Assign User Permissions

You can control user permission levels by creating and assigning security roles. These roles regulate access to the Horizon web UI and the REST API to exchange monitoring and inventory information.

In a distributed installation, Minion instances require an account that is assigned the ROLE_MINION security role to interact with Horizon. You can create one account for all Minions to share, or one account per Minion.

Built-in security roles

The following security roles are built in to Horizon by default. Roles marked with an asterisk are the most commonly used.

Security Role Name Description

Security Role Name	Description
ROLE_ADMIN ^*	Permissions to create, read, update, and delete in the web UI and the REST API (see `ROLE_FILESYSTEM_EDITOR` for exceptions).
ROLE_ASSET_EDITOR	Permissions only to update asset records from nodes.
ROLE_FILESYSTEM_EDITOR	Permissions only to view and update file configuration data via the REST API. Note that `ROLE_ADMIN` users cannot view or edit configurations unless they also have the `ROLE_FILESYSTEM_EDITOR` role. Also, for a user with `ROLE_FILESYSTEM_EDITOR` to use the UI, they will also need the `ROLE_USER` or similar role.
ROLE_DASHBOARD	Permissions only to view the dashboard.
ROLE_DELEGATE	Permissions to perform actions (such as acknowledging an alarm) on behalf of another user.
ROLE_DEVICE_CONFIG_BACKUP	Permissions to view and trigger device configuration backups.
ROLE_FLOW_MANAGER	Permissions to edit flow classifications.
ROLE_JMX	Permissions to retrieve JMX metrics, but not to execute MBeans of the Horizon JVM, even if they just return simple values.
ROLE_MINION	Minimum required permissions for a Minion to operate.
ROLE_MOBILE	Permissions to use OpenNMS COMPASS mobile application to acknowledge alarms and notifications via the REST API.
ROLE_PROVISION	Permissions to use the provisioning system and configure SNMP in Horizon to access management information from devices.
ROLE_READONLY ^*	Permissions only to read information in the web UI; user cannot change alarm states or notifications.
ROLE_REPORT_DESIGNER	Permissions to manage reports in the web UI and REST API.
ROLE_REST	Permissions to interact with the entire Horizon REST API.
ROLE_RTC ^*	Permissions to exchange information with the Horizon Real-Time Console for availability calculations.
ROLE_USER ^*	Default permissions for a new user to interact with the web UI: can escalate and acknowledge alarms and notifications.

ROLE_ADMIN ^*

Permissions to create, read, update, and delete in the web UI and the REST API (see ROLE_FILESYSTEM_EDITOR for exceptions).

ROLE_ASSET_EDITOR

Permissions only to update asset records from nodes.

ROLE_FILESYSTEM_EDITOR

Permissions only to view and update file configuration data via the REST API.
Note that ROLE_ADMIN users cannot view or edit configurations unless they also have the ROLE_FILESYSTEM_EDITOR role. Also, for a user with ROLE_FILESYSTEM_EDITOR to use the UI, they will also need the ROLE_USER or similar role.

ROLE_DASHBOARD

Permissions only to view the dashboard.

ROLE_DELEGATE

Permissions to perform actions (such as acknowledging an alarm) on behalf of another user.

ROLE_DEVICE_CONFIG_BACKUP

Permissions to view and trigger device configuration backups.

ROLE_FLOW_MANAGER

Permissions to edit flow classifications.

ROLE_JMX

Permissions to retrieve JMX metrics, but not to execute MBeans of the Horizon JVM, even if they just return simple values.

ROLE_MINION

Minimum required permissions for a Minion to operate.

ROLE_MOBILE

Permissions to use OpenNMS COMPASS mobile application to acknowledge alarms and notifications via the REST API.

ROLE_PROVISION

Permissions to use the provisioning system and configure SNMP in Horizon to access management information from devices.

ROLE_READONLY ^*

Permissions only to read information in the web UI; user cannot change alarm states or notifications.

ROLE_REPORT_DESIGNER

Permissions to manage reports in the web UI and REST API.

ROLE_REST

Permissions to interact with the entire Horizon REST API.

ROLE_RTC ^*

Permissions to exchange information with the Horizon Real-Time Console for availability calculations.

ROLE_USER ^*

Default permissions for a new user to interact with the web UI: can escalate and acknowledge alarms and notifications.

Assign security roles

Follow the steps below to assign security roles to user accounts:

Click the gear symbol at the top-right of the screen.
Under Configure OpenNMS, click Configure Users, Groups and On-Call Roles Configure Users.
Find the user to whom you want to assign a security role and click Modify beside their name.
Select the role to add to the user account from the Available Roles list, and click Add.
- Follow this step to add as many roles as necessary to the account.
Click Finish to apply the changes.
Log out of Horizon and log back in to apply the new security role settings.

Create custom security roles

To create a custom security role, you need to define its name and specify the permissions it will provide. Follow the steps below to create a custom role:

Create ${OPENNMS_HOME}/etc/security-roles.properties in your OpenNMS directory.
Add a roles property, and enter a comma-separated list of the custom security roles for its value.
Example of a roles property
```
roles=operator,stage
```

To define permissions associated with a custom security role, you must manually update the application context of the Spiring security in ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml.