diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-group-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-group-context.xml
index 2cb51697b7..3c774e5435 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-group-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-group-context.xml
@@ -101,7 +101,7 @@
             <ref bean="rmMoveRecordCategoryCapability"/>
             <ref bean="rmMoveRecordFolderCapability"/>
             <ref bean="rmMoveRecordsCapability"/>
-            <ref bean="rmFileToRecordsCapability"/>
+            <ref bean="rmFileUnfiledRecordsCapability"/>
          </list>
       </property>
    </bean>
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-record-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-record-context.xml
index 953c6d2dbc..7c45f5ce8c 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-record-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-record-context.xml
@@ -117,10 +117,10 @@
       <property name="targetCapability" ref="rmFileRecordsCapability" />
    </bean>
 
-   <bean id="rmFileToRecordsCapability"
+   <bean id="rmFileUnfiledRecordsCapability"                              
       parent="declarativeCapability">
-      <property name="name" value="FileToRecords"/>
-      <property name="private" value="true" />								<!-- This is an unasingable capability, we reference an assignable one in the target -->
+      <property name="name" value="FileUnfiledRecords"/>						
+      <property name="permission" value="FileUnfiledRecords"/>
       <property name="conditions">
          <map>
             <entry key="capabilityCondition.filling" value="true"/>  		<!--  Checks if the user has the filling capability -->
@@ -128,7 +128,9 @@
             <entry key="capabilityCondition.recordFiled" value="false"/>	<!--  Checks that the node hasn't been filed -->
          </map>
       </property>
-      <property name="targetCapability" ref="rmFileRecordsCapability" />  <!--  Checks that the user has the correct capability on the destination folder -->
+      <property name="targetCapability" ref="rmFileRecordsCapability" />  <!--  Checks that the user has the correct capability on the destination folder -->      
+      <property name="group"><ref bean="recordsGroup"/></property>
+      <property name="index" value="41" />
    </bean>
 
    <bean id="rmDeclareRecordsCapability"
@@ -254,7 +256,7 @@
    <bean id="rmRejectRecordsCapability"
       parent="declarativeCapability">
       <property name="name" value="RejectRecords"/>
-      <property name="private" value="true" />
+      <property name="permission" value="RejectRecords"/>
       <property name="conditions">
          <map>
             <entry key="capabilityCondition.filling" value="true"/>
@@ -265,6 +267,8 @@
             <entry key="capabilityCondition.recordFiled" value="false"/>
          </map>
       </property>
+      <property name="group"><ref bean="recordsGroup"/></property>
+      <property name="index" value="42" />
    </bean>
    
    <bean id="rmHideRecordsCapability" 
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties
index 69d57bb600..516802817e 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties
@@ -5,6 +5,8 @@ capability.ViewRecords.title=View Records
 capability.UndeclareRecords.title=Reopen Records
 capability.CreateRecords.title=Create Records
 capability.RequestRecordInformation.title=Request Record Information
+capability.RejectRecords=Reject Records
+capability.FileUnfiledRecords=File Unfiled Records
 
 # Metadata Control
 capability.group.metadataControl.title=Metadata Control
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/model/recordsPermissionModel.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/model/recordsPermissionModel.xml
index bc080a360a..4a6c1d9625 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/model/recordsPermissionModel.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/model/recordsPermissionModel.xml
@@ -84,6 +84,8 @@
             <includePermissionGroup type="rma:filePlanComponent" permissionGroup="ManageRules"/>
             <includePermissionGroup type="rma:filePlanComponent" permissionGroup="RequestRecordInformation"/>
             <includePermissionGroup type="rma:filePlanComponent" permissionGroup="FileDestructionReport"/>
+            <includePermissionGroup type="rma:filePlanComponent" permissionGroup="FileUnfiledRecords"/>
+            <includePermissionGroup type="rma:filePlanComponent" permissionGroup="RejectRecords"/>
         </permissionGroup>
         
         <permissionGroup name="Filing" allowFullControl="false" expose="true">
@@ -160,6 +162,8 @@
         <permissionGroup name="ManageRules" expose="false" allowFullControl="false"/>
         <permissionGroup name="RequestRecordInformation" expose="false" allowFullControl="false"/>
         <permissionGroup name="FileDestructionReport" expose="false" allowFullControl="false"/>
+        <permissionGroup name="RejectRecords" expose="false" allowFullControl="false"/>
+        <permissionGroup name="FileUnfiledRecords" expose="false" allowFullControl="false"/>
         
