diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index be2e684742..cd063ba629 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -415,7 +415,7 @@ Here is an example LDAP entry using the name John Smith: ---- -Here is a example Kerberos entry using the name John Smith and realm `NIFI.APACHE.ORG`: +Here is an example Kerberos entry using the name John Smith and realm `NIFI.APACHE.ORG`: ---- @@ -433,7 +433,7 @@ Here is a example Kerberos entry using the name John Smith and realm `NIFI.APACH ---- -After you have edited and saved the 'authorizers.xml' file, restart NiFi. The “Initial Admin Identity” user and administrative policies are added to the 'authorizations.xml' file during restart. Once NiFi starts, the “Initial Admin Identity” user is able to access the UI and begin managing users, groups, and policies. +After you have edited and saved the 'authorizers.xml' file, restart NiFi. The “Initial Admin Identity” user and administrative policies are added to the 'users.xml' and 'authorizations.xml' files during restart. Once NiFi starts, the “Initial Admin Identity” user is able to access the UI and begin managing users, groups, and policies. NOTE: For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow. 
@@ -458,7 +458,7 @@ Here is an example entry: ---- -After you have edited and saved the 'authorizers.xml' file, restart NiFi. Users and roles from the 'authorized-users.xml' file are converted and added as identities and policies in the 'authorizations.xml' file. Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies. +After you have edited and saved the 'authorizers.xml' file, restart NiFi. Users and roles from the 'authorized-users.xml' file are converted and added as identities and policies in the 'users.xml' and 'authorizations.xml' files. Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies. Here is a summary of policies assigned to each legacy role if the NiFi instance has an existing flow.xml.gz: @@ -648,6 +648,8 @@ You can override an inherited policy (as described in the <> NOTE: “View the policies” and “modify the policies” component-level access policies are an exception to this inherited behavior. When a user is added to either policy, they are added to the current list of administrators. They do not override higher level administrators. For this reason, only component specific administrators are displayed for the “view the policies” and “modify the policies" access policies. +NOTE: You cannot modify the users/groups on an inherited policy. Users and groups can only be added or removed from a parent policy or an override policy. + [[access-policy-config-examples]] Access Policy Configuration Examples ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -679,8 +681,13 @@ To allow User2 to move the GenerateFlowFile processor in the dataflow and only t image:processor-modify-policy.png["Processor Modify Policy"] The “modify the component” policy that currently exists on the processor (child) is the “modify the component” policy inherited from the root process group (parent) on which User1 has privileges. [start=4] -4. Select the Override link in the policy inheritance message to create a replacement policy. -5. On the replacement policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User1 in the User Identity field and select OK. Select the Add User icon again, find or enter User2 and select OK. +4. Select the Override link in the policy inheritance message. When creating the replacement policy, you are given a choice to override with a copy of the inherited policy or an empty policy. + +image:override_policy_copy_empty.png["Create Override Policy"] + +Select the Override button to create a copy. +[start=5] +5. On the replacement policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 in the User Identity field and select OK. image:processor-replacement-modify-policy.png["Processor Replacement Modify Policy"] 
@@ -699,8 +706,8 @@ In the “Moving a Processor” example above, User2 was added to the “modify image:processor-view-policy.png["Processor View Policy"] The view the component” policy that currently exists on the processor (child) is the "view the component” policy inherited from the root process group (parent) on which User1 has privileges. [start=4] -4. Select the Override link in the policy inheritance message to create a replacement policy. -5. On the replacement policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User1 in the User Identity field and select OK. Select the Add User icon again, find or enter User2 and select OK. +4. Select the Override link in the policy inheritance message, keep the default of Copy policy and select the Override button. +5. On the override policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 in the User Identity field and select OK. image:processor-replacement-view-policy.png["Processor Replacement View Policy"] @@ -721,8 +728,8 @@ image:user2-no-connection.png["User2 No Connection"] This is because: -* User2 does not have modify access on the process group and is therefore not able to create a connection. -* Even though User2 has view and modify access to the source component (GenerateFlowFile), User2 does not have any access policy on the destination component (LogAttribute). +* User2 does not have modify access on the process group. +* Even though User2 has view and modify access to the source component (GenerateFlowFile), User2 does not have an access policy on the destination component (LogAttribute). To allow User2 to connect GenerateFlowFile to LogAttribute, as User1: 
@@ -730,7 +737,7 @@ To allow User2 to connect GenerateFlowFile to LogAttribute, as User1: 2. Select the Access Policies icon (image:iconAccessPolicies.png["Access Policies Icon"]) from the Operate palette and the Access Policies dialog opens. 3. Select "modify the component” from the policy drop-down. image:process-group-modify-policy.png["Process Group Modify Policy"] - [start=4] +[start=4] 4. Select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 and select OK. image:process-group-modify-policy-add-user2.png["Process Group Modify Policy Add User2"] @@ -766,7 +773,7 @@ To allow User2 to connect GenerateFlowFile to ReplaceText, as User1: 2. Select the Access Policies icon (image:iconAccessPolicies.png["Access Policies Icon"]). 3. Select "view the component” from the policy drop-down. image:process-group-view-policy.png["Process Group View Policy"] - [start=4] +[start=4] 4. Select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 and select OK. image:process-group-view-policy-add-user2.png["Process Group View Policy Add User2"] diff --git a/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png b/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png index da3d54babb..8d89171e24 100644 Binary files a/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png and b/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png differ diff --git a/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png b/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png index 5a23b88748..9b7ed2d17c 100644 Binary files a/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png and b/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png differ 
diff --git a/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png b/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png new file mode 100644 index 0000000000..5aaa665b51 Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png differ diff --git a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png index aa4225be2f..1119f8a424 100644 Binary files a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png and b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png differ diff --git a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png index db1395b57a..f1af9e0a75 100644 Binary files a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png differ diff --git a/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png b/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png index 0e1cf6ad45..4079c1cdb5 100644 Binary files a/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png and b/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png differ diff --git a/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png b/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png index 79bda56787..40d9ee4225 100644 Binary files a/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png and b/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png differ 
diff --git a/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png b/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png index b503e25d1b..faa3eb1c70 100644 Binary files a/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png differ diff --git a/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png b/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png index 2efb4fbfac..ec11a2293e 100644 Binary files a/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png differ diff --git a/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png b/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png index 398da252ec..4af2876e53 100644 Binary files a/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png differ diff --git a/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png b/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png index 5fb9968ee6..fa701c66f1 100644 Binary files a/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png differ diff --git a/nifi-docs/src/main/asciidoc/images/processor-view-policy.png b/nifi-docs/src/main/asciidoc/images/processor-view-policy.png index 14f3c7ca9e..8bebd11ecf 100644 Binary files a/nifi-docs/src/main/asciidoc/images/processor-view-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-view-policy.png differ 
diff --git a/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png b/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png index a0ea098a69..7b4fcdee45 100644 Binary files a/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png and b/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user1-create-connection.png b/nifi-docs/src/main/asciidoc/images/user1-create-connection.png index d12d8cd2cb..6e062c68b2 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user1-create-connection.png and b/nifi-docs/src/main/asciidoc/images/user1-create-connection.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png b/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png index 842a8b18f3..dc3db6c1e6 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png and b/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user1-full-access.png b/nifi-docs/src/main/asciidoc/images/user1-full-access.png index a977d9a3df..d364a8c98b 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user1-full-access.png and b/nifi-docs/src/main/asciidoc/images/user1-full-access.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-can-connect.png b/nifi-docs/src/main/asciidoc/images/user2-can-connect.png index c2a58b7313..37ec232627 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-can-connect.png and b/nifi-docs/src/main/asciidoc/images/user2-can-connect.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png b/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png index ff207f221a..d8c7bb5685 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png and b/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png differ 
diff --git a/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png b/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png index 23584bbb3a..a367aea3ca 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png and b/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png b/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png index 430a2febfd..11e88cbf3a 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png and b/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png b/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png index 1dac9f4f9b..a5998d2cf1 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png and b/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-no-connection.png b/nifi-docs/src/main/asciidoc/images/user2-no-connection.png index 3717f047f1..500f86aac3 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-no-connection.png and b/nifi-docs/src/main/asciidoc/images/user2-no-connection.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png b/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png index d28127a8fc..6412fd9b6b 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png and b/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png differ diff --git a/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png b/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png index c2455caf03..9e170c1a75 100644 Binary files a/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png and b/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png differ
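Review bot: In the hunks at -433 and -458, the reworded sentences name both 'users.xml' and 'authorizations.xml' but do not say which file receives the identities and which receives the policies. An administrator who backs up, diffs or audits these files after the restart needs that mapping, so split each sentence to name the destination file for each kind of entry. The -458 sentence has the same gap for the converted 'authorized-users.xml' roles.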
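Review bot: The NOTE added at -648 does not say how it relates to the NOTE immediately above it, which describes “view the policies” and “modify the policies” as an exception where adding a user adds them to the current list of administrators. State whether the "cannot modify the users/groups on an inherited policy" restriction applies to those two policies as well, since the two notes otherwise read as conflicting. Also "added or removed from a parent policy" is missing a preposition; suggest "added to or removed from", and a cross-reference to the access-policy-config-examples section that follows would show readers how to create the override.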
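Review bot: In the hunk at -679, step 4 introduces the choice between "a copy of the inherited policy or an empty policy" but never says what the empty option does to existing access. The removed step 5 had the reader re-add User1 before adding User2, which the copy option now makes unnecessary; add one sentence saying that an empty override carries over none of the inherited users, so anyone who still needs access must be added again. The image and "Select the Override button to create a copy." are also detached from step 4, which is why `[start=5]` had to be added; attaching them to step 4 with a list continuation would keep the numbering intact without the extra attribute.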
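Review bot: In the hunk at -699, step 4 refers to "the default of Copy policy" as if it were a labelled option, but the -679 hunk only describes the choice as "a copy of the inherited policy or an empty policy" and never gives the option names. Use the same label in both places. Step 5 here also says "override policy" while step 5 in the -679 hunk still says "replacement policy", and the new NOTE at -648 says "override policy"; pick one term for all three. While this paragraph is being touched, the context line "The view the component” policy" is missing its opening quotation mark.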
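Review bot: The new image file override_policy_copy_empty.png uses underscores, while every other image in this patch uses hyphens (for example processor-replacement-modify-policy.png and process-group-view-policy.png). Rename it to override-policy-copy-empty.png and update the image: reference in the -679 hunk to match. The patch also replaces a large number of existing screenshots without a note on why; a line in the commit message saying they were recaptured for the new override dialog would help reviewers who cannot diff binary files.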