Bug Fixes
- Fixed bug where admin owners were not allowed to edit max users
- Fixed not being able to add immutable groups (e.g. access rules) as member groups from group access screen
- Fixed missing option to use login as primary field when creating a new Okta connection/Native App
- Fixed a bug with permission handling in the resource import flow to correctly respect connection-specific permissions
Improvements
- On Call schedules can now be imported directly as groups from PagerDuty Native App
Self-hosted only
- (Helm) Added support for chart-level node affinity that applies to all pods
Bug Fixes
- Fixed missing owner source group information in Group Details tab.
Removed
- Fixed missing Google Chat notifications when comments are added to access requests
- Removed incorrect group resources access review vulnerability information
- Fixed an issue where requests could error out if their associated request configuration was deleted after the request was created.
- Fixed missing resource names in the get user resources API Endpoint.
Removed
- Removed vulnerabilities column from Access Review Group Resources view to streamline the interface
Bug Fixes
- Fixed an issue in the Pagerduty integration where some users would be missed during ingestion
- Fixed an issue where users with mixed-case email addresses might not be properly matched when uploading CSV files for adding users to groups or resources
- Fixed Linear ticket status to default to Triage when Triage is enabled
Bug Fixes
- Fixed latency issues in UAR group reviews that were causing timeouts for on-premises deployments
Bug Fixes
- Fixed an issue where some users were missed during ingestion in the PagerDuty integration
Bug Fixes
- Fixed bug where ticket propagation creation events were mislabeled
- Fixed issues in the iLevel connection where role assignments were pulled incorrectly and deprovisioning failed
Added
- Added support for interactive buttons in Google Chat notifications, allowing users to approve, deny, cancel, or escalate requests directly from Google Chat
Improved
- Moved native app create groups button to assets table for better accessibility
Bug Fixes
- Fixed an issue with GitHub SAML user ingestion where certain users would not have their access ingested due to ID mismatches
- Fixed a bug where you were not able to bulk request roles in an Okta app
Added
- Added support for interactive buttons in Google Chat notifications, allowing users to approve, deny, cancel, or escalate requests directly from Google Chat
Improved
- Moved native app create groups button to assets table for better accessibility
Bug Fixes
- Fixed an issue with GitHub SAML user ingestion where certain users would not have their access ingested due to ID mismatches
- Fixed a bug where you were not able to bulk request roles in an Okta app
Bug Fixes
- Fixed a bug where Opal Service Users would fail to authenticate
- Fixed an issue where Slack slash command option names with expiration information could be truncated incorrectly, potentially causing display problems in the Slack UI
- Fixed a bug in Oracle Fusion Connection that redirected users to a broken URL after creating a Github App
Added
- Enabled deprovisioning from the iLevel connection
Improved
- Updated Freshservice ticket type prefixes to automatically sync when ticket type is changed in remote system
- Enhanced request comments to appear as ticket comments for propagation tickets
Bug Fixes
- Fixed the K-Bar not working on Windows computers
- Fixed an issue where users could be assigned as reviewers for items they don’t have visibility to
- Fixed an issue where Jira tickets could not be synced if the number of tickets was too long to query
Bug Fixes
- Fixed a bug causing adding users to groups with access to unmanaged resources to fail.
Bug Fixes
- Fixed a bug causing adding users to groups with access to unmanaged resources to fail.
Improved
- Strengthen Content Security Policy (CSP) for air-gapped Opal deployment environments.
- Improve the UX in slack when there are too many search results.
Improved
- Improve performance when selecting owners in the approval stages.
- Improve retry handling for rate-limited requests from Freshservice.
- Improve rate-limit error handling by auto-retrying requests for Jira ticketing integration.
- Moved access rule conditions into a modal instead of the left sidebar on Access Rule UARs.
Bug Fixes
- Fixed a bug allowing expired resources to get extended access.
- Fixed a bug preventing groups from being given access to Anthropic workspaces.
- Fixed a bug that sometimes caused request configuration priorities to be out of order.
- Fixes a bug where listing assignments could be extremely slow.
Self-hosted Only
- Fixed Azure US Government integration to use the correct endpoint.
