Skip to content
English
Customer portal
Contact us
  • There are no suggestions because the search field is empty.

00.01 Who This Guide Is For

The Administrator Guide is for the operator who installs, configures, and runs SimpleRisk for their organization. Here's how it differs from the User Guide, what knowledge it assumes, and how to navigate it.

Why this matters

This guide is for the human responsible for running SimpleRisk on behalf of their organization. That's a different job from the human using SimpleRisk to manage risks — and the documentation is split accordingly. The split keeps the User Guide focused on GRC practice (submitting risks, running tests, managing controls) without burying its readers in admin-only content; it keeps the Administrator Guide focused on operational concerns (installation, upgrades, integrations, reference) without watering down the operator's working surface with end-user concept material.

If your job is to install SimpleRisk on infrastructure your team controls, configure authentication so the right people can log in, set up integrations with the rest of your tech stack, monitor that the application is healthy, upgrade through new releases, and answer "is SimpleRisk doing what we need it to do?" — this guide is for you. If your job is to use SimpleRisk to record risks, run audits, or build a compliance program, the User Guide is for you. Many people will read both, but they're separate readings.

The other reason this split matters: the technical depth differs sharply. The User Guide assumes GRC literacy and minimal technical depth — risk submitters don't need to know about MySQL configuration or PHP-FPM tuning. The Admin Guide assumes the opposite: the reader knows what a database is, what TLS is, what a cron job is, what an Apache or Nginx config file looks like. That assumption shapes how the Admin Guide is written; it explains SimpleRisk-specific behavior the operator couldn't infer from the source code, but it doesn't explain how to use vim or what a hostname is.

What this guide covers

The Admin Guide is organized around the operator's workflow over time:

  • Installation and Deployment (chapter 01) — getting SimpleRisk onto infrastructure for the first time. Covers system requirements, the Linux install path, the Docker install path, cloud installation patterns, the initial configuration wizard, installing Extras, and HTTPS/TLS configuration.
  • Upgrades and Maintenance (chapter 02) — keeping SimpleRisk current. The upgrade process for both Docker and bare-metal, Extra upgrades, database backup and restore, log rotation, and the cron jobs.
  • Users and Permissions (chapter 03) — the user-management surface that makes SimpleRisk a multi-user system. Managing users, the permission model, the full permission reference, organizational hierarchy, separation-of-duties patterns, and team-based segregation.
  • Authentication (chapter 04) — how users prove they are who they say they are. Local authentication, MFA, the Authentication Extra overview, SAML SSO setup, OIDC setup, AD/LDAP integration, API key management, and session management.
  • Customization (chapter 05) — making SimpleRisk fit your organization. Custom fields, custom risk scoring, mitigation controls, dropdown values, the risk catalog, language and localization, and email-template customization.
  • Configuring Risk and Compliance (chapter 06) — the program-side configuration. Default scoring methods, the risk formula, review cadence, framework installation, and the SCF/UCF Extras.
  • Integrations (chapter 07) — connecting SimpleRisk to the rest of the tech stack. The Jira Extra, the Notification Extra, webhook integration, and using the API for integrations.
  • The API (chapter 08) — the v2 REST API in depth. API overview, authentication and keys, permissions, rate limiting, the OpenAPI documentation, the Postman collection, and building scripts against the API.
  • Encryption and Data Security (chapter 09) — protecting sensitive data. The Encryption Extra, enabling encryption, key management and rotation, securing the database, securing the web server.
  • Workflows and Automation (chapter 10) — the automation layer. The Workflows Extra, creating a workflow, common patterns, the AI Extra overview, and configuring AI providers.
  • Reporting and Auditing (chapter 11) — operational reporting. The audit trail, the debug log, compliance evidence export, and scheduled reports.
  • Operations (chapter 12) — running SimpleRisk in production. Monitoring, performance tuning, scaling considerations, troubleshooting common issues, and when to contact support.
  • Reference (chapter 13) — the quick-lookup material. Configuration settings reference, database schema overview, cron jobs reference, default roles and permissions, and known limitations.

The chapter ordering is roughly the operator's chronological work — install first, then secure, then customize, then operate. You don't need to read straight through; the chapters are independent enough to consult on demand.

What knowledge this guide assumes

The Admin Guide assumes baseline operator knowledge:

  • A general understanding of web-application architecture. What a web server, a database, and an application server are; how they interact. The Admin Guide describes SimpleRisk's specific configuration but doesn't explain LAMP-stack fundamentals from scratch.
  • Basic Linux administration. Editing config files, managing services, working with the shell. The Linux install paths assume the reader can install packages, edit /etc/ files, and run commands as root or with sudo.
  • Basic Docker familiarity. For the Docker install paths. The reader should know what docker compose up does and how to read a docker-compose.yml.
  • Networking basics. TLS certificates, firewall rules, reverse proxies. The HTTPS/TLS configuration article covers SimpleRisk-specific decisions but assumes the reader can install a certificate and configure a load balancer.
  • SQL fundamentals. Reading a SELECT, understanding tables and joins. The reference chapters describe the schema; the operator who needs to query it directly should already know how.
  • GRC vocabulary at a basic level. The Admin Guide uses terms like "risk," "control," "audit," "exception" without re-defining them; the User Guide is the conceptual reference for those terms. Reading the User Guide's Foundations chapter first gives the operator the right vocabulary even if their day job isn't GRC practice.

