There are cases where customers may wish to provide static authorization files (users.xml, authorizer.xml, authorizations.xml) instead of fetching the data dynamically (for instance, when collecting user and group data from AD/Entra). Statically provided user/group information and rough-granular permissions are honoured, but for process groups this is more involved as the rootGroupId is not known until the root flow file has been initialized, an action which itself requires the authorization data. If permissions are not assigned to the root flow file then this needs to be added maunually in the UI.

To get around this, it should be possible to patch Nifi such that a callback action is used to replace a placeholder value with the actual group ID, but only once the flow file has been initialized. A spike for this can be found in this branch: https://github.com/stackabletech/docker-images/tree/spike/nifi-patch-rootgroupid