Assign and complete reviews

Learn how to assign and complete User Access reviews in Opal.

This guide assumes you have already created a User Access Review.

Assign reviewers

⚠️ Why Can't I Assign Reviewers?

If you don't see an option to assign reviewers, ensure you're an Opal Auditor or an owning team admin.

If you are an Auditor or owning team admin, you can assign reviewers.

In the User Review tab, you can manage and assign reviewers for user access points. Assign reviewers to a single user row by clicking Assign Reviewers for that row, or bulk assign by selecting multiple rows and clicking Assign Reviewers in the top right.

In the Group Review tab, you can manage and assign reviewers for group access points. Assign reviewers to a single user row by clicking Assign Reviewers for that row, or bulk assign by selecting multiple rows and clicking Assign Reviewers in the top right.

After you assign a reviewer, Opal shows one of several reviewer statuses.

The following are possible status types:

  • Not Started: No reviewer(s) have taken action

  • Completed: All reviewer(s) have completed the review

  • Partially Completed: If there is only one reviewer, then the reviewer has started but has not completed the review. If there are multiple reviewers, then not all reviewers have completed the review.

  • Needs Attention: An error needs to be addressed. Click on the Needs Attention status to see error details. For example, the warning can indicate that self reviews are not allowed.

Here are the errors you may encounter and how to resolve them:

  • Self reviews are not allowed: The reviewer is reviewing their own access, which has been marked as not allowed in the access review's settings, so an admin must add another reviewer for approval.

Complete reviews

After an admin assigns a reviewer, a snapshot for the resource and/or group is created for review. This means if an admin changes a resource or group after a review begins, the review won't capture this change.

My Reviews shows reviews assigned to the logged-in user. After reviewers select a row to review, they are shown an overview of users and groups whose access to a resource must be reviewed.

📘 To review access for a resource or group, ensure you select the row, not the resource or group name.

The Group by User and Group by Resource buttons control how reviews are grouped, which can be useful to change based on your requirements. These options are available on Opal Cloud and self-hosted Opal versions 1.0.912 and later.

For each row, reviewers can:

  • Approve the user or resource by clicking on the Accept checkmark button

  • Reject the user or resource by clicking on the Revoke x button

  • Select Add note to explain access decisions

Reviewers can also perform bulk actions on multiple rows by selecting rows and choosing an option from the top bulk action bar.

After you finish selecting review actions, finalize and submit the review actions by clicking Submit access review in the bottom right. Submitting these changes writes the changes to each end system.

Access Changes

To view and manage proposed changes, go to the Access Changes tab.

For connected applications, Opal automatically revokes access on the end system based on the reviewer's decision, so after submitting a revoke decision, you do not need to perform any more actions.

For custom connections, Opal cannot connect to the end system and won't revoke access automatically. In this case, customers use Opal as a system of record and trigger project management workflows with ticketing systems.

In order for a custom connection's revocation to be complete in an access review, you must either mark the user as revoked manually in this Access Changes view or link a ticket that, when closed, will mark the user as revoked.