Create a custom access policy

If the user cannot access the component through an inherited Ranger access policy, then you must create a custom Ranger access policy for the specific component and add the user to this policy. If all the users in a group require the same access, you can add the user group to the Ranger access policy.

A user might need access to specific NiFi or NiFi Registry resources such as a processor, processor group, remote process group, funnel, label, controller service, or bucket. Each custom Ranger access policy provides access to a specific component.

First determine which NiFi or NiFi Registry components a user needs access to. Then create a new policy for each component and add the user or user group to the new policy.

When you create a new policy, you must specify the ID of the component that the user requires access to.

From the NiFi canvas, copy the ID of the process group, SSL Context Service, or controller service for reporting tasks that the user needs access to.
To locate the ID for a process group:
1. Click the process group.
  The ID appears in the Operate pane.
2. Copy the ID.
To locate the ID of the SSL Context Service:
1. Click the settings icon on the process group.
  The NiFi Flow Configuration appears.
2. Click the Controller Services tab.
3. Click the Settings icon for the Default NiFi SSL Context Service.
  The Controller Service Details window appears.
4. From the Settings tab, copy the ID from the Id field.
To locate the ID of a controller service for reporting tasks:
1. Click the process group.
2. Click the menu on the top right of the UI and select Controller Settings.
  
  The NiFi Settings page appears.
3. Click the Reporting Tasks Controller Services tab.
4. Click the Settings icon for the controller service.
  
  The Controller Service Details page appears.
5. From the Settings tab, copy the ID from the Id field.
Go back to the Ranger List of Policies page.
Click Add New Policy.

The Create Policy page appears.
Enter a unique name for the policy.
Optionally, enter a keyword in the Policy Label field to aid in searching for a policy.
Enter the resource descriptor and the resource ID in the NiFi Resource Identifier or NiFi Registry Resource Identifier field in the following format: <resource descriptor>/<resource ID>
To determine a NiFi resource descriptor, see Predefined Ranger access policies for Apache NiFi.
To determine a NiFi Registry resource descriptor, see Predefined Ranger access policies for Apache NiFI Registry.
Optionally, enter a description.
Add a user or a group.

note
If a user requires permission to view or modify the data for a specific component, you must create a data policy with /data/<component-type>/<component-UUID> as the resource identifier. Then add the user and the nifi group to the policy to authorize the NiFi and Knox nodes to access data on behalf of the user.
Set the permission level for the user or group.
Click Add.

The user or group of users can now access the component specified in the custom policy.