Access Rules

Access Rules are a set of conditions—built from attributes from your HRIS/IDP source—you can use to dynamically grant access to groups and resources, enabling Attribute-Based Access Control (ABAC). With Access Rules, you can easily enforce policies at scale and adapt your access requirements to changing business logic, without additional overhead. Use Access Rules to:

• Provision access based on workplace events (e.g. Joiner, Mover, Leaver)—Opal automatically syncs users and updates access downstream when users onboard, transfer, or leave your IDP or HRIS
• Automate and codify your desired state of identity and access at scale

​

Requirements

To create and delete Access Rules, you must:

• Be an Opal Admin

Before you set up Access Rules, you also must:

• Connect Opal to your IDP/HRIS system
• Import attributes from your IDP/HRIS system as User Tags (custom attributes)

To confirm your attributes are correctly imported, go to Inventory > Tags and search for your tag. Alternatively, go to Inventory > Users, select a user you expect to be tagged, and go to the Details tab. There, you’ll see the attributes with a logo in the column on the right indicating the source.

​

Create Access Rules

To create an Access Rule, go to Inventory > Access Rules and select + Access Rule. Give your Access Rule a name based on the users you’re targeting, a Description, and choose an Admin.

​

Set conditions

Access Rules consist of conditions, which you use to filter a list of users based on tags imported from your IDP. Conditions use the conjunctive normal form, expressed as an AND of ORs. You can exclude users with the Except… clause. The following example filters users to full-time engineers living in the United States. The condition includes users tagged with Country:United States AND (position:Senior Network Engineer OR position:Integration Engineer), and the Except… clause excludes any users tagged with employeeTimeType:PartTime. You can continue to modify conditions until you’ve granted access to groups and resources. After you select Create Rule, you can view the filtered users and grant access to groups and resources. To modify conditions after you’ve added groups and resources, you must delete and re-create the Access Rule. The users in an Access Rule are automatically synced when your IDP is updated, so you don’t need to do any extra work to keep access up-to-date with your IDP and internal business logic.

​

Grant access to groups and resources

In the Resources tab on your Access Rule, you can grant access to groups and resources as you would for an individual group or user. You can also set the access duration to be indefinite or timebound. After you add groups and resources, the Inventory page for the group or resource displays the users granted access through the Access Rule. The Access Path column shows all sources of access for users. Clicking on the Access Path shows a detailed breakdown of the paths. This lets you easily determine how a user can access a group or resource, and predict what will happen when access is revoked or expired from different paths.

​

Grant access with Terraform

Use opal_group_resource_list and opal_group_containing_group to assign resources and groups to access rules. Set the access rule ID as the group_id.

​

Pause Access Rules

After you create an Access Rule, you can pause it to prevent new users from being added to the rule. Existing users, even if they no longer match the conditions, still have access to any resources or groups granted from the rule. Pause and activate Access Rules by toggling the Status column, either on the Access Rules page or from the detail page.

​

Enable failsafe functionality

Admins can configure Opal to automatically pause Access Rules which would result in large membership changes. To enable this, go to Configuration > Settings > Advanced and toggle Enable access rules failsafe. The failsafe is automatically triggered when either pending additions or removals exceed 30% of the current membership, the sync will be paused before any changes are applied. The status on the upper right is updated to reflect the failsafe when it’s triggered, as in the following example. If you don’t have any resources or groups assigned to the rule, you can edit the rule’s conditions to produce a smaller set of user changes.

​

Test conditions for given users

To test whether a given user will be included in an access rule and granted access to its resources and groups, enter a user from the Conditions tab on an existing rule. This can be especially useful for debugging.

​

Remove Access Rules

To remove an Access Rule, go to the detail page for the Access Rule, select …, then Remove from Opal. Deleting an Access Rule does not automatically revoke access from remote systems, even if access was granted from the rule. To remove access granted by Opal, first delete all resources and groups from the rule, then remove the rule.

​

Review resources associated with Access Rules

To review what resources an Access Rule grants its matching users access to, you can create a User Access Review, scope it to the desired Access Rules by selecting Add entity > then searching for the Access Rule under the Groups dropdown. You can also review resources across multiple Access Rules by selecting Add entity type > then searching for the Access Rule under the Group types dropdown.

​

Configure access requests based on Access Rule membership

You can also use Access Rules to dynamically enforce which users can request access to resources based on attributes. On the resource, navigate to Edit > Request Configuration > Add a New Configuration > and under Requesting Groups, select the Access Rule.

​

Configure visibility based on Access Rule membership

You can also use Access Rules to dynamically enforce which users can view resources based on attributes. On the resource, navigate to Edit > Restrict to groups > Add groups with visibility: > then select the Access Rule.

---