SDKs
Opal API
- GETGet groups
- PUTPut groups
- POSTPost groups
- GETGet group by ID
- DELDelete groups
- GETGet groups message channels
- PUTPut groups message channels
- GETGet groups on call schedules
- PUTPut groups on call schedules
- GETGet groups resources
- PUTPut groups resources
- GETGet nested groups
- POSTPost groups containing groups
- GETGet nested group by ID
- DELDelete groups containing groups
- POSTPost groups resources
- GETGet groups visibility
- PUTPut groups visibility
- GETGet groups reviewersdeprecated
- PUTPut groups reviewersdeprecated
- GETGet groups reviewer stagesdeprecated
- PUTPut groups reviewer stagesdeprecated
- GETGet groups tags
- GETGet groups users
- PUTPut groups users
- POSTPost groups users
- DELDelete groups users
- GETGet groupsusers
- GET
curl --request PUT \
--url https://api.opal.dev/v1/groups \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"groups": [
{
"group_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
"description": "This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases.",
"name": "api-group",
"admin_owner_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"max_duration": 120,
"require_manager_approval": false,
"require_support_ticket": false
},
{
"group_id": "99d0b81d-14be-4cf6-bd27-348b4af1d11b",
"description": "Manages the Integrations Team on-call privileged resources. This group is automatically synced with the on-call rotation defined in PagerDuty.",
"name": "on-call-integrations",
"admin_owner_id": "4220bc12-ab8a-4b5d-be7b-f6bbcf9159f3",
"max_duration": 360,
"require_manager_approval": false,
"require_support_ticket": true
}
]
}
'{
"groups": [
{
"group_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
"description": "This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases.",
"name": "api-group",
"admin_owner_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"max_duration": 120,
"require_manager_approval": false,
"require_support_ticket": false
},
{
"group_id": "99d0b81d-14be-4cf6-bd27-348b4af1d11b",
"description": "Manages the Integrations Team on-call privileged resources. This group is automatically synced with the on-call rotation defined in PagerDuty.",
"name": "on-call-integrations",
"admin_owner_id": "4220bc12-ab8a-4b5d-be7b-f6bbcf9159f3",
"max_duration": 360,
"require_manager_approval": false,
"require_support_ticket": true
}
]
}Bulk updates a list of groups.
curl --request PUT \
--url https://api.opal.dev/v1/groups \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '
{
"groups": [
{
"group_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
"description": "This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases.",
"name": "api-group",
"admin_owner_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"max_duration": 120,
"require_manager_approval": false,
"require_support_ticket": false
},
{
"group_id": "99d0b81d-14be-4cf6-bd27-348b4af1d11b",
"description": "Manages the Integrations Team on-call privileged resources. This group is automatically synced with the on-call rotation defined in PagerDuty.",
"name": "on-call-integrations",
"admin_owner_id": "4220bc12-ab8a-4b5d-be7b-f6bbcf9159f3",
"max_duration": 360,
"require_manager_approval": false,
"require_support_ticket": true
}
]
}
'{
"groups": [
{
"group_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
"description": "This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases.",
"name": "api-group",
"admin_owner_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"max_duration": 120,
"require_manager_approval": false,
"require_support_ticket": false
},
{
"group_id": "99d0b81d-14be-4cf6-bd27-348b4af1d11b",
"description": "Manages the Integrations Team on-call privileged resources. This group is automatically synced with the on-call rotation defined in PagerDuty.",
"name": "on-call-integrations",
"admin_owner_id": "4220bc12-ab8a-4b5d-be7b-f6bbcf9159f3",
"max_duration": 360,
"require_manager_approval": false,
"require_support_ticket": true
}
]
}Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
Groups to be updated
A list of groups with information to update.
Show child attributes
Show child attributes
The ID of the group.
"f454d283-ca87-4a87-bdbb-df212eca5353"
The name of the group.
"api-group"
A description of the group.
"This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases."
The ID of the owner of the group.
"7c86c85d-0651-43e2-a748-d69d658418e8"
The maximum duration for which the group can be requested (in minutes). Use -1 to set to indefinite. Deprecated in favor of request_configurations.
120
The recommended duration for which the group should be requested (in minutes). Will be the default value in a request. Use -1 to set to indefinite and 0 to unset. Deprecated in favor of request_configurations.
120
A bool representing whether or not access requests to the group require manager approval. Deprecated in favor of request_configurations.
false
A bool representing whether or not access requests to the group require an access ticket. Deprecated in favor of request_configurations.
false
The ID of the folder that the group is located in.
"e27cb7b0-98e2-4555-9916-9e6d8ca6b079"
A bool representing whether or not to require MFA for reviewers to approve requests for this group.
false
A bool representing whether or not to require MFA for requesting access to this group. Deprecated in favor of request_configurations.
false
A bool representing whether or not to automatically approve requests to this group. Deprecated in favor of request_configurations.
false
The ID of the associated configuration template.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
The ID of the associated request template. Deprecated in favor of request_configurations.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
A bool representing whether or not to allow access requests to this group. Deprecated in favor of request_configurations.
false
A list of User IDs for the group leaders of the group
The duration for which access can be extended (in minutes). Deprecated, set the extension duration in the request_configuration you want it to apply to.
120
The request configuration list of the configuration template. If not provided, the default request configuration will be used.
Show child attributes
Show child attributes
A bool representing whether or not to allow requests for this resource.
true
A bool representing whether or not to automatically approve requests for this resource.
false
A bool representing whether or not to require MFA for requesting access to this resource.
false
A bool representing whether or not access requests to the resource require an access ticket.
false
The priority of the request configuration.
1
The condition for the request configuration.
Show child attributes
Show child attributes
The list of group IDs to match.
["1b978423-db0a-4037-a4cf-f79c60cb67b3"]The list of role remote IDs to match.
[
"arn:aws:iam::590304332660:role/AdministratorAccess"
]{
"group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}The maximum duration for which the resource can be requested (in minutes).
120
The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.
120
The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.
120
The ID of the associated request template.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
The list of reviewer stages for the request configuration.
Show child attributes
Show child attributes
Whether this reviewer stage should require manager approval.
false
The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.
AND, OR "AND"
Whether this reviewer stage should require admin approval.
false
The request configuration list of the configuration template. If not provided, the default request configuration will be used. Deprecated in favor of request_configurations.
Show child attributes
Show child attributes
A list of request configurations to create.
Show child attributes
Show child attributes
A bool representing whether or not to allow requests for this resource.
true
A bool representing whether or not to automatically approve requests for this resource.
false
A bool representing whether or not to require MFA for requesting access to this resource.
false
A bool representing whether or not access requests to the resource require an access ticket.
false
The priority of the request configuration.
1
The condition for the request configuration.
Show child attributes
Show child attributes
The list of group IDs to match.
["1b978423-db0a-4037-a4cf-f79c60cb67b3"]The list of role remote IDs to match.
[
"arn:aws:iam::590304332660:role/AdministratorAccess"
]{
"group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}The maximum duration for which the resource can be requested (in minutes).
120
The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.
120
The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.
120
The ID of the associated request template.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
The list of reviewer stages for the request configuration.
Show child attributes
Show child attributes
Whether this reviewer stage should require manager approval.
false
The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.
AND, OR "AND"
Whether this reviewer stage should require admin approval.
false
{
"request_configurations": [
{
"request_configuration_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"organization_id": "w86c85d-0651-43e2-a748-d69d658418e8",
"condition": null,
"allow_requests": true,
"auto_approval": false,
"require_mfa_to_request": false,
"max_duration_minutes": 120,
"recommended_duration_minutes": 120,
"require_support_ticket": false,
"reviewer_stages": [
{
"reviewer_stage_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"owner_ids": [
"37cb7e41-12ba-46da-92ff-030abe0450b1",
"37cb7e41-12ba-46da-92ff-030abe0450b2"
],
"stage": 1
}
],
"priority": 0
},
{
"request_configuration_id": "7c86c85d-0651-43e2-a748-d69d658418e9",
"organization_id": "w86c85d-0651-43e2-a748-d69d658418e8",
"condition": {
"group_id": "1b978423-db0a-4037-a4cf-f79c60cb67b4"
},
"allow_requests": true,
"auto_approval": false,
"require_mfa_to_request": false,
"max_duration_minutes": 120,
"recommended_duration_minutes": 120,
"require_support_ticket": false,
"reviewer_stages": [
{
"reviewer_stage_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"owner_ids": [
"37cb7e41-12ba-46da-92ff-030abe0450b1",
"37cb7e41-12ba-46da-92ff-030abe0450b2"
],
"stage": 1
}
],
"priority": 1
}
]
}Custom request notification sent to the requester when the request is approved.
800"Check your email to register your account."
Indicates the level of potential impact misuse or unauthorized access may incur.
UNKNOWN, CRITICAL, HIGH, MEDIUM, LOW, NONE Response
The resulting updated group infos.
A list of groups with information to update.
Show child attributes
Show child attributes
The ID of the group.
"f454d283-ca87-4a87-bdbb-df212eca5353"
The name of the group.
"api-group"
A description of the group.
"This group represents Active Directory group \"Payments Production Admin\". We use this AD group to facilitate staging deployments and qualifying new releases."
The ID of the owner of the group.
"7c86c85d-0651-43e2-a748-d69d658418e8"
The maximum duration for which the group can be requested (in minutes). Use -1 to set to indefinite. Deprecated in favor of request_configurations.
120
The recommended duration for which the group should be requested (in minutes). Will be the default value in a request. Use -1 to set to indefinite and 0 to unset. Deprecated in favor of request_configurations.
120
A bool representing whether or not access requests to the group require manager approval. Deprecated in favor of request_configurations.
false
A bool representing whether or not access requests to the group require an access ticket. Deprecated in favor of request_configurations.
false
The ID of the folder that the group is located in.
"e27cb7b0-98e2-4555-9916-9e6d8ca6b079"
A bool representing whether or not to require MFA for reviewers to approve requests for this group.
false
A bool representing whether or not to require MFA for requesting access to this group. Deprecated in favor of request_configurations.
false
A bool representing whether or not to automatically approve requests to this group. Deprecated in favor of request_configurations.
false
The ID of the associated configuration template.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
The ID of the associated request template. Deprecated in favor of request_configurations.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
A bool representing whether or not to allow access requests to this group. Deprecated in favor of request_configurations.
false
A list of User IDs for the group leaders of the group
The duration for which access can be extended (in minutes). Deprecated, set the extension duration in the request_configuration you want it to apply to.
120
The request configuration list of the configuration template. If not provided, the default request configuration will be used.
Show child attributes
Show child attributes
A bool representing whether or not to allow requests for this resource.
true
A bool representing whether or not to automatically approve requests for this resource.
false
A bool representing whether or not to require MFA for requesting access to this resource.
false
A bool representing whether or not access requests to the resource require an access ticket.
false
The priority of the request configuration.
1
The condition for the request configuration.
Show child attributes
Show child attributes
The list of group IDs to match.
["1b978423-db0a-4037-a4cf-f79c60cb67b3"]The list of role remote IDs to match.
[
"arn:aws:iam::590304332660:role/AdministratorAccess"
]{
"group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}The maximum duration for which the resource can be requested (in minutes).
120
The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.
120
The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.
120
The ID of the associated request template.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
The list of reviewer stages for the request configuration.
Show child attributes
Show child attributes
Whether this reviewer stage should require manager approval.
false
The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.
AND, OR "AND"
Whether this reviewer stage should require admin approval.
false
The request configuration list of the configuration template. If not provided, the default request configuration will be used. Deprecated in favor of request_configurations.
Show child attributes
Show child attributes
A list of request configurations to create.
Show child attributes
Show child attributes
A bool representing whether or not to allow requests for this resource.
true
A bool representing whether or not to automatically approve requests for this resource.
false
A bool representing whether or not to require MFA for requesting access to this resource.
false
A bool representing whether or not access requests to the resource require an access ticket.
false
The priority of the request configuration.
1
The condition for the request configuration.
Show child attributes
Show child attributes
The list of group IDs to match.
["1b978423-db0a-4037-a4cf-f79c60cb67b3"]The list of role remote IDs to match.
[
"arn:aws:iam::590304332660:role/AdministratorAccess"
]{
"group_ids": ["1b978423-db0a-4037-a4cf-f79c60cb67b3"]
}The maximum duration for which the resource can be requested (in minutes).
120
The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.
120
The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.
120
The ID of the associated request template.
"06851574-e50d-40ca-8c78-f72ae6ab4304"
The list of reviewer stages for the request configuration.
Show child attributes
Show child attributes
Whether this reviewer stage should require manager approval.
false
The operator of the reviewer stage. Admin and manager approval are also treated as reviewers.
AND, OR "AND"
Whether this reviewer stage should require admin approval.
false
{
"request_configurations": [
{
"request_configuration_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"organization_id": "w86c85d-0651-43e2-a748-d69d658418e8",
"condition": null,
"allow_requests": true,
"auto_approval": false,
"require_mfa_to_request": false,
"max_duration_minutes": 120,
"recommended_duration_minutes": 120,
"require_support_ticket": false,
"reviewer_stages": [
{
"reviewer_stage_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"owner_ids": [
"37cb7e41-12ba-46da-92ff-030abe0450b1",
"37cb7e41-12ba-46da-92ff-030abe0450b2"
],
"stage": 1
}
],
"priority": 0
},
{
"request_configuration_id": "7c86c85d-0651-43e2-a748-d69d658418e9",
"organization_id": "w86c85d-0651-43e2-a748-d69d658418e8",
"condition": {
"group_id": "1b978423-db0a-4037-a4cf-f79c60cb67b4"
},
"allow_requests": true,
"auto_approval": false,
"require_mfa_to_request": false,
"max_duration_minutes": 120,
"recommended_duration_minutes": 120,
"require_support_ticket": false,
"reviewer_stages": [
{
"reviewer_stage_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
"owner_ids": [
"37cb7e41-12ba-46da-92ff-030abe0450b1",
"37cb7e41-12ba-46da-92ff-030abe0450b2"
],
"stage": 1
}
],
"priority": 1
}
]
}Custom request notification sent to the requester when the request is approved.
800"Check your email to register your account."
Indicates the level of potential impact misuse or unauthorized access may incur.
UNKNOWN, CRITICAL, HIGH, MEDIUM, LOW, NONE Was this page helpful?