As noted in the Apache NiFi Admin Guide – Initial Admin Identity, when a user configures a new secure NiFi instance, they must populate an Initial Admin Identity (IAI) in authorizers.xml. However, if this is a new instance, the IAI user does not have any access to the flow itself.
For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow.
I believe there can be a workaround to determine the root process group UUID and grant the IAI user access automatically on startup. When starting a new instance, I can see the flow.xml.gz file persisted to disk with a generated root process group ID before granting the IAI user any additional permissions.
Once the empty flow.xml.gz is persisted to disk and the root process group ID determined, the IAI user should be automatically granted write permissions to that group.
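The lookup and grant described above, as an added example that is not NiFi's own code: it reads the root process group ID from a persisted flow.xml.gz and builds read and write component policies scoped to that group only. The flowController/rootGroup/id layout, the policy element shape, the /process-groups/{id} resource string, the sample UUID and the "iai-user-id" placeholder are assumptions made for illustration.

```python
import gzip
import io
import uuid
import xml.etree.ElementTree as ET

# Constructed sample: minimal flow XML for a new, empty instance (assumed layout).
SAMPLE_FLOW = b"""<flowController encoding-version="1.0">
  <rootGroup>
    <id>7c84501d-d10c-407c-b9f3-1d80e38fe36a</id>
    <name>NiFi Flow</name>
  </rootGroup>
</flowController>"""


def root_group_id(flow_gz: bytes) -> str:
    """Return the root process group UUID from gzip-compressed flow XML."""
    with gzip.GzipFile(fileobj=io.BytesIO(flow_gz)) as fh:
        root = ET.parse(fh).getroot()
    node = root.find("./rootGroup/id")
    if node is None or not (node.text or "").strip():
        # Fail closed: never write a policy for an unknown or empty resource.
        raise ValueError("flow has no persisted root process group id")
    value = node.text.strip()
    uuid.UUID(value)  # raises ValueError if the id is not a well-formed UUID
    return value


def root_group_policies(group_id: str, user_id: str) -> list:
    """Build read and write component policies for the root group only."""
    policies = []
    for action in ("R", "W"):
        policy = ET.Element("policy", {
            "identifier": str(uuid.uuid4()),
            "resource": f"/process-groups/{group_id}",
            "action": action,
        })
        ET.SubElement(policy, "user", {"identifier": user_id})
        policies.append(policy)
    return policies


if __name__ == "__main__":
    gid = root_group_id(gzip.compress(SAMPLE_FLOW))
    # "iai-user-id" is a placeholder for the identifier assigned to the IAI user.
    for p in root_group_policies(gid, "iai-user-id"):
        print(ET.tostring(p, encoding="unicode"))
```

The grant is limited to the root group's component policies; nothing here touches data, provenance or controller-level resources.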