Documentation

Least Privilege Posture Management

Suggest Edits

Least privilege posture management can be found on the Opal Homepage for users with Opal Admin roles.

Visualizing Overall Posture

Risk-Based Dashboard

Once an IDP or first-party application is integrated with Opal, the dot graph visualization populates with the latest access posture of the environment. Risk is visualized as a spectrum in Opal, with the most at risk resources appearing on the far left of the graph, and the least risky resources appearing on the right. Each dot represents a number of resources with that score.

At the top of the visualization, Opal lists the overall status of your posture, along with an explanation of how scores are calculated.

Calculating Risk

Once groups and resources are imported into Opal, Opal systems analyze the access logs, user and resource attributes, the length that access has been granted, whether that access was granted through the proper approval channels, and the sensitivity of the resource.

View this explanation in-product by clicking the prompt at the top of the visualization


Filtering By Score

Hover over a section of the graph to see the resources scored in that risk range. Clicking on a portion of the graph will populated suggestions for how to improve the risk score of those resources.


Risk Detection & Remediation

Remediation Suggestions

Scroll below the risk visualization to find a list of suggestions to improve your security posture. Opal automatically prioritizes the suggestions based on how much they will improve your overall risk score.

Dismiss a suggestion row to mark the identified threats as safe. This prevents the suggestion appearing for another 6 months and will count the detected issues as safe so as not to negatively impact your risk score.


Filtering

The list of suggestions can be filtered by application and risk score. In addition, select any section of the visualization to filter by the associated score range.


Group Cleanup

Both groups and resources can be vulnerable to overprovisioning, and both can be fixed in bulk through remediation in Opal. Groups with both users that do not users that do not access resources via the group and resources that are not access by anyone in the group will count as overprovisioned for remediation purposes.


Tag as Critical

Resources within Opal have a sensitivity judgement calibrated by Opal by default, but resource sensitivity can be manually overriden. If certain resources are highly sensitive or not sensitive, go to the resource edit view to change the sensitivity setting. Increasing the setting will generally increase the risk score of vulnerabilities associated with that resource.



Remediation Workflow

Select Remediate on any suggestion row to begin 1 click bulk-remediation.


Opal Recommendations

Opal will typically recommend converting overprovisioned users to JIT as it is a less jarring experience for end users who might be accustomed to having longstanding access. If you prefer access to be revoked, the JIT recommendation can be overriden by toggling the selection below. The Opal recommendation takes into consideration all factors from the "Calculating Risk" section above.


Remediating In Bulk

Click apply to immediately convert all overprovisioned users to JIT access. You can review the changelog below. Rows highlighted in yellow (in this case all users) will be marked for access calibration, with the "Expires" column detailing the change.

Editing the Recommendation

If changes need to be made to Opal's recommendation then it is possible to alter:

  1. Which users' access should be remediated (see check boxes on the left)
  2. JIT period duration (see expires column below)
  3. Whether the access should be converted to JIT or revoked (see revoked red rows below)

Updated 2 months ago