
13.01 Settings Reference

SimpleRisk stores configuration in the settings table — hundreds of key-value rows controlling everything from session timeouts to risk-scoring methodology to per-Extra activation flags. This reference covers the most-touched settings grouped by domain. Use the Configure → Settings UI for routine changes; this catalog is for the operator who needs to query or manipulate settings directly.

Why this is a reference article

This article catalogs the settings table keys that operators most commonly need to know about. The full settings table contains hundreds of rows, including many that are internal-only or specific to inactive Extras. The catalog below covers the most-referenced settings; for a full listing, query the database (SELECT name, value FROM settings ORDER BY name;).

The settings table is one of the most-used surfaces for SimpleRisk operators. Most settings have a UI surface (under various Configure → Settings paths), but direct database manipulation is sometimes faster or necessary for bulk changes.

Authentication and password policy

pass_policy_enabled

  • Type: boolean
  • Purpose: Master toggle for password policy enforcement.

pass_policy_min_chars

  • Type: int
  • Purpose: Minimum password length. Default 8.

pass_policy_alpha_required

  • Type: boolean
  • Purpose: Require at least one alphabetic character.

pass_policy_upper_required

  • Type: boolean
  • Purpose: Require at least one uppercase character.

pass_policy_lower_required

  • Type: boolean
  • Purpose: Require at least one lowercase character.

pass_policy_digits_required

  • Type: boolean
  • Purpose: Require at least one digit.

pass_policy_special_required

  • Type: boolean
  • Purpose: Require at least one non-alphanumeric character.

pass_policy_max_age

  • Type: int
  • Purpose: Days before password expiration; 0 disables.

pass_policy_reuse_limit

  • Type: int
  • Purpose: Number of prior passwords remembered; reuse of any of them is rejected.

pass_policy_attempt_lockout

  • Type: int
  • Purpose: Failed attempts before account lockout. 0 disables lockout.

pass_policy_attempt_lockout_time

  • Type: int
  • Purpose: Minutes until auto-unlock. 0 means permanent until admin unlock.

mfa_required

  • Type: boolean
  • Purpose: Force MFA enrollment for all users.

session_activity_timeout

  • Type: int
  • Purpose: Idle session timeout in seconds. Default 3600.

session_absolute_timeout

  • Type: int
  • Purpose: Absolute session lifetime in seconds. Default 28800.

See Local Authentication and Password Policies, Multi-Factor Authentication, Session Management and Timeout.

API

api

  • Type: boolean ('true'/'false')
  • Purpose: Master API toggle.

api_v1

  • Type: boolean
  • Purpose: Legacy v1 API enable. Default off on fresh installs.

api_salt

  • Type: string
  • Purpose: Per-install salt for hashing API keys.

See Authentication and API Keys.

Risk scoring

risk_model

  • Type: int (1-6)
  • Purpose: System default scoring methodology. 1 = Classic, 2 = CVSS, 3 = DREAD, 4 = OWASP, 5 = Custom, 6 = Contributing Risk.

need_risk_score_normalization

  • Type: boolean
  • Purpose: Normalize raw scores to 0-10 for display. Default true.

default_risk_score

  • Type: int
  • Purpose: Fallback for invalid inputs. Default 10.

count_of_likelihoods

  • Type: int
  • Purpose: Likelihood scale max. Typically 5.

count_of_impacts

  • Type: int
  • Purpose: Impact scale max. Typically 5.

next_review_date_uses

  • Type: string
  • Purpose: inherent or residual — which score drives review cadence.

sla_threshold_very_high

  • Type: int
  • Purpose: Days for Very High risks. Default 30.

sla_threshold_high

  • Type: int
  • Purpose: Days for High. Default 60.

sla_threshold_medium

  • Type: int
  • Purpose: Days for Medium. Default 90.

sla_threshold_low

  • Type: int
  • Purpose: Days for Low. Default 180.

sla_threshold_insignificant

  • Type: int
  • Purpose: Days for Insignificant. Default 180.

See Default Risk Scoring Method, The Risk Formula, Risk Review Cadence.

Localization

default_language

  • Type: string
  • Purpose: System default locale code (e.g., en, fr, de).

default_date_format

  • Type: string
  • Purpose: Date display pattern (e.g., YYYY-MM-DD).

See Language and Localization.

Email and notifications

phpmailer_transport

  • Type: string
  • Purpose: smtp or sendmail.

phpmailer_host

  • Type: string
  • Purpose: SMTP server hostname.

phpmailer_port

  • Type: int
  • Purpose: SMTP port (587 for STARTTLS, 465 for implicit TLS).

phpmailer_encryption

  • Type: string
  • Purpose: tls, ssl, or none.

phpmailer_auth

  • Type: boolean
  • Purpose: SMTP authentication required.

phpmailer_username

  • Type: string
  • Purpose: SMTP username.

phpmailer_password

  • Type: string (encrypted)
  • Purpose: SMTP password.

mail_from

  • Type: string
  • Purpose: Sender email address.

NOTIFY_ON_NEW_RISK

  • Type: boolean
  • Purpose: Send notifications on new risk submission.

NOTIFY_ON_RISK_UPDATE

  • Type: boolean
  • Purpose: Send notifications on risk update.

NOTIFY_ON_NEW_MITIGATION

  • Type: boolean
  • Purpose: Send notifications on new mitigation.

NOTIFY_ON_MITIGATION_UPDATE

  • Type: boolean
  • Purpose: Send notifications on mitigation update.

NOTIFY_ON_RISK_REVIEW

  • Type: boolean
  • Purpose: Send notifications on risk review.

NOTIFY_ON_RISK_CLOSE

  • Type: boolean
  • Purpose: Send notifications on risk closure.

NOTIFY_ON_RISK_COMMENT

  • Type: boolean
  • Purpose: Send notifications on risk comment.

NOTIFY_ON_AUDIT_INITIATE

  • Type: boolean
  • Purpose: Send notifications on audit cycle initiation.

NOTIFY_ON_AUDIT_COMMENT

  • Type: boolean
  • Purpose: Send notifications on audit comment.

NOTIFY_ON_AUDIT_STATUS_CHANGE

  • Type: boolean
  • Purpose: Send notifications on audit status change.

See Email and the Notification Extra.

Encryption

encryption

  • Type: boolean
  • Purpose: Encryption Extra activation flag.

The master key isn't a setting — it lives in simplerisk/extras/encryption/includes/init.php. See The Encryption Extra Overview.

Authentication Extra (SAML / LDAP)

custom_auth

  • Type: boolean
  • Purpose: Authentication Extra activation flag.

custom_auth_method

  • Type: string
  • Purpose: Active auth method (typically local, saml, or ldap).

AUTHENTICATION_ADD_NEW_USERS

  • Type: boolean
  • Purpose: Auto-provision unknown SSO users.

LDAPHOST, LDAPPORT, LDAP_VERSION

  • Type: mixed
  • Purpose: LDAP connection details.

TLS, SASL

  • Type: boolean
  • Purpose: LDAP transport security and auth mode.

BIND_FIRST, BIND_ACCOUNT, BIND_ACCOUNT_PASS

  • Type: mixed
  • Purpose: LDAP service account binding.

USERDN, LDAP_USER_FILTER, AUTHENTICATION_LDAP_USER_ATTRIBUTE

  • Type: mixed
  • Purpose: LDAP user search.

GROUPDN, LDAP_GROUP_ATTRIBUTE, LDAP_MEMBER_ATTRIBUTE, LDAP_FILTER_FOR_GROUP, LDAP_MANAGER_ATTRIBUTE

  • Type: mixed
  • Purpose: LDAP group mapping.

SAML_METADATA_URL, SAML_METADATA_XML, SAML_METADATA_CACHE_TTL

  • Type: mixed
  • Purpose: SAML IdP metadata.

USERNAME_ATTRIBUTE, SAML_DISPLAY_NAME_ATTRIBUTE, SAML_EMAIL_ATTRIBUTE, SAML_ROLE_ATTRIBUTE, SAML_TEAMS_ATTRIBUTE

  • Type: mixed
  • Purpose: SAML attribute mapping.

SAML_SIGN_AUTHN_REQUESTS, SAML_WANT_ASSERTIONS_SIGNED, SAML_REQUIRE_ENCRYPTED_ASSERTIONS

  • Type: boolean
  • Purpose: SAML cryptographic options.

See The Authentication Extra Overview, Configuring SAML SSO, Active Directory and LDAP.

Customization Extra

customization

  • Type: boolean
  • Purpose: Customization Extra activation flag.

Custom field definitions and templates live in dedicated tables (custom_fields, custom_data, custom_template), not the settings table. See Custom Fields.

Separation Extra

team_separation

  • Type: boolean
  • Purpose: Separation Extra activation flag.

allow_owner_to_risk

  • Type: boolean
  • Purpose: Risk owners see their own risks.

allow_ownermanager_to_risk

  • Type: boolean
  • Purpose: Owner's manager sees the risk.

allow_submitter_to_risk

  • Type: boolean
  • Purpose: Submitter sees what they submitted.

allow_team_member_to_risk

  • Type: boolean
  • Purpose: Team members see the team's risks.

allow_stakeholder_to_risk

  • Type: boolean
  • Purpose: Additional stakeholders see the risk.

allow_all_to_risk_noassign_team

  • Type: boolean
  • Purpose: Unassigned-team risks visible to all.

Plus parallel allow_* settings for tests/audits and documents. See Separation of Duties.

Organizational Hierarchy Extra

organizational_hierarchy

  • Type: boolean
  • Purpose: Extra activation flag.

default_business_unit_id

  • Type: int
  • Purpose: ID of the default business unit created at activation.

See Organizational Hierarchy.

UCF Extra

ucf

  • Type: boolean
  • Purpose: UCF Extra activation flag.

UCF API URL and credentials are typically settings as well; see Control Mapping with the UCF Extra.

ComplianceForge SCF Extra

extra_scf

  • Type: boolean
  • Purpose: SCF Extra activation flag.

extra_scf_status

  • Type: string
  • Purpose: installing, ready, or error.

extra_scf_version

  • Type: string
  • Purpose: Currently-installed SCF version.

extra_scf_auto_process_updates

  • Type: boolean
  • Purpose: Auto-pull SCF updates.

extra_scf_add_new

  • Type: boolean
  • Purpose: Auto-add new SCF controls on update.

extra_scf_update_existing

  • Type: boolean
  • Purpose: Auto-update existing SCF controls on update.

extra_scf_delete_removed

  • Type: boolean
  • Purpose: Delete removed SCF controls (vs archive).

extra_scf_legacy_framework_handler

  • Type: string
  • Purpose: archive or delete.

See The ComplianceForge SCF Extra.

Jira Extra

jira

  • Type: boolean
  • Purpose: Jira Extra activation flag.

JiraInstanceURL

  • Type: string
  • Purpose: Jira instance URL.

JiraUserEmail

  • Type: string
  • Purpose: Jira service account email.

JiraUserAPIKey

  • Type: string
  • Purpose: Jira API token.

JiraWebhookAuthToken

  • Type: string
  • Purpose: Generated 20-char token for inbound webhook authentication.

See The Jira Extra.

Workflows Extra

workflows

  • Type: boolean
  • Purpose: Workflows Extra activation flag.

Workflow definitions, executions, and email templates live in dedicated tables. See What the Workflows Extra Does.

AI Extra

extra_artificial_intelligence

  • Type: boolean
  • Purpose: AI Extra activation flag.

ai_provider

  • Type: string
  • Purpose: Active provider (anthropic, openai, gemini, mistral, grok, ollama, custom).

ai_api_key

  • Type: string (encrypted)
  • Purpose: Provider API key.

ai_model

  • Type: string
  • Purpose: Active model name.

extra_ai_risk_suggestions

  • Type: boolean
  • Purpose: Enable AI-assisted risk FAIR analysis.

extra_ai_control_suggestions

  • Type: boolean
  • Purpose: Enable AI-assisted control-to-document matching.

extra_ai_document_suggestions

  • Type: boolean
  • Purpose: Enable AI-assisted document drafting.

ai_context_*

  • Type: various
  • Purpose: FAIR context settings (one-time questionnaire output).

ai_context_last_saved, ai_context_last_updated

  • Type: timestamp
  • Purpose: Context-management timestamps.

See The AI Extra Overview, Configuring AI Providers.

Notification Extra

notification

  • Type: boolean
  • Purpose: Notification Extra activation flag.

Plus the NOTIFY_ON_* per-event toggles listed under "Email and notifications" above.

Import-Export Extra

import_export

  • Type: boolean
  • Purpose: Import-Export Extra activation flag.

See Installing and Managing Frameworks.

API Extra

api_extra

  • Type: boolean
  • Purpose: API Extra activation flag (provides API key generation surface).

See API Key Management.

Debug logging

debug

  • Type: boolean
  • Purpose: Master debug log toggle.

debug_log_destination

  • Type: string
  • Purpose: file, database, or syslog.

debug_log_path

  • Type: string
  • Purpose: Path for file destination.

debug_log_level

  • Type: string
  • Purpose: Minimum level to log (debug/info/notice/warning/error/critical).

See The Debug Log.

Querying and modifying settings

-- Read a setting
SELECT value FROM settings WHERE name = '<name>';

-- Read settings matching a pattern
SELECT name, value FROM settings WHERE name LIKE 'pass_policy_%' ORDER BY name;

-- Update a setting
UPDATE settings SET value = '<value>' WHERE name = '<name>';

-- Insert a new setting (rare; usually settings are pre-existing)
INSERT INTO settings (name, value) VALUES ('<name>', '<value>');

The update_setting() function in simplerisk/includes/functions.php is the application-level setter; it handles audit logging and side effects.

Common pitfalls

A handful of patterns recur with settings.

  • Modifying settings directly without understanding side effects. Some settings have downstream behavior (e.g., changing risk_model doesn't recompute existing risks). Use the UI when possible; for direct DB changes, understand the implications.

  • Confusing setting types. Some settings are 'true'/'false' strings; some are '1'/'0'; some are integers. Match the type the application expects.

  • Modifying internal-only settings. Some keys are application internals (counters, last-run timestamps). Modifying them produces unpredictable behavior.

  • Storing per-install secrets in plain settings. Most settings are stored as plain text. For secrets (API keys, passwords), the application typically encrypts them; verify before storing.

  • Forgetting to clear PHP opcache after settings changes. Some settings are read once at request boot and cached. Restart PHP-FPM or clear opcache after non-UI changes.

  • Querying SELECT * FROM settings and dumping results. Hundreds of rows; some contain encrypted/sensitive content. Filter what you display.
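The two pitfalls above (mixed boolean encodings, dumping secret-bearing rows) and the querying section are easiest to see in a small script. This is an added example, not SimpleRisk code: it takes settings rows as a query would return them, parses both the 'true'/'false' and '1'/'0' encodings, redacts the secret-bearing keys listed in this reference before display, and flags hardening gaps against an assumed baseline (the thresholds are illustrative, not SimpleRisk defaults). The rows are constructed sample data.

```python
# Added example (not SimpleRisk code): parse settings rows with their mixed
# value conventions, redact secrets before display, audit against an
# assumed hardening baseline.

# Constructed sample of (name, value) rows, as SELECT name, value FROM settings returns them.
SAMPLE_ROWS = [
    ("pass_policy_enabled", "1"),
    ("pass_policy_min_chars", "8"),
    ("pass_policy_attempt_lockout", "0"),
    ("mfa_required", "false"),
    ("session_activity_timeout", "3600"),
    ("api", "true"),
    ("api_v1", "true"),
    ("api_salt", "constructed-salt-value"),
    ("phpmailer_password", "constructed-password"),
    ("debug", "1"),
]

# Keys this reference lists as secrets; never print their values.
SECRET_KEYS = {"api_salt", "phpmailer_password", "ai_api_key", "JiraUserAPIKey",
               "JiraWebhookAuthToken", "BIND_ACCOUNT_PASS"}

def parse_bool(value):
    """Accept both string encodings the application uses: 'true'/'false' and '1'/'0'."""
    v = value.strip().lower()
    if v in ("true", "1"):
        return True
    if v in ("false", "0", ""):
        return False
    raise ValueError(f"not a boolean setting value: {value!r}")

def redact(rows):
    """Return rows with secret values masked, for safe display of a settings dump."""
    return [(n, "<redacted>" if n in SECRET_KEYS else v) for n, v in rows]

def audit(rows):
    """Assumed baseline (illustrative, not SimpleRisk defaults): list hardening gaps."""
    s = dict(rows)
    findings = []
    if not parse_bool(s.get("pass_policy_enabled", "0")):
        findings.append("password policy disabled")
    if int(s.get("pass_policy_attempt_lockout", "0")) == 0:
        findings.append("no lockout after failed logins")
    if not parse_bool(s.get("mfa_required", "0")):
        findings.append("MFA not required")
    if parse_bool(s.get("api_v1", "0")):
        findings.append("legacy v1 API enabled")
    if parse_bool(s.get("debug", "0")):
        findings.append("debug logging enabled")
    if int(s.get("session_activity_timeout", "3600")) > 3600:
        findings.append("idle timeout above 3600 s")
    return findings

if __name__ == "__main__":
    for name, value in redact(SAMPLE_ROWS):
        print(f"{name} = {value}")
    print("findings:", audit(SAMPLE_ROWS))
```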
