Resources

A Resource is what you request access to. For example, you might request access to an RDS database, a customer impersonation tool, or a popular SaaS application.

Opal lists all the resources at your organization, so it is easy to both discover and request access to any of them.

Roles

Roles are permissions that you can request within a resource. Different Roles give you the ability to take different actions. For example, you might request a read-only role on an RDS database or an admin role on a SaaS application.

Apps

Apps are the systems that Opal uses to import resources. For example, an individual AWS account is an application. From that application, you can import EKS clusters, SSH instances, RDS databases, or IAM roles as resources. Similarly, an Okta account is an application. From that application, you can import Okta applications and Okta groups.

Owners

Owners are used to determine the Admin or Required Reviewers for Resources and Groups. Opal uses Owners to decentralize access management.

  • Admins are able to manage approval and security configurations.
  • Required Reviewers are able to approve or reject access requests.

Groups

Groups are resources which grant a collection of other resources to users. Groups can grant member users access to other groups, and both member users and member resources can be configured for just-in-time access. Existing groups from identity providers, such as Google Groups, Okta, or Active Directory, can be imported into Opal.

Groups can be synced to on-call schedules. This enables privileged access to be granted while users are on-call and removed once they are off-call.
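As an added illustration (this is not Opal's own code; the schedule, group and function names are assumptions), here is a minimal model of the on-call sync described above: membership of a privileged group is recomputed from the schedule, so users are added when their shift starts, removed when it ends, and anyone present who is not on-call, including members added out of band, is removed as well.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


def at(day, hour):
    """Helper for building timestamps in the constructed June 2024 schedule."""
    return datetime(2024, 6, day, hour, tzinfo=UTC)


@dataclass(frozen=True)
class OnCallShift:
    """One shift in an on-call schedule; `end` is exclusive."""
    user: str
    start: datetime
    end: datetime


@dataclass
class SyncedGroup:
    """A privileged group whose membership is derived from an on-call schedule."""
    name: str
    members: set = field(default_factory=set)


# Constructed sample schedule (not real data): alice and bob overlap for a one-hour handoff.
SAMPLE_SCHEDULE = [
    OnCallShift("alice", at(1, 0), at(1, 12)),
    OnCallShift("bob", at(1, 11), at(2, 0)),
]


def on_call_users(schedule, now):
    """Users whose shift covers `now`; overlapping shifts yield several users."""
    return {s.user for s in schedule if s.start <= now < s.end}


def reconcile(group, schedule, now):
    """Make group membership equal the on-call set and report what changed.
    Members who are not on-call are removed, even if they were added by hand."""
    desired = on_call_users(schedule, now)
    to_add = desired - group.members
    to_remove = group.members - desired
    group.members = set(desired)
    return to_add, to_remove


if __name__ == "__main__":
    group = SyncedGroup("prod-db-admins", {"carol"})  # carol was added outside the schedule
    for hour in (8, 11, 13):
        added, removed = reconcile(group, SAMPLE_SCHEDULE, at(1, hour))
        print(f"{hour:02d}:00 add={sorted(added)} remove={sorted(removed)} members={sorted(group.members)}")
```

Running the reconcile on a timer (or on every schedule change) is what keeps the group from drifting away from the schedule; the returned add/remove sets are what you would log for audit.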

Tags

Tags are key-value pairs that can be associated with Users, Groups, and Resources. Tags can be imported from end systems or created natively within Opal, and they are particularly useful for attaching metadata to objects. In the example below, the imported Tag security:green applies to the Resource opal-dev-sandbox from AWS. Similarly, a Tag department:engineer that applies to the User Jane Doe can be imported from an IdP or HR system like Okta or Workday to reflect a User's attribute.