
Roles and Permissions Introduction

Roles in OpenRMF® Professional give you generic access to call the API endpoints. Group permissions then take over once you are actually inside the API to restrict data access. Having roles on the API endpoints enforces security at the endpoint before any data is accessed or security checked at all. The security model in OpenRMF® Professional means you have to have the right user authentication first, then role authorization, then group permission to get to the data you are requesting.

Group Permissions give you access at particular levels into the system package listings of checklists, POAM data, reports, patch scan data and the like. It is the combination of roles (to reach API endpoints) and specific group access (your permissions to view and edit data) that determines what you can do.

OpenRMF® Professional Roles

Administrator - allows adding new System Packages. It also allows access to licensing, settings, and audit filtering. It does not allow access into any particular system package for checklists, POAM, etc. This role should only be used by those administering OpenRMF® Professional, adding global templates, global mitigation statements, global overlays, and applying settings to the application.

SystemPackageAdministrator - allows creating and modifying system packages at the installation level as the only “Administrator” type of function. It does not allow any other administrator feature, only adding and updating System Package information. This can be used with the new v2.7 API call to create system packages without giving out Administrative privileges to an API (not recommended).

TemplateAdministrator - allows uploading DISA templates, uploading and creating/copying Organization templates, and creating/copying System Package templates throughout the application. The Template Administrator can also create and update Custom Checklist Templates created within OpenRMF® Professional.

AuditAdministrator - allows viewing of Auditing data at the installation level across all system packages. Also allows exporting to XLSX.

Reader - allows general read-only access into the application.

Editor - allows access to update and delete endpoints as well as reader access.

Creator - allows access to create and update data such as checklists and templates as well as reader access.

Owner - allows access to create, update, and delete data endpoints as well as system package level auditing information.

ExternalAPI - any external API user calling the 50+ APIs external from OpenRMF® Professional must have this as a role for any API call to work correctly.

System Package Group Permissions

Note that any permission below, granted through membership in any of the system package groups (e.g. “systemkeyname_ChecklistCreator”), in essence creates a “reader” group permission in that system package. Users must be able to read data in a system package in order to do any other function. These group permissions, in combination with the roles above, turn things on and off in the OpenRMF® Professional user interface as well as API call availability when operating inside a system package’s information.

Reader - read only access into a system package and its data.

  • Must have the general Reader role as well

Checklist Creator - allows you to create and edit a checklist in a system package as well as read data.

  • Must have the general Creator or Owner role as well

Checklist Editor - allows you to edit a checklist, update or upgrade a checklist in a system package as well as read data.

  • Must have the general Editor or Owner role as well

Create Issue - allows you to create issues / tasks for the integrated Jira, GitLab, GitHub or ServiceNow management systems from within a system package.

  • Must have at least the general Creator, Editor or Owner role as well

Inherit Security Controls - allows you to list and select controls and subcontrols from a system package whose controls you inherit. This does not allow you to view the system package you wish to inherit. It only allows you to list the saved compliance of controls and subcontrols to inherit.

  • Must have at least the general Reader role as well

Patch Administrator - allows you to upload patch scans, edit the server listing of patch vulnerabilities, edit the hardware and software listing, edit the PPSM listing, and remove a patch report accidentally uploaded.

  • Must have the general Creator, Editor or Owner role as well

POAM Editor - allows you to edit POAM item entries.

  • Must have the general Editor or Owner role as well

System Owner - allows you to do all the other permissions above as well as tailor controls, delete checklists, upload checklists and SCAP scans, upload Patch scans, edit the hardware and software listing, edit the PPSM listing, and mark a system package as read-only. You also can edit the tailored list of controls, create and add mitigation statements, and create and add overlays.

  • Must have the general Owner role as well

Security Administrator - allows you to view audit information as well as read data.

  • Must have the general Reader or Owner role as well

Template Creator - allows you to create a system package template by uploading, or copying a DISA or Company template into a system package, as well as read data.

  • Must have the general Creator or Owner role as well

Template Editor - allows you to edit any system package template, as well as read data.

  • Must have the general Creator, Editor or Owner role as well

Vulnerability Administrator - allows you to upload technology vulnerability scans, edit the category/source/project listing of technology vulnerabilities, and remove a source/project accidentally uploaded.

  • Must have the general Creator, Editor or Owner role as well

Team Subpackage Group Permissions

Note that any permission below, granted through membership in any of the team subpackage groups (e.g. “systemkeyname.teamkey_ChecklistEditor”), in essence creates a “reader” group permission in that system package. Users must be able to read data in a system package in order to do any other function. These group permissions, in combination with the roles above, turn things on and off in the OpenRMF® Professional user interface as well as API call availability when operating inside a system package’s information.

Reader - read only access into a system package and its data.

  • Must have the general Reader role as well

Checklist Creator - allows you to update an existing checklist, or create and add a checklist (one not already elsewhere in the system package) to the team subpackage, whether by uploading or by using Create Checklist from a Template.

  • Must have the general Creator, Editor or Owner role as well

Checklist Editor - allows you to edit a checklist, update or upgrade a checklist in a system package as well as read data.

  • Must have the general Editor or Owner role as well

Patch Administrator - allows you to upload patch scans for existing or new devices (not already elsewhere in the system package), edit the server listing, edit the hardware and software listing, edit the PPSM listing, and remove a patch report accidentally uploaded.

  • Must have the general Creator, Editor or Owner role as well

Patch Editor - allows you to upload patch scans for existing hardware devices in your Team Subpackage, add/edit the server listing, edit the hardware and software listing, edit the PPSM listing.

  • Must have the general Creator, Editor or Owner role as well

POAM Editor - allows you to edit and bulk edit POAM items associated with this Team Subpackage.

  • Must have the general Creator, Editor or Owner role as well
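To make the layered check concrete, here is a small Python model of the authentication-then-role-then-group-permission flow described on this page. It is an added example, not OpenRMF® Professional code: the role tables are transcribed from the lists above, while the group-name character set, the function names and the return values are assumptions of the example.

```python
import re

# General roles each group permission requires, transcribed from the lists above.
R, C, E, O = "Reader", "Creator", "Editor", "Owner"
REQUIRED_ROLES = {  # system package group permissions
    "Reader": {R}, "ChecklistCreator": {C, O}, "ChecklistEditor": {E, O},
    "CreateIssue": {C, E, O}, "InheritSecurityControls": {R},
    "PatchAdministrator": {C, E, O}, "POAMEditor": {E, O}, "SystemOwner": {O},
    "SecurityAdministrator": {R, O}, "TemplateCreator": {C, O},
    "TemplateEditor": {C, E, O}, "VulnerabilityAdministrator": {C, E, O},
}
TEAM_REQUIRED_ROLES = {  # team subpackage group permissions
    "Reader": {R}, "ChecklistCreator": {C, E, O}, "ChecklistEditor": {E, O},
    "PatchAdministrator": {C, E, O}, "PatchEditor": {C, E, O}, "POAMEditor": {C, E, O},
}

# Group naming convention quoted on the page: "systemkeyname_Permission" for a system
# package, "systemkeyname.teamkey_Permission" for a team subpackage (key charset assumed).
GROUP_RE = re.compile(
    r"^(?P<system>[A-Za-z0-9-]+)(?:\.(?P<team>[A-Za-z0-9-]+))?_(?P<perm>[A-Za-z]+)$"
)

def parse_group(name):
    """Split a group name into (system_key, team_key or None, permission); None if malformed."""
    m = GROUP_RE.match(name)
    return (m.group("system"), m.group("team"), m.group("perm")) if m else None

def can_access(roles, groups, system_key, permission, team_key=None):
    """Layered check in the page's order: general role first (endpoint
    authorization), then the group permission for the data. Returns (allowed, reason)."""
    table = TEAM_REQUIRED_ROLES if team_key else REQUIRED_ROLES
    if permission not in table:
        return False, "unknown permission"
    allowed_roles = set(table[permission])
    if permission == "Reader":
        allowed_roles |= {C, E, O}  # these roles include reader access per the role list
    if not allowed_roles & set(roles):
        return False, "missing general role"  # rejected before any data is touched
    for group in groups:
        parsed = parse_group(group)
        if parsed is None:
            continue  # ignore groups that do not follow the naming convention
        sys_k, team_k, perm = parsed
        if sys_k != system_key or team_k != team_key:
            continue  # a group only grants access inside its own package/subpackage
        # Any group permission in a package implies reader permission there.
        if perm == permission or permission == "Reader":
            return True, "granted"
    return False, "missing group permission"
```

Note that a team subpackage group does not satisfy a request scoped to the parent system package, and vice versa, which mirrors the separate group lists above.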

Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!℠