Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json

CreateConfigurationTemplateInfo Object

Description

The CreateConfigurationTemplateInfo object is used to store creation info for a configuration template.

Usage Example

Use in the POST Configuration Templates endpoint.

admin_owner_id

string<uuid>

required

The ID of the owner of the configuration template.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

visibility

object

required

The visibility info of the configuration template.

Show child attributes

visibility.visibility

enum<string>

required

The visibility level of the entity.

Available options:

GLOBAL,

LIMITED

Example:

"GLOBAL"

visibility.visibility_group_ids

string<uuid>[]

Example:

"private"

require_mfa_to_approve

boolean

required

A bool representing whether or not to require MFA for reviewers to approve requests for this configuration template.

Example:

false

require_mfa_to_connect

boolean

required

A bool representing whether or not to require MFA to connect to resources associated with this configuration template.

Example:

false

name

string

required

The name of the configuration template.

Example:

"Prod AWS Template"

linked_audit_message_channel_ids

string<uuid>[]

The IDs of the audit message channels linked to the configuration template.

Example:

[
  "37cb7e41-12ba-46da-92ff-030abe0450b1",
  "37cb7e41-12ba-46da-92ff-030abe0450b2"
]

member_oncall_schedule_ids

string<uuid>[]

The IDs of the on-call schedules linked to the configuration template.

Example:

[
  "37cb7e41-12ba-46da-92ff-030abe0450b1",
  "37cb7e41-12ba-46da-92ff-030abe0450b2"
]

break_glass_user_ids

string<uuid>[]

The IDs of the break glass users linked to the configuration template.

Example:

[
  "37cb7e41-12ba-46da-92ff-030abe0450b1",
  "37cb7e41-12ba-46da-92ff-030abe0450b2"
]

request_configurations

object[]

The request configuration list of the configuration template. If not provided, the default request configuration will be used.

Show child attributes

request_configurations.allow_requests

boolean

required

A bool representing whether or not to allow requests for this resource.

Example:

true

request_configurations.auto_approval

boolean

required

A bool representing whether or not to automatically approve requests for this resource.

Example:

false

request_configurations.require_mfa_to_request

boolean

required

A bool representing whether or not to require MFA for requesting access to this resource.

Example:

false

request_configurations.require_support_ticket

boolean

required

A bool representing whether or not access requests to the resource require an access ticket.

Example:

false

request_configurations.priority

integer

required

The priority of the request configuration.

Example:

1

request_configurations.condition

object

The condition for the request configuration.

Show child attributes

request_configurations.condition.group_ids

string<uuid>[]

The list of group IDs to match.

Example:

["1b978423-db0a-4037-a4cf-f79c60cb67b3"]

request_configurations.condition.role_remote_ids

string[]

The list of role remote IDs to match.

Example:

[
  "arn:aws:iam::590304332660:role/AdministratorAccess"
]

Example:

{
  "group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}

request_configurations.max_duration_minutes

integer

The maximum duration for which the resource can be requested (in minutes).

Example:

120

request_configurations.recommended_duration_minutes

integer

The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

request_configurations.extensions_duration_in_minutes

integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

request_configurations.request_template_id

string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

request_configurations.reviewer_stages

object[]

The list of reviewer stages for the request configuration.

Show child attributes

request_configurations.reviewer_stages.require_manager_approval

boolean

required

Whether this reviewer stage should require manager approval.

Example:

false

request_configurations.reviewer_stages.operator

enum<string>

required

The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.

Available options:

AND,

OR

Example:

"AND"

request_configurations.reviewer_stages.owner_ids

string<uuid>[]

required

request_configurations.reviewer_stages.require_admin_approval

boolean

Whether this reviewer stage should require admin approval.

Example:

false

request_configuration_list

object

deprecated

The request configuration list of the configuration template. If not provided, the default request configuration will be used. Deprecated in favor of request_configurations.

Show child attributes

request_configuration_list.request_configurations

object[]

required

A list of request configurations to create.

Show child attributes

request_configuration_list.request_configurations.allow_requests

boolean

required

A bool representing whether or not to allow requests for this resource.

Example:

true

request_configuration_list.request_configurations.auto_approval

boolean

required

A bool representing whether or not to automatically approve requests for this resource.

Example:

false

request_configuration_list.request_configurations.require_mfa_to_request

boolean

required

A bool representing whether or not to require MFA for requesting access to this resource.

Example:

false

request_configuration_list.request_configurations.require_support_ticket

boolean

required

A bool representing whether or not access requests to the resource require an access ticket.

Example:

false

request_configuration_list.request_configurations.priority

integer

required

The priority of the request configuration.

Example:

1

request_configuration_list.request_configurations.condition

object

The condition for the request configuration.

Show child attributes

request_configuration_list.request_configurations.condition.group_ids

string<uuid>[]

The list of group IDs to match.

Example:

["1b978423-db0a-4037-a4cf-f79c60cb67b3"]

request_configuration_list.request_configurations.condition.role_remote_ids

string[]

The list of role remote IDs to match.

Example:

[
  "arn:aws:iam::590304332660:role/AdministratorAccess"
]

Example:

{
  "group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}

request_configuration_list.request_configurations.max_duration_minutes

integer

The maximum duration for which the resource can be requested (in minutes).

Example:

120

request_configuration_list.request_configurations.recommended_duration_minutes

integer

The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

request_configuration_list.request_configurations.extensions_duration_in_minutes

integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

request_configuration_list.request_configurations.request_template_id

string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

request_configuration_list.request_configurations.reviewer_stages

object[]

The list of reviewer stages for the request configuration.

