13.05 Known Limitations
SimpleRisk does many things well; some it doesn't do at all. This reference catalogs the known limitations operators should know about — no native outbound webhooks, no API rate limiting, no native key rotation for the Encryption Extra, no per-user notification opt-out, etc. Use this to set expectations and plan workarounds; many limitations are addressable via Extras or external tooling.
Why this is a reference article
This article catalogs the substantive limitations operators encounter in SimpleRisk. The list is honest — these are real gaps, not features that exist with limitations. Knowing the gaps before they surprise you allows planning around them; missing the gaps in design produces "we assumed SimpleRisk did X" disappointments.
Each limitation includes the workaround that programs typically use. Most limitations are addressable; the workarounds vary in cost.
Authentication and identity
No native OIDC
SimpleRisk supports SAML 2.0 and LDAP for SSO; it doesn't have a native OIDC client. Workaround: use the IdP's SAML endpoint (every major OIDC provider also speaks SAML), or front OIDC with a SAML-capable broker. See Configuring OIDC.
No SCIM provisioning
SimpleRisk doesn't accept SCIM-style bulk provisioning. Workaround: use the v2 user-management API for bulk provisioning; or rely on just-in-time provisioning during SSO login.
No WebAuthn / FIDO2 hardware-token MFA
Core MFA is TOTP-only. Workaround: enforce MFA at the IdP layer (SAML / LDAP) where WebAuthn is supported; SimpleRisk inherits the IdP's MFA posture for SSO users.
No SMS-based MFA
Intentionally — NIST SP 800-63B has deprecated SMS as a second factor. TOTP via authenticator app is the supported alternative.
No built-in MFA recovery codes
If a user loses their TOTP device, recovery requires admin intervention (clear their MFA secret; re-enroll). Workaround: documented operator procedure; identity-verify before clearing.
API
No native rate limiting
SimpleRisk's v2 API has no built-in rate limiting or per-key quotas. Workaround: enforce at a reverse proxy (nginx, HAProxy) or CDN (Cloudflare, AWS WAF) in front of SimpleRisk. See Rate Limiting and Quotas.
No native pagination on list endpoints
Most list endpoints return all matching records in one response. Workaround: filter at the source via query parameters; cache locally; use per-record endpoints when you know the ID.
No outbound webhooks
SimpleRisk doesn't POST to external URLs on its events. The only inbound webhook is from Jira (via the Jira Extra). Workaround: poll the API on schedule; use a workflow automation platform; build custom dispatch via the Workflows Extra. See Webhook Integration.
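The poll-on-schedule workaround, as an added example that is not SimpleRisk's own code: a script run from cron that fetches the risk list, compares it with the state saved on the previous run, and POSTs one signed event per new, changed or removed record. The endpoint URL, the `X-API-Key` header and the `id` / `last_update` field names are assumptions to adjust to your v2 API; the receiver-side `verify_signature` shows how the consumer should check the HMAC so that a forged POST is rejected.

```python
"""Emulate outbound webhooks by polling the SimpleRisk API on a schedule.

Added example, not SimpleRisk's own code. Assumptions (hypothetical, adjust to
your deployment): the v2 API exposes a risk-list endpoint at API_URL that
returns a JSON array of records carrying an integer "id" and an ISO-8601
"last_update" field, and the API key is sent in the X-API-Key header.
"""
import hashlib
import hmac
import json
import os
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, object]
State = Dict[str, str]   # record id -> last_update stamp seen on the previous run

API_URL = "https://simplerisk.example.com/api/v2/risks"            # assumed endpoint
WEBHOOK_URL = "https://automation.example.com/hooks/simplerisk"    # assumed receiver
STATE_PATH = os.environ.get("SR_POLL_STATE", "simplerisk_poll_state.json")


def diff_records(previous: State, current: Iterable[Record]) -> Tuple[List[Record], List[str], State]:
    """Return (new-or-changed records, ids no longer present, state for the next run)."""
    new_state: State = {}
    changed: List[Record] = []
    for rec in current:
        rid, stamp = str(rec["id"]), str(rec["last_update"])
        new_state[rid] = stamp
        if previous.get(rid) != stamp:      # unseen id, or its update stamp moved
            changed.append(rec)
    removed = sorted(set(previous) - set(new_state))
    return changed, removed, new_state


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes sent; the receiver recomputes it."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Receiver-side check; constant-time compare so the MAC is not leaked by timing."""
    return hmac.compare_digest(sign(secret, body), header)


def build_event(event: str, payload: object, secret: bytes) -> Tuple[bytes, Dict[str, str]]:
    body = json.dumps({"event": event, "data": payload}, sort_keys=True).encode()
    return body, {"Content-Type": "application/json", "X-Signature-256": sign(secret, body)}


def run_once(fetch: Callable[[], List[Record]], deliver: Callable[[bytes, Dict[str, str]], None],
             secret: bytes, previous: State) -> Tuple[int, State]:
    """One polling cycle. The new state is returned, not saved: if deliver raises,
    the caller keeps the old state and the same records are retried next run."""
    changed, removed, new_state = diff_records(previous, fetch())
    for rec in changed:
        deliver(*build_event("risk.changed", rec, secret))
    for rid in removed:
        deliver(*build_event("risk.removed", {"id": rid}, secret))
    return len(changed) + len(removed), new_state


def api_fetch() -> List[Record]:
    req = urllib.request.Request(API_URL, headers={"X-API-Key": os.environ["SR_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def http_deliver(body: bytes, headers: Dict[str, str]) -> None:
    req = urllib.request.Request(WEBHOOK_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:   # raises on non-2xx
        resp.read()


if __name__ == "__main__":
    previous: State = {}
    if os.path.exists(STATE_PATH):
        with open(STATE_PATH) as fh:
            previous = json.load(fh)
    secret = os.environ["SR_WEBHOOK_SECRET"].encode()
    count, new_state = run_once(api_fetch, http_deliver, secret, previous)
    with open(STATE_PATH, "w") as fh:   # persisted only after every delivery succeeded
        json.dump(new_state, fh)
    print(f"dispatched {count} event(s)")
```

Run it every few minutes from cron with `SR_API_KEY` and `SR_WEBHOOK_SECRET` in the environment; the polling interval is the latency you accept in exchange for not having native webhooks. Because state is written only after all deliveries succeed, a receiver outage results in re-delivery rather than lost events, so the receiver should treat events as idempotent.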
Email and notifications
No per-user notification opt-out
Users can't unsubscribe from specific notification types via a UI; the per-event toggles are system-wide. Workaround: tune the notification configuration to balance signal vs noise for the entire user base; for users who genuinely shouldn't receive notifications, change their account configuration or role.
No HTML/text dual-format emails
Emails go out in a single format; SimpleRisk does not generate a multipart message carrying both an HTML and a plain-text part. Workaround: design templates that render reasonably whichever format the recipient's client displays (most modern email clients handle HTML email fine).
Reporting
No native scheduled reports
SimpleRisk Core has no built-in "send this report every Monday" feature. Workaround: cron-driven script + email; or BI tool integration; or workflow automation platform. See Scheduled Reports.
Limited CSV export
Most reports don't have one-click CSV export. The Dynamic Risk Report does, but only when the Import-Export Extra is active. Workaround: API-driven extraction.
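The cron-driven "script + email" workaround for scheduled reports, combined with API-driven CSV extraction, as an added example that is not SimpleRisk's own code. The rows here are a constructed sample standing in for whatever the API extraction returns; `SMTP_HOST`, `FROM_ADDR` and `RECIPIENTS` are placeholders. The one non-obvious step is `neutralize_cell`: a risk subject or comment that begins with `=`, `+`, `-` or `@` is treated as a formula by spreadsheet applications when the CSV is opened, so exported cells are prefixed to render as literal text.

```python
"""Cron-driven scheduled report: extract rows, write CSV, email it as an attachment.

Added example, not SimpleRisk's own code. Assumptions: a function that returns
report rows as dicts (constructed sample below; in practice your API extraction),
and placeholder SMTP host and addresses.
"""
import csv
import io
import smtplib
from datetime import date
from email.message import EmailMessage
from typing import Dict, Iterable, List, Sequence

SMTP_HOST = "smtp.example.com"                  # placeholder
FROM_ADDR = "simplerisk-reports@example.com"    # placeholder
RECIPIENTS = ["risk-committee@example.com"]     # placeholder

# Cells starting with these characters are interpreted as formulas by spreadsheet
# applications; prefixing a quote makes them render as literal text instead.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: object) -> str:
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def records_to_csv(records: Iterable[Dict[str, object]], columns: Sequence[str]) -> str:
    """Render the chosen columns, in order, with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    for rec in records:
        writer.writerow([neutralize_cell(rec.get(col)) for col in columns])
    return buf.getvalue()


def build_report_email(csv_text: str, subject: str, sender: str, recipients: List[str],
                       filename: str = "report.csv") -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(f"Attached: {filename}, {csv_text.count(chr(10)) - 1} record(s).")
    msg.add_attachment(csv_text.encode("utf-8"), maintype="text", subtype="csv", filename=filename)
    return msg


def send(msg: EmailMessage, host: str) -> None:
    with smtplib.SMTP(host, 587, timeout=30) as smtp:
        smtp.starttls()   # never ship report data over a cleartext SMTP session
        smtp.send_message(msg)


def sample_rows() -> List[Dict[str, object]]:
    """Constructed sample; replace with the API extraction for your report."""
    return [
        {"id": 101, "subject": "Unpatched VPN appliance", "score": 8.0, "owner": "netops"},
        {"id": 102, "subject": "=HYPERLINK(\"http://evil.example\")", "score": 3.5, "owner": "it"},
        {"id": 103, "subject": "Stale service accounts", "score": 6.0, "owner": None},
    ]


if __name__ == "__main__":
    text = records_to_csv(sample_rows(), ["id", "subject", "score", "owner"])
    report = build_report_email(text, f"Weekly risk report {date.today():%Y-%m-%d}", FROM_ADDR, RECIPIENTS)
    send(report, SMTP_HOST)
```

A crontab line such as `0 7 * * 1 /usr/bin/python3 /opt/reports/weekly_risks.py` gives the "every Monday" schedule that Core lacks.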
No native PDF export for most reports
Some reports support PDF export via the application's print path; many don't. Workaround: browser-side print-to-PDF; or scripted extraction with custom PDF generation.
No public-link sharing for reports
Reports are accessible only to authenticated users. Workaround: extract and email; or use the API to feed external dashboards.
Customization
Custom fields only on risks
The Customization Extra adds custom fields to risk-related forms (details, mitigation, review). Other entities (assets, controls, frameworks, documents) don't support custom fields. Workaround: encode the data in existing fields where possible; or layer additional Extras that add domain-specific custom fields.
Form layout customization is limited
Custom field placement, hiding standard fields, reordering — these work via the Customization Extra. Deeper UI customization (theme changes, custom widgets, custom navigation) requires code changes. Workaround: file feature requests for specific needs.
No native white-labeling
The SimpleRisk branding is in the application. Workaround: code-level customization (with care to preserve upgrade compatibility).
Workflows and automation
No state-machine enforcement
Workflows trigger on events; they don't gate state transitions. A risk doesn't get blocked from moving to a different state because a workflow hasn't completed. Workaround: operational discipline; workflow actions that update state; custom approval flows via the Workflows Extra.
Workflows are events + actions, not full programming
The action catalog covers communication (email, Slack, webhook). Complex business logic requires dispatch via webhook to external scripts. Workaround: thin SimpleRisk-side workflow that fires a webhook to your custom logic.
Encryption
Single per-install master key
The Encryption Extra has one key. No per-user keys, no per-record keys, no key escrow. Workaround: treat off-server backup of the key file as non-negotiable operational discipline.
No native key rotation
Rotating the master key requires deactivating and reactivating the Extra (decrypt everything, then re-encrypt with the new key), which is an expensive operation. Workaround: rotate only on suspected compromise.
Selective encryption (~30 fields)
Not every field is encrypted. Lookup IDs, configuration settings, numeric scores remain plaintext. Workaround: this is by design (performance, queryability); the substantively-sensitive content is encrypted.
Lose the key, lose the data
No recovery service. Workaround: rigorous off-server key backup.
Database
No native horizontal sharding
A single SimpleRisk install uses a single database. Workaround: multiple SimpleRisk installs (one per major segment); or vertical scaling.
No native multi-tenancy
A SimpleRisk install is a single tenant. Workaround: one install per tenant; or team-based segregation within one install (with careful access controls).
Audit log grows without bound by default
The audit_log table accumulates entries forever. Workaround: define and enforce retention policy.
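One way to enforce a retention policy on the audit log, as an added example that is not SimpleRisk's own code: archive each batch of expired rows to a JSON-lines file, then delete it, committing batch by batch so that the table is never locked for long and an interrupted run leaves nothing half-deleted. The schema here is a constructed stand-in (an `id`, a `timestamp` and a `message` column); check the real `audit_log` definition in your install before using it. The demo runs against sqlite3 so it works offline; against MySQL, swap the connection and use the driver's placeholder style.

```python
"""Audit-log retention: archive, then delete rows older than a cutoff, in batches.

Added example, not SimpleRisk's own code. The table layout is a constructed
stand-in; verify column names against your install's audit_log. sqlite3 is
used so the demo runs offline.
"""
import json
import sqlite3
from datetime import datetime, timedelta
from typing import IO, List, Optional

DEMO_NOW = datetime(2024, 6, 1, 12, 0, 0)   # fixed clock for the constructed data


def select_expired_ids(conn, cutoff: str, batch_size: int) -> List[int]:
    rows = conn.execute(
        "SELECT id FROM audit_log WHERE timestamp < ? ORDER BY id LIMIT ?", (cutoff, batch_size)
    ).fetchall()
    return [r[0] for r in rows]


def archive_rows(conn, ids: List[int], archive: Optional[IO[str]]) -> None:
    """Write the rows about to be deleted as JSON lines, one per row."""
    if archive is None or not ids:
        return
    marks = ",".join("?" * len(ids))
    for row in conn.execute(f"SELECT id, timestamp, message FROM audit_log WHERE id IN ({marks})", ids):
        archive.write(json.dumps({"id": row[0], "timestamp": row[1], "message": row[2]}) + "\n")


def prune_audit_log(conn, retention_days: int, batch_size: int = 1000,
                    archive: Optional[IO[str]] = None, now: Optional[datetime] = None) -> int:
    """Delete entries older than retention_days; returns the number removed.
    Each batch is archived (if an archive file is given) and committed before
    the next batch is fetched."""
    clock = now or datetime.utcnow()   # assumes audit timestamps are stored in UTC
    cutoff = (clock - timedelta(days=retention_days)).strftime("%Y-%m-%d %H:%M:%S")
    deleted = 0
    while True:
        ids = select_expired_ids(conn, cutoff, batch_size)
        if not ids:
            return deleted
        archive_rows(conn, ids, archive)
        marks = ",".join("?" * len(ids))
        conn.execute(f"DELETE FROM audit_log WHERE id IN ({marks})", ids)
        conn.commit()
        deleted += len(ids)


def count_rows(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def make_demo_db() -> sqlite3.Connection:
    """Constructed audit_log with entries 400, 200, 100, 30 and 1 days old."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, timestamp TEXT, message TEXT)")
    for i, age in enumerate([400, 200, 100, 30, 1], start=1):
        stamp = (DEMO_NOW - timedelta(days=age)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO audit_log VALUES (?, ?, ?)", (i, stamp, f"entry {i}"))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    with open("audit_log_archive.jsonl", "a") as fh:
        removed = prune_audit_log(db, retention_days=90, batch_size=2, archive=fh, now=DEMO_NOW)
    print(f"removed {removed}, {count_rows(db)} remaining")
```

Selecting the ids first and deleting by id list, rather than `DELETE ... LIMIT`, keeps the statements portable across sqlite and MySQL. The archive file is what lets you honour a retention policy that is shorter than your evidence-retention obligation: the rows leave the live table but remain available offline.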
UI and UX
No native global search
A search bar that searches across risks, controls, documents, audits doesn't exist in Core. Per-entity search/filter does. Workaround: rely on per-entity filters; future Core feature work may add global search.
No native dark mode / theme toggle
The UI has one appearance. Workaround: browser-level dark-mode reader extensions for users who want them.
Limited dashboard customization
Dashboards exist as fixed layouts with configurable widgets; deeper layout customization (custom widgets, beyond-grid layouts) isn't available. Workaround: external BI tooling.
No native mobile app
SimpleRisk renders responsively on mobile browsers; there's no dedicated iOS/Android app. Workaround: use the web UI on mobile; or build a custom app on top of the API.
Integration
No deep two-way ServiceNow / SOAR integration
Beyond Jira (via the Jira Extra), SimpleRisk doesn't ship native integrations with ServiceNow, Splunk SOAR, Palo Alto XSOAR, etc. Workaround: build custom integrations against the v2 API.
No native CMDB integration
Asset inventory in SimpleRisk is independent of any external CMDB. Workaround: API-driven sync from the CMDB to SimpleRisk.
Limited threat-feed integration
SimpleRisk doesn't natively consume threat feeds (MISP, OpenCTI, commercial feeds). Workaround: external script that pulls from the feed and creates risks via the API.
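The API-driven sync that the CMDB and threat-feed workarounds above both rely on, as an added example that is not SimpleRisk's own code. The planning step is a pure function: given what the external source currently reports and what SimpleRisk currently holds, both keyed by a stable identifier (a CMDB record id, or a feed's indicator id when the same function feeds risks instead of assets), it returns what to create, update and retire. Keying on a stable id makes the job idempotent, so re-running after a partial failure is safe. `ASSETS_URL`, the `external_id` field and the `X-API-Key` header are assumptions to adapt to your v2 API.

```python
"""Reconcile an external inventory (CMDB or threat feed) into SimpleRisk via the API.

Added example, not SimpleRisk's own code. The endpoint, the external_id field
and the API-key header are hypothetical; the inventories in main() are
constructed samples.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Tuple

Item = Dict[str, object]
Inventory = Dict[str, Item]   # stable key (CMDB id, feed indicator id) -> record

ASSETS_URL = "https://simplerisk.example.com/api/v2/assets"   # assumed endpoint


def index_by(records: List[Item], key: str) -> Inventory:
    """Turn a list of API records into an inventory keyed on one field."""
    return {str(r[key]): r for r in records if r.get(key) is not None}


def plan_sync(source: Inventory, target: Inventory, fields: Tuple[str, ...]) -> Dict[str, List[str]]:
    """Keys to create, update (a compared field differs) and retire (gone from the
    source). Only `fields` are compared, so edits made in SimpleRisk to other
    attributes are left alone."""
    create = sorted(k for k in source if k not in target)
    retire = sorted(k for k in target if k not in source)
    update = sorted(
        k for k in source if k in target
        and any(source[k].get(f) != target[k].get(f) for f in fields)
    )
    return {"create": create, "update": update, "retire": retire}


def apply_plan(plan: Dict[str, List[str]], source: Inventory, target: Inventory,
               create: Callable[[str, Item], None], update: Callable[[object, Item], None],
               retire: Callable[[object], None]) -> int:
    """Execute the plan through injected callables; returns the operation count.
    Updates and retirements address the SimpleRisk-side record by its own id."""
    for key in plan["create"]:
        create(key, source[key])
    for key in plan["update"]:
        update(target[key]["id"], source[key])
    for key in plan["retire"]:
        retire(target[key]["id"])
    return len(plan["create"]) + len(plan["update"]) + len(plan["retire"])


def api_call(method: str, url: str, payload: object = None) -> object:
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-API-Key": os.environ["SR_API_KEY"], "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:   # raises on non-2xx
        return json.load(resp) if resp.length else None


def http_create(key: str, item: Item) -> None:
    api_call("POST", ASSETS_URL, dict(item, external_id=key))


def http_update(asset_id: object, item: Item) -> None:
    api_call("PUT", f"{ASSETS_URL}/{asset_id}", item)


def http_retire(asset_id: object) -> None:
    api_call("DELETE", f"{ASSETS_URL}/{asset_id}")


if __name__ == "__main__":
    # Constructed samples: what the CMDB reports and what SimpleRisk holds.
    cmdb = {"sys1": {"name": "web-01", "ip": "10.0.0.5"},
            "sys2": {"name": "db-01", "ip": "10.0.0.9"},
            "sys3": {"name": "new-01", "ip": "10.0.0.20"}}
    held = index_by([{"id": 7, "external_id": "sys1", "name": "web-01", "ip": "10.0.0.5"},
                     {"id": 8, "external_id": "sys2", "name": "db-01", "ip": "10.0.0.10"},
                     {"id": 3, "external_id": "old", "name": "gone", "ip": "10.0.0.1"}],
                    "external_id")
    plan = plan_sync(cmdb, held, ("name", "ip"))
    print("dry run:", plan)
    if os.environ.get("SR_API_KEY"):   # only touch the live API when a key is provided
        apply_plan(plan, cmdb, held, http_create, http_update, http_retire)
```

Printing the plan before applying it gives the dry run that most programs want on the first sync; wiring a feed's indicators into the same function with `plan_sync(feed, index_by(risks, "reference_id"), ("title", "severity"))` turns it into the threat-feed importer, with the `reference_id` field name again an assumption.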
Operational
No native multi-region deployment support
A SimpleRisk install runs in one region. Multi-region deployments need either a master-region install (with users in other regions accepting latency) or per-region installs (with no built-in cross-install correlation). Workaround: pick a primary region; CDN for static assets to reduce per-region latency.
No native zero-downtime upgrade
Upgrades require application unavailability during the schema migration. Workaround: schedule maintenance windows; for very high uptime requirements, a complex blue-green pattern is achievable but not natively supported.
No native A/B testing or staged rollout
Configuration changes apply to the whole install at once. Workaround: test in non-production first; coordinate production changes with users.
Compliance and audit
Limited compliance evidence packaging
Producing audit-ready evidence packages requires extraction work; SimpleRisk doesn't have a "click here for SOC 2 evidence package" button. Workaround: scripted extraction. See Compliance Evidence Export.
No native risk acceptance workflow with deep approval gating
The standard workflow uses the mitigation-acceptance pattern; programs needing complex multi-stage approval implement via the Workflows Extra plus operational discipline. Workaround: workflows; documented procedures.
Acknowledgment
This list isn't exhaustive — every program encounters specific edge cases. The honest catalog above covers the most-impactful limitations operators commonly run into. For limitations not listed here, the SimpleRisk community forum and support channel can confirm whether something is a real limitation, an undocumented feature, or a configuration issue.
For limitations that block your program, file feature requests via Getting Help. The product evolves; many of today's limitations are tomorrow's features.