Restricted Controller Service Created in Process Group
Now, consider a second scenario where the controller service is created on the process group level.
Sys_admin creates a process group XYZ:
![](../images/nifi-xyz-process-group.png)
Sys_admin creates a KeytabCredentialsService controller service at the process group level:
![](../images/nifi-keytabCredentialsService-pg.png)
The same GetFile and PutHDFS flow is created in the process group:
![](../images/nifi-xyz-flow.png)
However, PutHDFS now references the process group level controller service:
![](../images/nifi-puthdfs-properties_2.png)
Sys_admin saves the process group as a versioned flow.
Test_user changes the flow by removing the KeytabCredentialsService controller service. However, with this configuration, if test_user attempts to revert this change:
![](../images/nifi-test_user-revert-local-changes-2.png)
the revert is unsuccessful because test_user does not have the 'access keytab' permissions required by the KeytabCredentialService controller service:
![](../images/nifi-revert-failure.png)
Similarly, if test_user tries to import the XYZ versioned flow:
![](../images/nifi-test_user-import-xyz-flow.png)
The import fails:
![](../images/nifi-import-xyz-flow-fails.png)