Admin Provisioning MCP Server

Opal’s admin provisioning MCP provides a set of tools that enables admins to use AI agents to manage user access in Opal. They can view user permissions and add or remove access to resources and groups. Use cases include:

Generate an overview of a user’s access across resources and groups
Add or remove users from resources and groups
Update user access levels and durations
Manage group memberships

Installation

First, create an API Token in your Opal environment. Then, select a method and follow the instructions below.

If you run self-hosted, remember to replace https://app.opal.dev to your own domain.

Claude Code
Cursor
Gemini CLI
Other

To install, run the following command in your shell:

claude mcp add --transport http opal-admin-user-provisioning https://app.opal.dev/mcp/admin-user-provisioning --header "Authorization: Bearer ${OPAL_API_TOKEN}" 

Then authenticate with Opal.

claude /mcp

To learn more, see Claude Code documentation.

To install, add the following to your ~/.cursor/mcp.json file:

{
  "mcpServers": {
    "opal-end-user": {
      "transport": "http",
      "url": "https://app.opal.dev/mcp/admin-user-provisioning",
      "headers": {
        "Authorization": "Bearer ${env:OPAL_API_TOKEN}"
      }
    }
  }
}

Define your OPAL_API_TOKEN, and make sure you open Cursor from the same shell.

export OPAL_API_TOKEN="secret"

open -a Cursor

To learn more, see Cursor documentation.

To install, add the following to your ~/.gemini/settings.json

{
  "mcpServers": {
    "opal-end-user": {
      "httpUrl": "https://app.opal.dev/mcp/admin-user-provisioning",
      "headers": {
        "Authorization": "Bearer ${OPAL_API_TOKEN}"
      }
    }
  }
}

To learn more, see Gemini documentation.

MCP is an open protocol supported by many other clients, and your specific client documentation can advise you how to connect. Key inputs:

Transport http
Endpoint https://app.opal.dev/mcp/admin-user-provisioning
Add the header Authorization: Bearer ${OPAL_API_TOKEN}.

Available Tools

Tool	Description
`opal_user`	Retrieves detailed user information from Opal. This endpoint is designed to fetch user details by either user ID (UUID) or email address. The endpoint follows a strict precedence rule where `user_id` takes priority.
`opal_get_user_tags`	Returns all tags applied to the user.
`opal_get_users`	Returns a list of users for your organization.
`opal_update_resource_user`	Updates a user’s access level or duration on this resource.
`opal_delete_resource_user`	Removes a user’s direct access from this resource.
`opal_set_owner_users`	Sets the list of users for this owner. If escalation is enabled, the order of this list is the escalation priority order of the users. If the owner has a source group, adding or removing users from this list won’t be possible.
`opal_get_owner_users`	Gets the list of users for this owner, in escalation priority order if applicable.
`opal_add_group_user`	Adds a user to this group.
`opal_update_group_user`	Updates a user’s access level or duration in this group.
`opal_delete_group_user`	Removes a user’s access from this group.
`opal_get_group_users`	Gets the list of users for this group.

Welcome

Getting Started

Access Management

OpalScript

Paladin

OpalQuery

Auditing and Security

Custom Integrations

For Developers

Installation

Available Tools

Welcome

Getting Started

Access Management

OpalScript

Paladin

OpalQuery

Auditing and Security

Custom Integrations

For Developers

Documentation Index

​Installation

​Available Tools

Installation

Available Tools