is that once setup initially, all future local user additions are handled via the UI.   So changing the configured "initial admin identity" in either the file-user-group-provider or file-access-providers will have no affect on modifying your preexisting files.

3. If you have been accessing multiple NiFi-Registries from the same browser or have multiple tabs open connecting to the same NiFi-Registry within your browser, try clearing your browser cache and logging in again.



Hope this helps,


Community Manager

@kv_bagrov Can you confirm that this issue is resolved? If so please respond with the solution. You can then use the Accept as Solution button to mark that reply appropriately. This will assist others who may face a similar situation. 

Screen Shot 2019-08-06 at 1.54.47 PM.png



Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.