Show child attributes

request_configuration_list.request_configurations.reviewer_stages.require_manager_approval

boolean

required

Whether this reviewer stage should require manager approval.

Example:

false

request_configuration_list.request_configurations.reviewer_stages.operator

enum<string>

required

The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.

Available options:

AND,

OR

Example:

"AND"

request_configuration_list.request_configurations.reviewer_stages.owner_ids

string<uuid>[]

required

request_configuration_list.request_configurations.reviewer_stages.require_admin_approval

boolean

Whether this reviewer stage should require admin approval.

Example:

false

Example:

{
  "request_configurations": [
    {
      "request_configuration_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
      "organization_id": "w86c85d-0651-43e2-a748-d69d658418e8",
      "condition": null,
      "allow_requests": true,
      "auto_approval": false,
      "require_mfa_to_request": false,
      "max_duration_minutes": 120,
      "recommended_duration_minutes": 120,
      "require_support_ticket": false,
      "reviewer_stages": [
        {
          "reviewer_stage_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
          "owner_ids": [
            "37cb7e41-12ba-46da-92ff-030abe0450b1",
            "37cb7e41-12ba-46da-92ff-030abe0450b2"
          ],
          "stage": 1
        }
      ],
      "priority": 0
    },
    {
      "request_configuration_id": "7c86c85d-0651-43e2-a748-d69d658418e9",
      "organization_id": "w86c85d-0651-43e2-a748-d69d658418e8",
      "condition": {
        "group_id": "1b978423-db0a-4037-a4cf-f79c60cb67b4"
      },
      "allow_requests": true,
      "auto_approval": false,
      "require_mfa_to_request": false,
      "max_duration_minutes": 120,
      "recommended_duration_minutes": 120,
      "require_support_ticket": false,
      "reviewer_stages": [
        {
          "reviewer_stage_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
          "owner_ids": [
            "37cb7e41-12ba-46da-92ff-030abe0450b1",
            "37cb7e41-12ba-46da-92ff-030abe0450b2"
          ],
          "stage": 1
        }
      ],
      "priority": 1
    }
  ]
}

ticket_propagation

object

Configuration for ticket propagation, when enabled, a ticket will be created for access changes related to the users in this resource.

Show child attributes

ticket_propagation.enabled_on_grant

boolean

required

ticket_propagation.enabled_on_revocation

boolean

required

ticket_propagation.ticket_provider

enum<string>

The third party ticketing platform provider.

Available options:

JIRA,

LINEAR,

SERVICE_NOW

Example:

"LINEAR"

ticket_propagation.ticket_project_id

string

custom_request_notification

string | null

Custom request notification sent upon request approval for this configuration template.

Maximum string length: 800

Example:

"Check your email to register your account."

Response

200 - application/json

The configuration template just created.

Configuration Template Object

Description

The ConfigurationTemplate object is used to represent a configuration template.

Usage Example

Returned from the GET Configuration Templates endpoint.

configuration_template_id

string<uuid>

The ID of the configuration template.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

name

string

The name of the configuration template.

Example:

"Prod AWS Template"

admin_owner_id

string<uuid>

The ID of the owner of the configuration template.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

visibility

object

The visibility info of the configuration template.

Show child attributes

visibility.visibility

enum<string>

required

The visibility level of the entity.

Available options:

GLOBAL,

LIMITED

Example:

"GLOBAL"

visibility.visibility_group_ids

string<uuid>[]

Example:

"private"

linked_audit_message_channel_ids

string<uuid>[]

The IDs of the audit message channels linked to the configuration template.

Example:

[
  "37cb7e41-12ba-46da-92ff-030abe0450b1",
  "37cb7e41-12ba-46da-92ff-030abe0450b2"
]

request_configuration_id

string<uuid>

The ID of the request configuration linked to the configuration template.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

member_oncall_schedule_ids

string<uuid>[]

The IDs of the on-call schedules linked to the configuration template.

Example:

[
  "37cb7e41-12ba-46da-92ff-030abe0450b1",
  "7c86c85d-0651-43e2-a748-d69d658418e8"
]

break_glass_user_ids

string<uuid>[]

The IDs of the break glass users linked to the configuration template.

Example:

[
  "37cb7e41-12ba-46da-92ff-030abe0450b1",
  "37cb7e41-12ba-46da-92ff-030abe0450b2"
]

require_mfa_to_approve

boolean

A bool representing whether or not to require MFA for reviewers to approve requests for this configuration template.

Example:

false

require_mfa_to_connect

boolean

A bool representing whether or not to require MFA to connect to resources associated with this configuration template.

Example:

false

ticket_propagation

object

Configuration for ticket propagation, when enabled, a ticket will be created for access changes related to the users in this resource.

Show child attributes

ticket_propagation.enabled_on_grant

boolean

required

ticket_propagation.enabled_on_revocation

boolean

required

ticket_propagation.ticket_provider

enum<string>

The third party ticketing platform provider.

Available options:

JIRA,

LINEAR,

SERVICE_NOW

Example:

"LINEAR"

ticket_propagation.ticket_project_id

string

custom_request_notification

string | null

Custom request notification sent upon request approval for this configuration template.

Maximum string length: 800

Example:

"Check your email to register your account."

API Concepts

SDKs

Opal API

Post configuration templates

Authorizations

Body

CreateConfigurationTemplateInfo Object

Description

Usage Example

Response

Configuration Template Object

Description

Usage Example