Restricted Controller Service Created in Root Process Group
In this first example, sys_admin creates a KeytabCredentialsService controller service at the root process group level.
![](../images/nifi-keytabCredentialsService-rpg.png)
KeytabCredentialService controller service is a restricted component that requires 'access keytab' permissions:
![](../images/nifi-keytabcredentialsservice-permissions.png)
Sys_admin creates a process group ABC containing a flow with GetFile and PutHDFS processors:
![](../images/nifi-abc-restricted-component-flow.png)
GetFile processor is a restricted component that requires 'write filesystem' and 'read filesystem' permissions:
![](../images/nifi-getfile-permissions.png)
PutHDFS is a restricted component that requires 'write filesystem' permissions:
![](../images/nifi-puthdfs-permissions.png)
The PutHDFS processor is configured to use the root process group level KeytabCredentialsService controller service:
![](../images/nifi-puthdfs-properties.png)
Sys_admin saves the process group as a versioned flow:
![](../images/nifi-abc-versioned-flow.png)
Test_user changes the flow by removing the KeytabCredentialsService controller service:
![](../images/nifi-puthdfs-no-kerberosCS.png)
If test_user chooses to revert this change:
![](../images/nifi-test_user-revert-local-changes.png)
the revert is successful:
![](../images/nifi-revert-success.png)
Additionally, if test_user chooses to import the ABC versioned flow:
![](../images/nifi-test_user-import-abc-flow.png)
The import is successful:
![](../images/nifi-test_user-import-success.png)