Requests and Approvals
All resources and groups in Opal can be requestable with configurable approval options and reviewers.
Owners
Owners are lists of users who can be:
- Reviewers: Users who can review and approve access requests
- Admins: Users who can manage the full configuration of policies for resources and groups
In Owners, there are important settings for reviewers:
- Reviewer Escalation Policy:
- Notify everyone: As the default option, Opal will notify all required reviewers at once. Opal will require just one approval from all required reviewers to complete the request.
- Reviewer escalation policy: Once configured, Opal will create an explicit escalation order. In this example, Opal will notify the first reviewer. After the escalation time has passed, Opal will notify the next reviewer, and so on.
-
Linked reviewer Slack channel: Opal will create a channel that receives a message for every access request.
-
Source group: Opal will keep the user list for this owner synchronized with a group of your choice. You can still edit the escalation path in the Users tab, but it won't be possible to add or remove users from this owner directly.
Approval diagram
At any time, you can click on See who will be notified to understand the approval workflow
Approval Workflows
For resources and groups, the Request Configuration section will give admins an overview of the approval logic.
Once the edit button has been selected, admins can:
- Set approval logic to Auto-Approve
- Configure an Approval Workflow
-
There can be between 1 and 3 stages of approvals.
-
Within each stage, admins can either select Manager or Owner
-
If multiple approvers are selected, Opal will show the All or Any toggle
- All: All reviewers must approve the access request to proceed to the next stage. This is "AND" logic.
- Any: Any reviewers can approve before the access request proceeds to the next stage. This is "OR" logic.
- Set up custom notes upon approval (optional)
- Check the "Include custom notification text with approvals" section in the request configuration or template, then specify a custom message that will be sent to users when they are approved for that specific resource or group.
- This allows teams to send customized instructions for accessing and configuring the resource or group.
Updated about 1 month ago