Get groups

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Query Parameters

cursor

string

The pagination cursor value.

page_size

integer

Number of results to return per page. Default is 200.

Required range: x <= 1000

group_type_filter

enum<string>

The group type to filter by. The type of the group.

Available options:

ACTIVE_DIRECTORY_GROUP,

AWS_SSO_GROUP,

DATABRICKS_ACCOUNT_GROUP,

DUO_GROUP,

GIT_HUB_TEAM,

GIT_LAB_GROUP,

GOOGLE_GROUPS_GROUP,

GOOGLE_GROUPS_GKE_GROUP,

LDAP_GROUP,

OKTA_GROUP,

OKTA_GROUP_RULE,

TAILSCALE_GROUP,

OPAL_GROUP,

OPAL_ACCESS_RULE,

AZURE_AD_SECURITY_GROUP,

AZURE_AD_MICROSOFT_365_GROUP,

CONNECTOR_GROUP,

SNOWFLAKE_ROLE,

WORKDAY_USER_SECURITY_GROUP,

PAGERDUTY_ON_CALL_SCHEDULE,

INCIDENTIO_ON_CALL_SCHEDULE,

DEVIN_GROUP

Example:

"OPAL_GROUP"

group_ids

string<uuid>[]

The group ids to filter by.

group_name

string

Group name.

Response

200 - application/json

One page worth groups associated with your organization.

results

object[]

required

Show child attributes

results.group_id

string<uuid>

required

The ID of the group.

Example:

"f454d283-ca87-4a8a-bdbb-df212eca5353"

results.app_id

string<uuid>

The ID of the group's app.

Example:

"b5a5ca27-0ea3-4d86-9199-2126d57d1fbd"

results.name

string

The name of the group.

Example:

"API Group"

results.description

string

A description of the group.

Example:

"This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases."

results.admin_owner_id

string<uuid>

The ID of the owner of the group.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

results.group_leader_user_ids

string<uuid>[]

A list of User IDs for the group leaders of the group

results.remote_id

string

The ID of the remote.

Example:

"google-group-group:037m2jsg218b2wb"

results.remote_name

string

The name of the remote.

Example:

"Finance team"

results.group_type

enum<string>

The type of the group.

Available options:

ACTIVE_DIRECTORY_GROUP,

AWS_SSO_GROUP,

DATABRICKS_ACCOUNT_GROUP,

DUO_GROUP,

GIT_HUB_TEAM,

GIT_LAB_GROUP,

GOOGLE_GROUPS_GROUP,

GOOGLE_GROUPS_GKE_GROUP,

LDAP_GROUP,

OKTA_GROUP,

OKTA_GROUP_RULE,

TAILSCALE_GROUP,

OPAL_GROUP,

OPAL_ACCESS_RULE,

AZURE_AD_SECURITY_GROUP,

AZURE_AD_MICROSOFT_365_GROUP,

CONNECTOR_GROUP,

SNOWFLAKE_ROLE,

WORKDAY_USER_SECURITY_GROUP,

PAGERDUTY_ON_CALL_SCHEDULE,

INCIDENTIO_ON_CALL_SCHEDULE,

DEVIN_GROUP

Example:

"OPAL_GROUP"

results.max_duration

integer

The maximum duration for which the group can be requested (in minutes).

Example:

120

results.recommended_duration

integer

The recommended duration for which the group should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

results.extensions_duration_in_minutes

integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

results.require_manager_approval

boolean

deprecated

A bool representing whether or not access requests to the group require manager approval.

Example:

false

results.require_support_ticket

boolean

A bool representing whether or not access requests to the group require an access ticket.

Example:

false

results.require_mfa_to_approve

boolean

A bool representing whether or not to require MFA for reviewers to approve requests for this group.

Example:

false

results.require_mfa_to_request

boolean

A bool representing whether or not to require MFA for requesting access to this group.

Example:

false

results.auto_approval

boolean

A bool representing whether or not to automatically approve requests to this group.

Example:

false

results.request_template_id

string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

results.configuration_template_id

string<uuid>

The ID of the associated configuration template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

results.group_binding_id

string<uuid>

The ID of the associated group binding.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

results.is_requestable

boolean

A bool representing whether or not to allow access requests to this group.

Example:

false

results.request_configurations

object[]

A list of request configurations for this group.

Show child attributes

results.request_configurations.allow_requests

boolean

required

A bool representing whether or not to allow requests for this resource.

Example:

true

results.request_configurations.auto_approval

boolean

required

A bool representing whether or not to automatically approve requests for this resource.

Example:

false

results.request_configurations.require_mfa_to_request

boolean

required

A bool representing whether or not to require MFA for requesting access to this resource.

Example:

false

results.request_configurations.require_support_ticket

boolean

required

A bool representing whether or not access requests to the resource require an access ticket.

Example:

false

results.request_configurations.priority

integer

required

The priority of the request configuration.

Example:

1

results.request_configurations.condition

object

The condition for the request configuration.

Show child attributes

results.request_configurations.condition.group_ids

string<uuid>[]

The list of group IDs to match.