- (Airgapped On-Prem Only) Avoid browser calls to initialize Pendo for airgapped environments.
Added
- Adds option to revoke all unreviewed access at the end of an Access Review
- Updated the request details screen to show the approver chain after a request has been completed
Bug Fixes
- Fixed poor performance when loading items with visibility restrictions. Some users were seeing timeouts as a result of this bug.
Added
- Added Google Chat notification support for access requests being approved, denied, and cancelled
Improved
- Improved race condition handling between scheduled & real time sync
- Improved Salesforce setup documentation
- Improved visibility of import items button for native apps by moving it into the assets table
- Made handling of role conditions more explicit in GCP, favoring creating new role bindings rather than attaching to existing bindings
Bug Fixes
- Fixed a bug where the requested role would not be included in request audit tickets
- Fixed an issue where Opal would not retry push-only custom app webhooks on 5xx, 429 and 408 errors
- Fixed a bug where flakiness in the Azure API on listing application templates could result in entitlement sync failing for Azure Enterprise Apps
- Fixed a bug where Jira would erroneously find multiple users in certain cases
- Fixed an issue in the request UI to prevent expired delegations from displaying as reviewers
- Fixed scroll on settings pages
Bug fixes
- Fixed a bug where flakiness in the Azure API on listing application templates could result in entitlement sync failing for Azure Enterprise Apps.
Added
- Added search functionality to Add Apps Catalog
- Added support for pulling icons for Azure Enterprise Applications when icons are not set by the user in Azure
- Added Notion as a new third-party ticket provider for creating and managing tickets
Improved
- Improved request delegation by only showing active users for selection
- Enhanced request delegation security by preventing excluded groups, non-team members, and non-managers from being delegated to
Bug fixes
- Fixed a bug where group-group deletions could fail to propagate in certain group topologies.
Bug fixes
- Fixed performance issue when creating new group <=> group assignments.
Added
- Added ability to search for resources using their remote IDs (such as AWS ARNs or instance IDs), making it easier to find specific resources in large environments
Bug Fixes
- Fixed a bug where the catalog modals closed when redirecting from the button or from search
- Fixed inconsistent behavior when deleting access edges (group users, group resources etc). If the access edge doesn’t exist, empty success will always be returned instead of sometimes returning not found errors.
- Fixed a bug where syncing a large number of groups could produce Opal internal errors
Bug Fixes
- Fixed bug causing IDP group mappings to get hidden in the catalog.
Improved
- Enabled searching by resource’s remote ID in UI for easier resource discovery
Improved
- Improved IDP group mappings API with RESTful URL structure and included application resource ID in responses
Bug Fixes
- Fixed permissions issue preventing non-super-admins with import permissions from triggering resource imports for Native Apps
- Fixed tag dropdown search functionality to properly filter results
- Fixed table sorting to correctly handle resource access without expiration dates
Added
- Added the ability to sort access review assignments by reviewer name, making it easier to organize and find assignments
Improved
- Improved Okta app visibility by showing apps both as top-level items and as resources under the Okta Native app, enabling bulk edit/removal via the Assets table
Bug Fixes
- Fixed rendering issue for custom fields in ticketing integrations
- Fixed a bug where indirect access could fail to propagate in specific edge cases
Deprecated
Bug Fixes
- Fixed nested group indirect access propagation failure in specific edge cases
Added
- Added Github app setting to toggle automatically linking Github user identities for Organizations using SAML SSO
- Added ability for admins to create delegations for all users in the organization at inventory/delegations
- Added a new REST API endpoint to retrieve individual IDP group mappings by app resource ID and group ID
-
Added public API endpoints for managing request reviewer delegations, allowing users to delegate access review requests to other users during absences
- GET endpoint for listing delegations
- POST endpoint for creating delegations
- GET endpoint for retrieving specific delegations
- DELETE endpoint for removing delegations
-
Added support for user account deprovisioning for Okta, Salesforce, PagerDuty, Duo, Google Workspace, and Custom Connectors. Deprovisioning can be enabled for an app under “Edit App”. Once enabled, user accounts will be deprovisioned when:
- Their access is revoked in an access review
- When deprovisioning is disabled, user accounts will not be displayed in access reviews, only their entitlements.
