Access Rules
Use Access Rules to enforce access policies at scale.
Access Rules are a set of conditions—built from attributes from your HRIS/IDP source—you can use to dynamically grant access to groups and resources, enabling Attribute-Based Access Control (ABAC). With Access Rules, you can easily enforce policies at scale and adapt your access requirements to changing business logic, without additional overhead.
Use Access Rules to:
- Provision access based on workplace events (e.g. Joiner, Mover, Leaver)—Opal automatically syncs users and updates access downstream when users onboard, transfer, or leave your IDP or HRIS
- Automate and codify your desired state of identity and access at scale
Requirements
You may need to contact Opal Support to enable Access Rules.
To create and delete Access Rules, you must:
- Be an Opal Admin
Before you set up Access Rules, you also must:
- Connect Opal to your IDP/HRIS system
- Import attributes from your IDP/HRIS system as User Tags (custom attributes)
To confirm your attributes are correctly imported, go to Inventory > Tags and search for your tag.
Alternatively, go to Inventory > Users, select a user you expect to be tagged, and go to the Details tab. There, you'll see the attributes with a logo in the column on the right indicating the source.
Create Access Rules
Access Rules do not affect access to groups or resources until you've explicitly granted access, so it is safe to create and modify Access Rules while you determine your ideal conditions.
To create an Access Rule, go to Configuration > Access Rules and select + Access Rule.
Give your Access Rule a name that reflects the users you're targeting, add a Description, and choose an Admin.
Set conditions
Access Rules consist of conditions, which you use to filter a list of users based on tags imported from your IDP. Conditions are expressed in conjunctive normal form, that is, an AND of OR-clauses: a user is in scope only when every clause is satisfied, and a clause is satisfied when any one of its tag values matches.
For example, to filter to full-time employees living in the U.S., you could use the condition Country:United States AND employeeTimeType:permanent. You can continue to modify conditions until you've granted access to groups and resources.
After you select Create Rule, you can view the filtered users and grant access to groups and resources. To modify conditions after you've added groups and resources, you must delete and re-create the Access Rule.
The users in an Access Rule are automatically synced when your IDP is updated, so you don't need to do any extra work to keep access up-to-date with your IDP and internal business logic.
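The following is an added illustration, not Opal's own code: a small model of how an AND-of-ORs condition filters users by their imported tags, and how a sync that changes tags (joiner, mover, leaver) changes the rule's membership. The tag names, user records and the extra department clause are constructed for the example.

```python
# A condition in conjunctive normal form: an AND of OR-clauses, each clause
# a list of (tag, value) pairs taken from the IDP/HRIS import. A user matches
# when every clause has at least one pair present on the user's tags.
Clause = list[tuple[str, str]]

def user_matches(tags: dict[str, str], rule: list[Clause]) -> bool:
    """True when the user's tags satisfy every OR-clause of the rule."""
    return all(any(tags.get(tag) == value for tag, value in clause)
               for clause in rule)

def filtered_users(users: dict[str, dict[str, str]], rule: list[Clause]) -> set[str]:
    """User ids in scope of the rule, as the Access Rule page would list them."""
    return {uid for uid, tags in users.items() if user_matches(tags, rule)}

def sync_delta(before: dict, after: dict, rule: list[Clause]) -> dict[str, list[str]]:
    """Effect of an IDP sync on rule membership: who gains and who loses access."""
    old, new = filtered_users(before, rule), filtered_users(after, rule)
    return {"granted": sorted(new - old), "revoked": sorted(old - new)}

# Constructed rule: the page's example condition plus a second OR-clause
# (department is Engineering OR Security) to show the AND-of-ORs shape.
US_FULLTIME_ENG: list[Clause] = [
    [("Country", "United States")],
    [("employeeTimeType", "permanent")],
    [("department", "Engineering"), ("department", "Security")],
]

# Constructed directory snapshots as imported from the IDP (tags only).
BEFORE = {
    "alice": {"Country": "United States", "employeeTimeType": "permanent", "department": "Engineering"},
    "bob":   {"Country": "United States", "employeeTimeType": "contractor", "department": "Security"},
    "carol": {"Country": "United States", "employeeTimeType": "permanent", "department": "Security"},
}
# After the next sync: bob converts to permanent (joiner for this rule), alice
# transfers to Sales (mover, drops out), carol is gone from the IDP (leaver).
AFTER = {
    "alice": {"Country": "United States", "employeeTimeType": "permanent", "department": "Sales"},
    "bob":   {"Country": "United States", "employeeTimeType": "permanent", "department": "Security"},
}

if __name__ == "__main__":
    print(filtered_users(BEFORE, US_FULLTIME_ENG))      # {'alice', 'carol'}
    print(sync_delta(BEFORE, AFTER, US_FULLTIME_ENG))   # granted ['bob'], revoked ['alice', 'carol']
```

Because membership moves on every sync, reviewing a delta like this before attaching groups and resources to a rule shows exactly which access will be granted and revoked automatically.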
Grant access to groups and resources
Use direct access with sensitive resources/groups
To avoid over-provisioning access to privileged entities, do not use Access Rules to grant access to any sensitive groups and resources. Leverage direct access requests for these groups and resources instead.
In the Resources tab on your Access Rule, you can grant access to groups and resources as you would for an individual group or user. You can also set the access duration to be indefinite or timebound.
After you add groups and resources, the Inventory page for the group or resource displays the users granted access through the Access Rule. The Access Path column shows all sources of access for users.
Clicking on the Access Path shows a detailed breakdown of the paths. This lets you easily determine how a user can access a group or resource, and predict what will happen when access is revoked or expired from different paths.
Remove Access Rules
To remove an Access Rule, go to the detail page for the Access Rule, select ..., then Remove from Opal.
If the Access Rule still grants access to groups and resources, access paths are removed and converted to Direct access when the rule is removed. To remove access granted by Opal when you remove a rule, first delete all resources and groups from the rule, then remove the rule.