Example:

["1b978423-db0a-4037-a4cf-f79c60cb67b3"]

results.request_configurations.condition.role_remote_ids

string[]

The list of role remote IDs to match.

Example:

[
  "arn:aws:iam::590304332660:role/AdministratorAccess"
]

Example:

{
  "group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}

results.request_configurations.max_duration_minutes

integer

The maximum duration for which the resource can be requested (in minutes).

Example:

120

results.request_configurations.recommended_duration_minutes

integer

The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

results.request_configurations.extensions_duration_in_minutes

integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

results.request_configurations.request_template_id

string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

results.request_configurations.reviewer_stages

object[]

The list of reviewer stages for the request configuration.

Show child attributes

results.request_configurations.reviewer_stages.require_manager_approval

boolean

required

Whether this reviewer stage should require manager approval.

Example:

false

results.request_configurations.reviewer_stages.operator

enum<string>

required

The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.

Available options:

AND,

OR

Example:

"AND"

results.request_configurations.reviewer_stages.owner_ids

string<uuid>[]

required

results.request_configurations.reviewer_stages.require_admin_approval

boolean

Whether this reviewer stage should require admin approval.

Example:

false

Example:

[]

results.request_configuration_list

object[]

deprecated

A list of request configurations for this group. Deprecated in favor of request_configurations.

Show child attributes

results.request_configuration_list.allow_requests

boolean

required

A bool representing whether or not to allow requests for this resource.

Example:

true

results.request_configuration_list.auto_approval

boolean

required

A bool representing whether or not to automatically approve requests for this resource.

Example:

false

results.request_configuration_list.require_mfa_to_request

boolean

required

A bool representing whether or not to require MFA for requesting access to this resource.

Example:

false

results.request_configuration_list.require_support_ticket

boolean

required

A bool representing whether or not access requests to the resource require an access ticket.

Example:

false

results.request_configuration_list.priority

integer

required

The priority of the request configuration.

Example:

1

results.request_configuration_list.condition

object

The condition for the request configuration.

Show child attributes

results.request_configuration_list.condition.group_ids

string<uuid>[]

The list of group IDs to match.

Example:

["1b978423-db0a-4037-a4cf-f79c60cb67b3"]

results.request_configuration_list.condition.role_remote_ids

string[]

The list of role remote IDs to match.

Example:

[
  "arn:aws:iam::590304332660:role/AdministratorAccess"
]

Example:

{
  "group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}

results.request_configuration_list.max_duration_minutes

integer

The maximum duration for which the resource can be requested (in minutes).

Example:

120

results.request_configuration_list.recommended_duration_minutes

integer

The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

results.request_configuration_list.extensions_duration_in_minutes

integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

results.request_configuration_list.request_template_id

string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

results.request_configuration_list.reviewer_stages

object[]

The list of reviewer stages for the request configuration.

Show child attributes

results.request_configuration_list.reviewer_stages.require_manager_approval

boolean

required

Whether this reviewer stage should require manager approval.

Example:

false

results.request_configuration_list.reviewer_stages.operator

enum<string>

required

The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.

Available options:

AND,

OR

Example:

"AND"

results.request_configuration_list.reviewer_stages.owner_ids

string<uuid>[]

required

results.request_configuration_list.reviewer_stages.require_admin_approval

boolean

Whether this reviewer stage should require admin approval.

Example:

false

Example:

[]

results.metadata

string

deprecated

JSON metadata about the remote group. Only set for items linked to remote systems. See this guide for details.

Example:

"{ \"okta_directory_group\": { \"group_id\": \"00g4bs66kwtpe1g12345\" } }"

results.remote_info

object

Information that defines the remote group. This replaces the deprecated remote_id and metadata fields. If remote_info is provided, a group will be imported into Opal. For group types that support group creation through Opal, a new group will be created if remote_info is not provided.

Show child attributes

results.remote_info.active_directory_group

object

Remote info for Active Directory group.

Show child attributes

results.remote_info.active_directory_group.group_id

string

required

The id of the Google group.

Example:

"01fa7402-01d8-103b-8deb-5f3a0ab7884"

results.remote_info.tailscale_group

object

Remote info for Tailscale group.

Show child attributes

results.remote_info.tailscale_group.group_id

string

required

The id of the Tailscale group.

Example:

898931321

results.remote_info.aws_sso_group

object

Remote info for AWS SSO group.

Show child attributes

results.remote_info.aws_sso_group.group_id

string

required

The id of the AWS SSO group.

Example:

898931321

results.remote_info.databricks_account_group

object

Remote info for Databricks account group.

Show child attributes

results.remote_info.databricks_account_group.group_id

string

required

The id of the Databricks account group.

Example:

898931321

results.remote_info.connector_group

object

Remote info for Connector group.

Show child attributes

results.remote_info.connector_group.group_id

string

required

The id of the Connector group.

Example:

898931321

results.remote_info.github_team

object

Remote info for GitHub team.

Show child attributes

results.remote_info.github_team.team_slug

string

required

The slug of the GitHub team.