- The user is deprovisioned in the configured HRIS/IDP
- The account is manually deprovisioned via Opal
- Their access is revoked in an access review
Improved
- Improved Slack admin/deny/approval with MFA modal to be simpler to use (Slack only)
Bug Fixes
- Fixed an issue where a nil pointer would sometimes be surfaced for Okta group rules sync, instead of the actual error
- Fixed an issue where approvals with MFA would not resolve when approving through Slack (Slack only)
- Fixed a bug where the App Details tab could become stuck on loading
- Removed revocation indicator on Requests details view
Added
-
Added new public API endpoints:
GET /requests/:id/commentsPOST /requests/:id/commentsPOST /requests/:id/deny
-
Added an API endpoint,
GET /groups/users/:user_id, to request all groups a user is a member of
Improved
- The
POST /groupsAPI endpoint now creates Okta and Google Groups ifremote_infois not specified. This is useful for Terraform or custom automation when creating new remote groups is desirable. - The Connect button is now shown when available instead of Request in the Catalog card view.
Bug Fixes
- Fixed
GET /requests/:idendpoint issues where reviewer stages were missing information andrequested_itemslist showed incorrect access levels - Fixed a bug preventing updating access review deadlines
Improved
- Improved categorization of native apps
Bug Fixes
- Fixed an issue where the
GET /resourcesAPI would return 500s - Fixed issue where users were not rendered correctly when adding more than 50 of them to an Access Review
- Fixed a bug preventing creation of apps for GitHub organizations in enterprises with managed users
Added
- Added feature to quickly re-request access to resources in Slack
- Added feature to extend access to requests in the Opal UI and Slack, configurable when editing resources
- Added the ability to star resources as Favorites in the Catalog
Bug Fixes
- Fixed Select all button not being clickable
- Fixed access review name filters not working
Added
- Added visibility toggle to AWS credentials on Connect page
Bug Fixes
- Fixed date picker in UAR flow that was causing incorrect dates to be used
- Fixed modal behavior to properly close when navigating forward/backward in browser
- Fixed issue that was breaking the sign-in flow when accessing deep links into Opal
Improved
- Disallow read-only admins from hiding/unhiding grants from Risk Center
Added
- Added a new API endpoint to create or update individual IDP group mappings, allowing for more granular control when managing group mappings
Improved
- Improved the access review preview interface with better handling of items that have no reviews, making it easier to identify which connections, groups, and resources will generate review items
- Reworked bulk update and bulk import logic to offload large tasks to be asynchronous, large item updates will be processed in the background and will notify admins in case of success or failure
- Masked AWS Credential values on the resource Connect screen
- Enhanced access review capabilities for custom connectors when user deprovisioning is enabled
- Cleaned up interaction with adding/removing reviewers in request configuration
Bug Fixes
- Fixed a bug where propagation events would not be created for user provisioning
- Fixed a bug where the resource/group configuration form could error out when setting or unlinking a template
Added
- Added links to configuration template label on detail cards
- Added an option to set recommended duration as Permanent in request configurations
- Added copy name as link to catalog cards
Bug Fixes
- Fixed bug where Jira tickets don’t have their reporter set if your Jira Data Center instance uses non-email usernames (requires Jira Data Center version 8.14 or later)
- Fixed REST API logging error for status codes
Improved
- Updated styling for access review overview
Bug Fixes
- Fixed Approve OpenAPI endpoint which would error in some cases
- Fixed issue where Escalate to skip-manager modal was showing the viewer’s skip manager instead of the target user’s skip manager
- Fixed API bug where importing a child resource would fail if the parent resource was unmanaged
Improved
- Updated Slack message preview for Soon To Expire Access messages to display the asset and time until expiration
- Updated group more actions button design and functionality
- Updated duration events to display as durations properly instead of timestamps
- Updated toast notifications to automatically disappear after 4 seconds by default
- Updated design for catalog cards with improved visual styling
Added
- Added ENTITY_TAG_ADDED events when tags are attached to a group/resource/user
- Added ENTITY_TAG_REMOVED events when tags are removed from a group/resource/user
