06-29-2021 05:17 AM
@data-light NiFi nodes will always be authenticated via the clientAuth certificate they present. The Owner DN from the node's PrivateKeyEntry in the keystore file is what is used.

What is important to know is that NiFi provides a mechanism that can trim/modify those full DNs through the use of identity mapping properties [1] that users can configure in the nifi.properties file. After a mapping is applied against an identity string, the resulting mapped value is what is actually passed to the configured NiFi Authorizer. So within the authorizer, that now-mapped value is what the authorization policies need to be mapped to.

The nifi-user.log will show the mapped value (case sensitive) that is being used during authorization. So if you see only "Nifi-node-0" in the nifi-user.log, then that exact string is what needs to exist in your authorizer and have policy assigned to it. If the nifi-user.log was showing "cn=Nifi-node-0, ou=mycompany, ou=nifi", then that full DN would need to be present in your authorizer with assigned policies.

So you will want to get a verbose output of your nodes' keystore files, your nifi.properties file to see what identity mapping patterns have been set, the authorizers.xml to see how your authorization setup is done, and the nifi-user.log.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties

Hope this helps address your question. If so, please take a moment to log in and click "Accept" on this solution.

Thank you,
Matt
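The check described in the post above, as an added example that is not part of the original post or NiFi's own code: it applies identity mapping properties to a node's full DN and tests whether the mapped string exists, case-sensitively, among the authorizer's identities. The nifi.properties excerpt and authorizer identities are constructed sample values, the function names are hypothetical, and it assumes the first mapping (in name order) whose pattern matches the whole identity is the one applied.

```python
import re

# Constructed nifi.properties excerpt (sample values, not from the original post).
SAMPLE_PROPERTIES = """\
nifi.security.identity.mapping.pattern.dn=^cn=(.*?), ou=(.*?), ou=(.*?)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=NONE
"""
PREFIX = "nifi.security.identity.mapping."
TRANSFORMS = {"NONE": str, "UPPER": str.upper, "LOWER": str.lower}


def load_mappings(text):
    """Collect pattern/value/transform settings, grouped by mapping name."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the pattern itself may contain '='
        kind, _, name = key[len(PREFIX):].partition(".")
        found.setdefault(name, {})[kind] = value
    return [m for _, m in sorted(found.items()) if "pattern" in m and "value" in m]


def map_identity(identity, mappings):
    """Return the string handed to the authorizer for this identity."""
    for m in mappings:
        match = re.fullmatch(m["pattern"], identity)
        if match:
            # Substitute Java-style $1, $2 ... group references in the value.
            mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), m["value"])
            return TRANSFORMS[m.get("transform", "NONE").upper()](mapped)
    return identity  # no pattern matched: the full DN is used unchanged


def check_node(dn, properties_text, authorizer_identities):
    """Return (mapped identity, True if that exact string is in the authorizer)."""
    mapped = map_identity(dn, load_mappings(properties_text))
    return mapped, mapped in authorizer_identities


if __name__ == "__main__":
    dn = "cn=Nifi-node-0, ou=mycompany, ou=nifi"
    for identities in ({"Nifi-node-0"}, {"nifi-node-0"}, {dn}):
        print(sorted(identities), "->", check_node(dn, SAMPLE_PROPERTIES, identities))
```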