         <!--  End -->
         
@@ -421,6 +425,14 @@
             <grantedToGroup permissionGroup="FileDestructionReport"/>
         </permission>
         
+        <permission name="_FileUnfiledRecords" expose="false">
+            <grantedToGroup permissionGroup="FileUnfiledRecords"/>
+        </permission>
+        
+        <permission name="_RejectRecords" expose="false">
+            <grantedToGroup permissionGroup="RejectRecords"/>
+        </permission>
+        
     </permissionSet>
     
 </permissions>
\ No newline at end of file
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-action-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-action-context.xml
index 5a003d13f7..f19f7d319e 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-action-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-action-context.xml
@@ -807,10 +807,20 @@
       <property name="target" ref="reject"/>
       <property name="interceptorNames">
          <list>
-            <idref bean="allow_security"/>
+            <idref bean="reject_security"/>
          </list>
       </property>
    </bean>
+   
+   <bean id="reject_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" parent="actionSecurity">
+      <property name="objectDefinitionSource">
+         <value>
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.execute=RM_CAP.0.rma:filePlanComponent.RejectRecords
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.*=RM_ALLOW
+            org.alfresco.repo.action.executer.ActionExecuter.*=RM_ALLOW
+         </value>
+      </property>
+   </bean>
 
    <bean id="reject" class="org.alfresco.module.org_alfresco_module_rm.action.impl.RejectAction" parent="rmAction">
       <property name="publicAction" value="true"/>
@@ -822,10 +832,20 @@
       <property name="target" ref="fileTo"/>
         <property name="interceptorNames">
             <list>
-               <idref bean="allow_security"/>
+               <idref bean="fileTo_security"/>
             </list>
          </property>
    </bean>
+   
+   <bean id="fileTo_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" parent="actionSecurity">
+      <property name="objectDefinitionSource">
+         <value>
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.execute=RM_CAP.0.rma:filePlanComponent.FileUnfiledRecords
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.*=RM_ALLOW
+            org.alfresco.repo.action.executer.ActionExecuter.*=RM_ALLOW
+         </value>
+      </property>
+   </bean>
 
    <bean id="fileTo" class="org.alfresco.module.org_alfresco_module_rm.action.impl.FileToAction" parent="rmAction">
       <property name="fileFolderService" ref="FileFolderService"/>
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
index 1882213abc..e7cf19c2dd 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml
@@ -308,7 +308,7 @@
             <value>RECORD</value>
          </set>
       </property>
-      <property name="capability" value="FileToRecords" />
+      <property name="capability" value="FileUnfiledRecords" />
    </bean>
 