Improved
- Improved performance of visibility group selector
- Improved user resource and groups tables’ performance with unmanaged resources on web
- Improved user resources API endpoint performance with unmanaged resources and proper pagination
- Improved Jira ticket creation to handle suspended or inactive reporters gracefully
- Ticket creation is no longer cancelled if Jira Service Management projects are missing the opal-specific request type “Access Change - Opal”
Bug Fixes
- Fixed break glass users dropdown displaying when not in edit mode
- Fixed Dashboard page date range selector
- Fixed incorrect display of human users in Databricks groups’ “Non-Human Access” tab
Improved
- Updated manual sync toast notifications to automatically close after success or failure states
Bug Fixes
- Fixed bulk selecting functionality on resource groups when multiple roles are assigned
- Fixed audit tickets not updating their status properly
- Fixed ticket creation failures in Jira Service Management projects when required fields were missing
Added
- Added ability for Admins to turn off Request Review Delegation
- Added owner names to bundles on catalog
- Added ticket propagation support for Jira Service Management projects for self-hosted Jira instances - the reporter will now be set for JSM projects and the links to the tickets will direct to the customer-facing URL rather than the agent URL
- Added a link to propagation tickets created for requests on non-admin request views
- Added support for setting the Request Type field for Jira Service Management issues when Issue Types are associated with Request Types
Improved
- Improved event naming consistency -
GROUPS_ADDED_TO_GROUPSevents now show up asROLE_ASSIGNMENTS_CREATED - Improved event naming consistency -
GROUP_GROUPS_UPDATEDevents now show up asROLE_ASSIGNMENTS_UPDATED - Improved event naming consistency -
GROUPS_REMOVED_FROM_GROUPSevents now show up asROLE_ASSIGNMENTS_DELETED - Improved Jira ticket linking for JSM projects to use customer-facing URLs instead of agent URLs
- Enhanced Jira integration to always set the reporter field to the person making the request in Opal - if the email does not exist in Jira, a customer account will be created
Bug Fixes
- Fixed configuration template edit button not redirecting to the edit page
- Fixed Jira bug for self-hosted Jira instances where access tickets could not be linked to requests
Added
- Added support for roles in CSV uploads for custom apps
- Updated search to correctly show the logo for Resource Apps instead of the logo for their parent Apps.
Bug Fixes
- Fixed the ‘Create UAR without Scope’ warning modal incorrectly appearing when only scoping by group types
- Fixed bulk expiration button showing incorrect expiration option on first load
Self-hosted only
- Replaced Bitnami Redis images with Opal-hosted alternatives (On-prem customers must upgrade to this version by 08/28/2025)
Added
- Added the ability to delegate access request reviews to other organization members. Schedule delegates from Settings > Delegates, accessible from your user profile in the lower left corner of the dashboard
Improvements
- Improved end user details interface by separating ID and link copy buttons for better usability
Bug Fixes
- Fixed groups in the Group Access table and Group Details modal not being clickable
-
Fixed an issue with API-initiated access requests having a broken support ticket when no
support_ticketparameter is passed. - Fixed search functionality on the sent tab of requests
Added
- Admins can now download requests from the admin tab
Improvements
- Improved owner escalation policy validation to prevent setting values below 5 minutes or above 1440 minutes
Bug Fixes
- Fixed UAR cells getting cut off to prevent content truncation in the user interface
- Fixed inventory tag and inventory owner links to navigate to the correct tab on the details page when clicked
- Fixed requests incorrectly indicating requested assets as never used
New Functionality
- Added custom date option to bulk expirations menu
- Added connector group and connector resource app identifiers to sublabels and hovercards
- Added ability to filter inventory/owners by specific users
Feature Enhancements
-
Reworked access rules failsafe threshold for better accuracy
- The threshold is now evaluated against additions and removals separately (as opposed to cumulative changes)
- The threshold no longer has a 20 user minimum, this will make the failsafe useful for smaller single-team rules.
- Updated notification styling
Bug Fixes
- Fixed GitHub connection creation sync failure
Self-hosted only
- Added support for SMTP connections on port 25, with or without STARTTLS