Example:

"opal-security"

results.remote_info.github_team.team_id

string

deprecated

The id of the GitHub team.

Example:

898931321

results.remote_info.gitlab_group

object

Remote info for Gitlab group.

Show child attributes

results.remote_info.gitlab_group.group_id

string

required

The id of the Gitlab group.

Example:

898931321

results.remote_info.google_group

object

Remote info for Google group.

Show child attributes

results.remote_info.google_group.group_id

string

required

The id of the Google group.

Example:

"1y6w882181n7sg"

results.remote_info.ldap_group

object

Remote info for LDAP group.

Show child attributes

results.remote_info.ldap_group.group_id

string

required

The id of the LDAP group.

Example:

"01fa7402-01d8-103b-8deb-5f3a0ab7884"

results.remote_info.okta_group

object

Remote info for Okta Directory group.

Show child attributes

results.remote_info.okta_group.group_id

string

required

The id of the Okta Directory group.

Example:

"00gjs33pe8rtmRrp3rd6"

results.remote_info.duo_group

object

Remote info for Duo Security group.

Show child attributes

results.remote_info.duo_group.group_id

string

required

The id of the Duo Security group.

Example:

"DSRD8W89B9DNDBY4RHAC"

results.remote_info.azure_ad_security_group

object

Remote info for Microsoft Entra ID Security group.

Show child attributes

results.remote_info.azure_ad_security_group.group_id

string

required

The id of the Microsoft Entra ID Security group.

Example:

"01fa7402-01d8-103b-8deb-5f3a0ab7884"

results.remote_info.azure_ad_microsoft_365_group

object

Remote info for Microsoft Entra ID Microsoft 365 group.

Show child attributes

results.remote_info.azure_ad_microsoft_365_group.group_id

string

required

The id of the Microsoft Entra ID Microsoft 365 group.

Example:

"01fa7402-01d8-103b-8deb-5f3a0ab7884"

results.remote_info.snowflake_role

object

Remote info for Snowflake role.

Show child attributes

results.remote_info.snowflake_role.role_id

string

required

The id of the Snowflake role.

Example:

"01fa7402-01d8-103b-8deb-5f3a0ab7884"

results.remote_info.okta_group_rule

object

Remote info for Okta Directory group rule.

Show child attributes

results.remote_info.okta_group_rule.rule_id

string

required

The id of the Okta group rule.

Example:

"0pr3f7zMZZHPgUoWO0g4"

results.remote_info.workday_user_security_group

object

Remote info for Workday User Security group.

Show child attributes

results.remote_info.workday_user_security_group.group_id

string

required

The id of the Workday User Security group.

Example:

"123abc456def"

results.remote_info.pagerduty_on_call_schedule

object

Remote info for PagerDuty on-call schedule group.

Show child attributes

results.remote_info.pagerduty_on_call_schedule.schedule_id

string

required

The id of the PagerDuty on-call schedule.

Example:

"PNZNINN"

results.remote_info.incidentio_on_call_schedule

object

Remote info for Incident.io on-call schedule group.

Show child attributes

results.remote_info.incidentio_on_call_schedule.schedule_id

string

required

The id of the Incident.io on-call schedule.

Example:

"01HZ8XQM9ZQX8RKMZQ8ZQX8RK"

results.remote_info.devin_group

object

Remote info for Devin group.

Show child attributes

results.remote_info.devin_group.group_name

string

required

The name of the Devin group.

Example:

"devin-group-01"

results.custom_request_notification

string | null

Custom request notification sent to the requester when the request is approved.

Maximum string length: 800

Example:

"Check your email to register your account."

results.risk_sensitivity

enum<string>

The risk sensitivity level for the group. When an override is set, this field will match that.

Available options:

UNKNOWN,

CRITICAL,

HIGH,

MEDIUM,

LOW,

NONE

results.risk_sensitivity_override

enum<string>

Indicates the level of potential impact misuse or unauthorized access may incur.

Available options:

UNKNOWN,

CRITICAL,

HIGH,

MEDIUM,

LOW,

NONE

results.last_successful_sync

object

Information about the last successful sync of this group.

Show child attributes

results.last_successful_sync.id

string<uuid>

required

The ID of the sync task.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

results.last_successful_sync.completed_at

string<date-time>

required

The time when the sync task was completed.

Example:

"2023-10-01T12:00:00.000Z"

Example:

{
  "id": "7c86c85d-0651-43e2-a748-d69d658418e8",
  "completed_at": "2023-10-01T12:00:00.000Z"
}

string | null

The cursor with which to continue pagination if additional result pages exist.

Example:

"cD0yMDIxLTAxLTA2KzAzJTNBMjQlM0E1My40MzQzMjYlMkIwMCUzQTAw"

string | null

The cursor used to obtain the current result page.

Example:

"cj1sZXdwd2VycWVtY29zZnNkc2NzUWxNMEUxTXk0ME16UXpNallsTWtJ"

API Concepts

SDKs

Opal API

Authorizations

Query Parameters

Response