    <bean id="jsonConversionComponent.file"
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
index 5fcdee9565..3ee7b4a81b 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
@@ -46,7 +46,9 @@
          "ReOpenFolders",
          "CycleVitalRecords",
          "PlanningReviewCycles",
-         "RequestRecordInformation"
+         "RequestRecordInformation",
+         "FileUnfiledRecords",
+         "RejectRecords"
       ]
    },
    {
@@ -67,7 +69,9 @@
           "ReOpenFolders",
           "CycleVitalRecords",
           "PlanningReviewCycles",
-          "RequestRecordInformation"
+          "RequestRecordInformation",
+          "FileUnfiledRecords",
+          "RejectRecords"
       ]
    },
    {
@@ -128,7 +132,9 @@
           "ExportAudit",
           "CreateModifyDestroyReferenceTypes",
           "RequestRecordInformation",
-          "FileDestructionReport"
+          "FileDestructionReport",
+          "FileUnfiledRecords",
+          "RejectRecords"
       ]
    },
    {
@@ -191,7 +197,9 @@
           "ManageAccessControls",
           "ManageRules",
           "RequestRecordInformation",
-          "FileDestructionReport"
+          "FileDestructionReport",
+          "FileUnfiledRecords",
+          "RejectRecords"
       ]
    }
 ]
diff --git a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/admin/rmrole/rmroles.get.desc.xml b/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/admin/rmrole/rmroles.get.desc.xml
index ec3ef12310..aa9c48a015 100644
--- a/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/admin/rmrole/rmroles.get.desc.xml
+++ b/rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/admin/rmrole/rmroles.get.desc.xml
@@ -9,11 +9,12 @@
      siteid - id of a RM site to take the file plan from
      user - only returns roles that this user is assigned to
      auths - if true, returns details of authorites directly assigned to the role.  false by default.	
+     is - if true includes system roles in the results, otherwise excludes them.  false by default.
   ]]>
   </description>
-  <url>/api/rma/admin/rmroles?user={user?}&amp;auths={auths?}</url>  <!--  NOTE: this URL should be considered as deprecated -->
-  <url>/api/rma/admin/{store_type}/{store_id}/{id}/rmroles?user={user?}&amp;auths={auths?}</url>
-  <url>/api/rma/admin/{siteid}/rmroles?user={user?}&amp;auths={auths?}</url>
+  <url>/api/rma/admin/rmroles?user={user?}&amp;auths={auths?}&amp;is={is?}</url>  <!--  NOTE: this URL should be considered as deprecated -->
+  <url>/api/rma/admin/{store_type}/{store_id}/{id}/rmroles?user={user?}&amp;auths={auths?}&amp;is={is?}</url>
+  <url>/api/rma/admin/{siteid}/rmroles?user={user?}&amp;auths={auths?}&amp;is={is?}</url>
   <format default="json">argument</format>
   <authentication>user</authentication>
   <transaction allow="readonly">required</transaction>
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/RMv21CapabilityPatch.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/RMv21CapabilityPatch.java
index abd78bbc19..9201380e42 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/RMv21CapabilityPatch.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/RMv21CapabilityPatch.java
@@ -122,7 +122,19 @@ public class RMv21CapabilityPatch extends ModulePatchComponent
             addCapability(filePlan,
                           "FileDestructionReport", 
                           FilePlanRoleService.ROLE_ADMIN, 
-                          FilePlanRoleService.ROLE_RECORDS_MANAGER);            
+                          FilePlanRoleService.ROLE_RECORDS_MANAGER); 
+            addCapability(filePlan,
+                          "RejectRecords", 
+                          FilePlanRoleService.ROLE_ADMIN, 
+                          FilePlanRoleService.ROLE_POWER_USER, 
+                          FilePlanRoleService.ROLE_RECORDS_MANAGER,
+                          FilePlanRoleService.ROLE_SECURITY_OFFICER);    
+            addCapability(filePlan,
+                          "FileUnfiledRecords", 
+                          FilePlanRoleService.ROLE_ADMIN, 
+                          FilePlanRoleService.ROLE_POWER_USER, 
+                          FilePlanRoleService.ROLE_RECORDS_MANAGER,
+                          FilePlanRoleService.ROLE_SECURITY_OFFICER);         
         }
         
         if (logger.isDebugEnabled() == true)
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/admin/RmRolesGet.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/admin/RmRolesGet.java
index 1baeadc026..188260c52a 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/admin/RmRolesGet.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/admin/RmRolesGet.java
@@ -57,16 +57,24 @@ public class RmRolesGet extends RoleDeclarativeWebScript
         {
             throw new WebScriptException(Status.STATUS_FOUND, "File plan does not exist.");
         }
+        
+        // get the includesystem parameter
+        boolean includeSystem = false;
+        String includeSystemValue = req.getParameter("is");
+        if (includeSystemValue != null && includeSystemValue.length() != 0)
+        {
+            includeSystem = Boolean.parseBoolean(includeSystemValue);
+        }
 
         // get the user filter
         String user = req.getParameter("user");
         if (user != null && user.length() != 0)
         {
-            roles = filePlanRoleService.getRolesByUser(filePlan, user, false);
+            roles = filePlanRoleService.getRolesByUser(filePlan, user, includeSystem);
         }
         else
         {
-            roles = filePlanRoleService.getRoles(filePlan, false);
+            roles = filePlanRoleService.getRoles(filePlan, includeSystem);
         }
 
         // get the auths parameter
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/action/FileToActionTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/action/FileToActionTest.java
index 344d9b27bb..c30504fe63 100644
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/action/FileToActionTest.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/action/FileToActionTest.java
@@ -83,7 +83,7 @@ public class FileToActionTest extends BaseRMTestCase
                 assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING));
                 assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING));
 
-                Capability capability = capabilityService.getCapability("FileToRecords");
+                Capability capability = capabilityService.getCapability("FileUnfiledRecords");
                 assertNotNull(capability);
                 assertEquals(AccessStatus.ALLOWED, capability.hasPermission(dmDocument));