Access Reviews

Opal can be used to automate User Access Reviews. The platform lets compliance teams:

  1. Snapshot user access at the time the review is started
  2. Intelligently assign reviews to resource owners, who complete them in a self-service way
  3. Scope reviews by apps and resources
  4. Generate a report to summarize all actions for audit purposes

Starting a User Access Review

Assuming the Opal Auditor role

To start a user access review, you must have the Opal Auditor role.

In the Catalog tab, select the App Opal. Here you'll find the Opal Auditor role.

Note: If you're an Opal Admin, you can add yourself directly to the resource by navigating to the User Access tab and clicking + Add Users.

If you are not, you can request access to the role.

Configurations for User Access Reviews

Start an access review from the + Access Review button in the Ongoing tab.

General info

  1. Name of Access Review: Customize the name of the review

  2. Access review deadline: Set the deadline that reviewers have to complete the review by

  3. Time zone: Set the time zone that will be used across reviews

Scope & Visibility

You can set the visibility to reviewers to be Strict, Moderate, or Full visibility depending on the sensitivity of the resources and groups being reviewed.

To filter which entities are in scope for the review, consider:

  1. Filter by user: Include only resources and groups that certain users have access to in the review. The user filter is applied first, before any other filters are applied to entities.

  2. Filter by specific entities: Select specific resources, groups, and apps to include in the review

  3. Filter by apps: Specify resources and groups to include from certain apps

  4. Filter by admin: Include resources and groups owned by the specified admins

  5. Filter by resource and group type: Include resources and groups of certain types

  6. Filter by tags: Include resources and groups with certain tags

  7. Filter by name: Include resources and groups that match a provided substring

If you leverage linked groups and would like to include users from source groups in the access review, consider toggling on Include linked group source groups.

Notifications

  1. New review notifications: Notify users on Slack and Email if they are selected as a reviewer

  2. Reminder notifications: Preset campaign reminders for reviewers with incomplete reviews

Reviewer assignment rules

  1. Reviewer auto-assignment: By default, this is set to Manually assign reviewers. You can Select Policy to choose your auto-assignment configuration.

  2. Self-review: Configure whether Opal restricts or allows self-reviews.