Opal’s admin auditing MCP provides a set of tools that enables admins to use AI agents to view Opal events and syncs to investigate access and audit changes. Use cases include:Documentation Index
Fetch the complete documentation index at: https://docs.opal.dev/llms.txt
Use this file to discover all available pages before exploring further.
- Investigate historical access patterns and anomalous access
- Audit changes in organizational structure or role assignments
- Review sync errors and propagation status
- Monitor access requests and approvals
- Track user access reviews and compliance activities
Installation
First, create an API Token in your Opal environment. Then, select a method and follow the instructions below.If you run self-hosted, remember to replace https://app.opal.dev to your own
domain.
- Claude Code
- Cursor
- Gemini CLI
- Other
To install, run the following command in your shell:Then authenticate with Opal.To learn more, see Claude Code documentation.
Available Tools
| Tool | Description |
|---|---|
opal_get_resource | Retrieves a resource. |
opal_get_resources | Returns a list of resources for your organization. |
opal_get_sync_errors | Returns a list of recent sync errors that have occurred since the last successful sync. |
opal_get_resource_visibility | Gets the visibility of this resource. |
opal_get_uar | Retrieves a specific UAR. |
opal_get_ua_rs | Returns a list of UAR objects. |
opal_get_on_call_schedules | Returns a list of OnCallSchedule objects. |
opal_get_message_channels | Returns a list of MessageChannel objects. |
opal_get_tags | Returns a list of tags created by your organization. |
opal_sessions | Returns a list of Session objects. |
opal_get_user_tags | Returns all tags applied to the user. |
opal_get_users | Returns a list of users for your organization. |
opal_get_resource_scoped_role_permissions | Returns all the scoped role permissions that apply to the given resource. Only OPAL_SCOPED_ROLE resource type supports this field. |
opal_get_resource_tags | Returns all tags applied to the resource. |
opal_get_resource_nhis | Gets the list of non-human identities with access to this resource. |
opal_get_resource_users | Gets the list of users for this resource. |
opal_get_nhis | Returns a list of non-human identities for your organization. |
opal_get_resource_reviewer_stages | Gets the list of reviewer stages for a resource. |
opal_get_resource_reviewers | Gets the list of owner IDs of the reviewers for a resource. |
opal_get_resource_message_channels | Gets the list of audit message channels attached to a resource. |
opal_get_requests | Returns a list of requests for your organization that is visible by the admin. |
opal_get_request | Returns a request by ID. |
opal_get_owner_users | Gets the list of users for this owner, in escalation priority order if applicable. |
opal_get_owners | Returns a list of Owner objects. |
opal_get_idp_group_mappings | Returns the configured set of available IdpGroupMapping objects for an Okta app. |
opal_get_group_users | Gets the list of users for this group. |
opal_get_group_visibility | Gets the visibility of this group. |
opal_events | Returns a list of Event objects. |
opal_get_groups | Returns a list of groups for your organization. |
opal_get_group_containing_groups | Gets the list of groups that the group gives access to. |
opal_get_group_on_call_schedules | Gets the list of on call schedules attached to a group. |
opal_get_group_resources | Gets the list of resources that the group gives access to. |
opal_get_group_message_channels | Gets the list of audit and reviewer message channels attached to a group. |
opal_get_bundle_groups | Returns a list of Group objects in a given bundle. |
opal_get_bundle_visibility | Gets the visibility of the bundle. |
opal_get_bundle_resources | Returns a list of Resource objects in a given bundle. |
opal_get_apps | Returns a list of App objects. |
opal_get_configuration_templates | Returns a list of ConfigurationTemplate objects. |
opal_get_bundles | Returns a list of Bundle objects. |