Assigning User Permissions

Create user permissions by assigning security roles. These roles regulate access to the web UI and the REST API to exchange monitoring and inventory information. In a distributed installation the Minion instance requires the ROLE_MINION permission to interact with Horizon.

Table 1. Built-in security roles (those with an asterisk are the most commonly used)
Security Role Name Description

ROLE_ADMIN*

Permissions to create, read, update, and delete in the web UI and the REST API (except see ROLE_FILESYSTEM_EDITOR below).

ROLE_ASSET_EDITOR

Permissions only to update the asset records from nodes.

ROLE_FILESYSTEM_EDITOR

Permissions only to view and update file configuration data via the REST API (and consequently, from the UI Preview). Note that even ROLE_ADMIN cannot view or edit configurations unless they also have the ROLE_FILESYSTEM_EDITOR role. Also, for a user with ROLE_FILESYSTEM_EDITOR to use the UI, they will also need the ROLE_USER or similar role.

ROLE_DASHBOARD

Allow user access only to the dashboard.

ROLE_DELEGATE

Allow actions (such as acknowledging an alarm) to be performed on behalf of another user.

ROLE_DEVICE_CONFIG_BACKUP

Allow user to view and trigger device configuration backups.

ROLE_FLOW_MANAGER

Allow user to edit flow classifications.

ROLE_JMX

Allow retrieving JMX metrics but do not allow executing MBeans of the Horizon JVM, even if they just return simple values.

ROLE_MINION

Minimum required permissions for a Minion to operate.

ROLE_MOBILE

Allow user to use OpenNMS COMPASS mobile application to acknowledge alarms and notifications via the REST API.

ROLE_PROVISION

Allow user to use the provisioning system and configure SNMP in Horizon to access management information from devices.

ROLE_READONLY*

User limited to reading information in the web UI; unable to change alarm states or notifications.

ROLE_REPORT_DESIGNER

Permissions to manage reports in the web UI and REST API.

ROLE_REST

Allow users to interact with the entire Horizon REST API.

ROLE_RTC*

Exchange information with the Horizon Real-Time Console for availability calculations.

ROLE_USER*

Default permissions for a new user to interact with the web UI: can escalate and acknowledge alarms and notifications.

Assigning roles to users

  1. Log in as a user with administrative permissions.

  2. Click the gear icon in the top right.

  3. Choose Configure OpenNMS  Configure Users, Groups and On-Call Roles  Configure Users.

  4. Click the modify icon next to the user you want to update.

  5. Select the role from Security Roles  Available Roles.

  6. Click Add to assign the security role to the user.

  7. Click Finish to apply the changes.

  8. Log out and log in to apply the new security role settings.

Creating custom security roles

To create a custom security role you need to define the name and specify the security permissions.

  • Create a file called $OPENNMS_HOME/etc/security-roles.properties.

  • Add a property called roles, and for its value, a comma-separated list of the custom security roles, for example:

roles=operator,stage

To define permissions associated with the custom security role, manually update the application context of the Spring security here:

/opt/opennms/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml