Assigning User Permissions

Create user permissions by assigning security roles. These roles regulate access to the web UI and the REST API to exchange monitoring and inventory information. In a distributed installation the Minion instance requires the ROLE_MINION permission to interact with Horizon.

Table 1. Built-in security roles (those with an asterisk are the most commonly used)
Security Role Name Description


Permissions to create, read, update, and delete in the web UI and the REST API (except see ROLE_FILESYSTEM_EDITOR below).


Permissions only to update the asset records from nodes.


Permissions only to view and update file configuration data via the REST API (and consequently, from the UI Preview). Note that even ROLE_ADMIN cannot view or edit configurations unless they also have the ROLE_FILESYSTEM_EDITOR role. Also, for a user with ROLE_FILESYSTEM_EDITOR to use the UI, they will also need the ROLE_USER or similar role.


Allow user access only to the dashboard.


Allow actions (such as acknowledging an alarm) to be performed on behalf of another user.


Allow user to view and trigger device configuration backups.


Allow user to edit flow classifications.


Allow retrieving JMX metrics but do not allow executing MBeans of the Horizon JVM, even if they just return simple values.


Minimum required permissions for a Minion to operate.


Allow user to use OpenNMS COMPASS mobile application to acknowledge alarms and notifications via the REST API.


Allow user to use the provisioning system and configure SNMP in Horizon to access management information from devices.


User limited to reading information in the web UI; unable to change alarm states or notifications.


Permissions to manage reports in the web UI and REST API.


Allow users to interact with the entire Horizon REST API.


Exchange information with the Horizon Real-Time Console for availability calculations.


Default permissions for a new user to interact with the web UI: can escalate and acknowledge alarms and notifications.

Assigning roles to users

  1. Log in as a user with administrative permissions.

  2. Click the gear icon in the top right.

  3. Choose Configure OpenNMS  Configure Users, Groups and On-Call Roles  Configure Users.

  4. Click the modify icon next to the user you want to update.

  5. Select the role from Security Roles  Available Roles.

  6. Click Add to assign the security role to the user.

  7. Click Finish to apply the changes.

  8. Log out and log in to apply the new security role settings.

Creating custom security roles

To create a custom security role you need to define the name and specify the security permissions.

  • Create a file called $OPENNMS_HOME/etc/

  • Add a property called roles, and for its value, a comma-separated list of the custom security roles, for example:


To define permissions associated with the custom security role, manually update the application context of the Spring security here: