POST /uar
cURL
curl --request POST \
  --url https://api.opal.dev/v1/uar \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "name": "Monthly UAR (July)",
  "reviewer_assignment_policy": "MANUALLY",
  "send_reviewer_assignment_notification": false,
  "deadline": "2022-07-14T06:59:59.000Z",
  "time_zone": "America/Los_Angeles",
  "self_review_allowed": false,
  "reminder_schedule": [
    7,
    3,
    1,
    0
  ],
  "reminder_include_manager": true,
  "uar_scope": {
    "group_visibility": "STRICT",
    "tags": [
      {
        "key": "uar_scope",
        "value": "high_priority"
      }
    ],
    "names": [
      "demo",
      "api"
    ],
    "admins": [
      "f454d283-ca87-4a8a-bdbb-df212eca5353",
      "8763d283-ca87-4a8a-bdbb-df212ecab139"
    ]
  }
}'

200 - application/json
{
  "uar_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
  "name": "Monthly UAR (July)",
  "send_reviewer_assignment_notification": false,
  "deadline": "2022-07-14T06:59:59.000Z",
  "time_zone": "America/Los_Angeles",
  "self_review_allowed": false,
  "uar_scope": {
    "tags": [
      {
        "key": "uar_scope",
        "value": "high_priority"
      }
    ],
    "names": [
      "demo",
      "api"
    ],
    "admins": [
      "f454d283-ca87-4a8a-bdbb-df212eca5353",
      "8763d283-ca87-4a8a-bdbb-df212ecab139"
    ]
  }
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json

The settings of the UAR.

Information needed to start a user access review.

name
string
required

The name of the UAR.

Example:

"Monthly UAR (July)"

reviewer_assignment_policy
enum<string>
required

A policy for auto-assigning reviewers. If auto-assignment is on, specific assignments can still be manually adjusted after the access review is started. Default is Manually. BY_OWNING_TEAM_ADMIN assigns reviews to resource admins in round-robin fashion. BY_OWNING_TEAM_ADMIN_ALL assigns reviews to all resource admins. BY_APPROVERS assigns reviews to resource approvers in round-robin fashion. BY_APPROVERS_ALL assigns reviews to all resource approvers.

Available options:
MANUALLY,
BY_OWNING_TEAM_ADMIN,
BY_OWNING_TEAM_ADMIN_ALL,
BY_MANAGER,
BY_APPROVERS,
BY_APPROVERS_ALL

Example:

"MANUALLY"

send_reviewer_assignment_notification
boolean
required

A bool representing whether to send a notification to reviewers when they're assigned a new review. Default is False.

Example:

false

deadline
string<date-time>
required

The last day for reviewers to complete their access reviews.

Example:

"2022-07-14T06:59:59.000Z"

time_zone
string
required

The time zone name (as defined by the IANA Time Zone database) used in the access review deadline and exported audit report. Default is America/Los_Angeles.

Example:

"America/Los_Angeles"

self_review_allowed
boolean
required

A bool representing whether to present a warning when a user is the only reviewer for themself. Default is False.

Example:

false

instantly_action_reviews
boolean

A bool representing whether to instantly action changes when reviewers submit their decision. Default is False.

Example:

false

reminder_schedule
integer[]

reminder_include_manager
boolean

Example:

false

uar_scope
object

If set, the access review will only contain resources and groups that match at least one of the filters in scope.

Example:
{
  "filter_operator": "ANY",
  "users": ["userd283-ca87-4a8a-bdbb-df212eca5353"],
  "include_group_bindings": true,
  "tags": [
    {
      "key": "uar_scope",
      "value": "high_priority"
    }
  ],
  "names": ["demo", "api"],
  "admins": [
    "f454d283-ca87-4a8a-bdbb-df212eca5353",
    "8763d283-ca87-4a8a-bdbb-df212ecab139"
  ],
  "resource_types": ["GCP_CLOUD_SQL_POSTGRES_INSTANCE"],
  "group_types": ["AWS_SSO_GROUP"],
  "apps": [
    "pas2d283-ca87-4a8a-bdbb-df212eca5353",
    "apss2d283-ca87-4a8a-bdbb-df212eca5353"
  ],
  "entities": [
    "f454d283-as87-4a8a-bdbb-df212eca5353",
    "f454d283-as87-4a8a-bdbb-df212eca5329"
  ]
}
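
A pre-flight check for this request body, as an added example that is not Opal's code: it derives `deadline` as 23:59:59 on the last review day in `time_zone` (the page's sample value, 2022-07-14T06:59:59.000Z, is 23:59:59 on 13 July 2022 in America/Los_Angeles) and checks the required fields and enum values listed above. The function names and the end-of-day convention are assumptions.

```python
import json
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Enum values and required fields copied from the Body section of this page.
POLICIES = {"MANUALLY", "BY_OWNING_TEAM_ADMIN", "BY_OWNING_TEAM_ADMIN_ALL",
            "BY_MANAGER", "BY_APPROVERS", "BY_APPROVERS_ALL"}
REQUIRED = ("name", "reviewer_assignment_policy",
            "send_reviewer_assignment_notification", "deadline",
            "time_zone", "self_review_allowed")
BOOLEANS = ("send_reviewer_assignment_notification", "self_review_allowed",
            "instantly_action_reviews", "reminder_include_manager")
STAMP = "%Y-%m-%dT%H:%M:%S.%fZ"  # shape of the page's example deadline

def deadline_utc(last_day: date, tz_name: str) -> str:
    """23:59:59 on last_day in tz_name as a UTC string (end-of-day is an assumption)."""
    local = datetime.combine(last_day, time(23, 59, 59), tzinfo=ZoneInfo(tz_name))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def validate_uar_body(body: dict, now: datetime) -> list:
    """Return the problems found before sending; an empty list means none."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in body]
    policy = body.get("reviewer_assignment_policy")
    if policy is not None and policy not in POLICIES:
        problems.append(f"unknown reviewer_assignment_policy: {policy!r}")
    for key in BOOLEANS:
        if key in body and not isinstance(body[key], bool):
            problems.append(f"{key} must be a JSON boolean")
    if "time_zone" in body:
        try:
            ZoneInfo(body["time_zone"])
        except (ZoneInfoNotFoundError, ValueError, TypeError, OSError):
            problems.append(f"time_zone is not an IANA name: {body['time_zone']!r}")
    if "deadline" in body:
        try:
            due = datetime.strptime(body["deadline"], STAMP).replace(tzinfo=timezone.utc)
            if due <= now:
                problems.append("deadline is not in the future")
        except (ValueError, TypeError):
            problems.append("deadline is not a UTC date-time like the page's example")
    return problems

def build_body(name: str, last_day: date, tz_name: str, policy: str) -> str:
    """Assemble a minimal JSON body using the defaults stated on the page."""
    return json.dumps({"name": name, "reviewer_assignment_policy": policy,
                       "send_reviewer_assignment_notification": False,
                       "deadline": deadline_utc(last_day, tz_name),
                       "time_zone": tz_name, "self_review_allowed": False})
```

Because the offset comes from the IANA database, the same local end-of-day lands at 06:59:59Z in summer and 07:59:59Z in winter for America/Los_Angeles.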

Response

200 - application/json

The UAR that was started.

A user access review.

uar_id
string<uuid>
required

The ID of the UAR.

Example:

"f454d283-ca87-4a8a-bdbb-df212eca5353"

name
string
required

The name of the UAR.

Example:

"Monthly UAR (July)"

reviewer_assignment_policy
enum<string>
required

A policy for auto-assigning reviewers. If auto-assignment is on, specific assignments can still be manually adjusted after the access review is started. Default is Manually. BY_OWNING_TEAM_ADMIN assigns reviews to resource admins in round-robin fashion. BY_OWNING_TEAM_ADMIN_ALL assigns reviews to all resource admins. BY_APPROVERS assigns reviews to resource approvers in round-robin fashion. BY_APPROVERS_ALL assigns reviews to all resource approvers.

Available options:
MANUALLY,
BY_OWNING_TEAM_ADMIN,
BY_OWNING_TEAM_ADMIN_ALL,
BY_MANAGER,
BY_APPROVERS,
BY_APPROVERS_ALL

Example:

"MANUALLY"

send_reviewer_assignment_notification
boolean
required

A bool representing whether to send a notification to reviewers when they're assigned a new review. Default is False.

Example:

false

deadline
string<date-time>
required

The last day for reviewers to complete their access reviews.

Example:

"2022-07-14T06:59:59.000Z"

time_zone
string
required

The time zone name (as defined by the IANA Time Zone database) used in the access review deadline and exported audit report. Default is America/Los_Angeles.

Example:

"America/Los_Angeles"

self_review_allowed
boolean
required

A bool representing whether to present a warning when a user is the only reviewer for themself. Default is False.

Example:

false

instantly_action_reviews
boolean
required

A bool representing whether to instantly action changes when reviewers submit their decision. Default is False.

Example:

false

uar_scope
object

If set, the access review will only contain resources and groups that match at least one of the filters in scope.

Example:
{
  "filter_operator": "ANY",
  "users": ["userd283-ca87-4a8a-bdbb-df212eca5353"],
  "include_group_bindings": true,
  "tags": [
    {
      "key": "uar_scope",
      "value": "high_priority"
    }
  ],
  "names": ["demo", "api"],
  "admins": [
    "f454d283-ca87-4a8a-bdbb-df212eca5353",
    "8763d283-ca87-4a8a-bdbb-df212ecab139"
  ],
  "resource_types": ["GCP_CLOUD_SQL_POSTGRES_INSTANCE"],
  "group_types": ["AWS_SSO_GROUP"],
  "apps": [
    "pas2d283-ca87-4a8a-bdbb-df212eca5353",
    "apss2d283-ca87-4a8a-bdbb-df212eca5353"
  ],
  "entities": [
    "f454d283-as87-4a8a-bdbb-df212eca5353",
    "f454d283-as87-4a8a-bdbb-df212eca5329"
  ]
}