The guide does not assume:

  • PHP development experience. SimpleRisk is written in PHP, but the operator doesn't need to read or modify PHP code to operate it. When an article references PHP files, it's for context (so you know where the behavior lives) rather than for editing instructions.
  • Custom-development experience. The Customization Extra and the Workflows Extra both support customization without code; the Admin Guide describes the configuration surfaces, not custom-development workflows.
  • Specific security-clearance background. The guide is for commercial-context operators; federal-context operators (FedRAMP, FISMA contexts) have additional concerns the guide notes but doesn't cover in depth.

How this guide relates to the User Guide

The two guides are companion volumes; together they're the complete documentation for SimpleRisk.

  • The User Guide (user_guide/) is structured around GRC discipline — chapters on risk management, compliance, governance, asset inventory, vulnerability management, assessments, incident management, audit and reporting, day-to-day usage, and continuous improvement. It reads as a "book on GRC, using SimpleRisk as the platform." Most articles are concept (what the discipline is) or how-to (how to perform a workflow).
  • The Admin Guide (this volume) is structured around operator workflow — chapters on installation, upgrades, users and permissions, authentication, customization, configuration, integrations, the API, encryption, automation, reporting, operations, and reference. It reads as an operator's runbook for deploying and running the platform. Most articles are how-to (specific configuration tasks) or reference (lookups).

When an article in this guide cites a User Guide concept (for example, when configuring frameworks the article references the conceptual material on what a framework is), the cross-link points into the User Guide. When a User Guide article cites an Admin concern (for example, when explaining permission gates), it points into this guide. The two are interlinked; neither stands alone for a user serious about both running and using SimpleRisk.

How to navigate this guide

Three patterns work well, depending on what you're doing:

  • First-time install — read in order through chapters 01 (Installation), 04 (Authentication), 03 (Users), 05 (Customization), and 06 (Configuring Risk and Compliance). Skip the chapters you're not using yet (no need to read about the Encryption Extra if you're not installing it). The chronological reading sets up the program with reasonable defaults.
  • Operational task — go to the relevant chapter, find the specific article. Each how-to article is self-contained enough to consult without reading the surrounding chapter. The cross-links handle the related-context navigation.
  • Reference lookup — chapter 13 (Reference) holds the quick-lookup material; if you need to know what a specific config_settings key controls or what a permission name gates, the reference chapter is faster than the article-level material.

For each article, the structure is:

  • Why this matters — the operational context for the configuration or task.
  • Before you start — the prerequisites the operator should have in place.
  • Step-by-step — the actual procedure, with code-grounded references to UI labels, file paths, and config_settings keys.
  • Common pitfalls — what goes wrong, with specific guidance on how to recover.
  • Reference (B+ template articles) — the closing block with permission required, API endpoints, implementing files, database tables, and config_settings keys for the workflow.

The Reference block at the end of each how-to and reference article is the operator's quick-lookup index — even if you skim the rest of the article, the Reference block tells you which permissions to grant, which files implement the behavior, and which settings to verify.

Common pitfalls

A handful of patterns recur with first-time admin-guide readers.

  • Reading the Admin Guide without reading the User Guide's Foundations chapter. The Admin Guide assumes basic GRC vocabulary. An operator who hasn't read the User Guide's Foundations chapter often gets confused when articles reference "the risk register" or "control families" without defining them. Read the Foundations chapter first; it's short and pays back across every subsequent admin task.

  • Trying to skip the install chapter on a fresh deploy. The Installation chapter covers SimpleRisk-specific decisions (database setup, web server configuration, the initial wizard) that operators sometimes try to skip in favor of just "running the install script." The script handles much of the work but the decisions it makes silently (which database the wizard creates, what permissions the web user needs, where logs land) matter operationally. The chapter explains what the script does so the operator can recover when something goes wrong.

  • Treating the Reference chapter as a substitute for the rest. The Reference chapter is for lookups, not for first-time learning. An operator who reads only the configuration-settings reference and not the surrounding articles ends up changing settings without understanding the side effects. Use the Reference chapter as a quick-lookup; use the article-level content for understanding.

  • Assuming the Admin Guide covers customer-of-customer scenarios. SimpleRisk Core is single-tenant — one installation, one organization. Programs running multi-tenant scenarios (managed-services providers running SimpleRisk for multiple end customers) need the Customization Extra and substantial custom development; the Admin Guide doesn't cover the multi-tenant patterns specifically.

  • Expecting the Admin Guide to cover every Extra in depth. The major Extras have their own articles in the relevant chapters (Authentication Extra in chapter 04, Encryption Extra in chapter 09, Workflows and AI Extras in chapter 10). The smaller Extras get briefer treatment, and the Admin Guide doesn't always cover the User-side workflow for an Extra (for that, the User Guide is the right reference). When an Extra has both an Admin chapter and a User chapter, the two cross-link.

Related