# Admin Provisioning MCP Server

> Let admins manage access with Opal using our Admin Provisioning MCP server.

Opal's Admin Provisioning MCP server provides a set of tools that let admins use AI agents to manage user access in Opal. Admins can view user permissions and add or remove access to resources and groups. Use cases include:

* Generate an overview of a user's access across resources and groups
* Add or remove users from resources and groups
* Update user access levels and durations
* Manage group memberships

## Installation

First, create an API Token in your Opal environment. Then, select a method and follow the instructions below.

<Info>
  If you run Opal self-hosted, remember to replace [https://app.opal.dev](https://app.opal.dev) with your own
  domain.
</Info>

<Tabs>
  <Tab title="Claude Code">
    To install, run the following command in your shell:

    ```
    claude mcp add --transport http opal-admin-user-provisioning https://app.opal.dev/mcp/admin-user-provisioning --header "Authorization: Bearer ${OPAL_API_TOKEN}" 
    ```

    Then authenticate with Opal.

    ```
    claude /mcp
    ```

    To learn more, see Claude Code [documentation](https://code.claude.com/docs/en/mcp).
  </Tab>

  <Tab title="Cursor">
    To install, add the following to your `~/.cursor/mcp.json` file:

    ```
    {
      "mcpServers": {
        "opal-admin-user-provisioning": {
          "transport": "http",
          "url": "https://app.opal.dev/mcp/admin-user-provisioning",
          "headers": {
            "Authorization": "Bearer ${env:OPAL_API_TOKEN}"
          }
        }
      }
    }
    ```

    Define your `OPAL_API_TOKEN`, and make sure you open Cursor from the same shell.

    ```
    export OPAL_API_TOKEN="secret"
    ```

    ```
    open -a Cursor
    ```

    To learn more, see Cursor [documentation](https://cursor.com/docs/mcp).
  </Tab>

  <Tab title="Gemini CLI">
    To install, add the following to your `~/.gemini/settings.json` file:

    ```
    {
      "mcpServers": {
        "opal-admin-user-provisioning": {
          "httpUrl": "https://app.opal.dev/mcp/admin-user-provisioning",
          "headers": {
            "Authorization": "Bearer ${OPAL_API_TOKEN}"
          }
        }
      }
    }
    ```

    To learn more, see Gemini [documentation](https://geminicli.com/docs/tools/mcp-server/).
  </Tab>

  <Tab title="Other">
    MCP is an open protocol supported by many other clients; your client's documentation explains how to connect. Key inputs:

    * Transport `http`
    * Endpoint `https://app.opal.dev/mcp/admin-user-provisioning`
    * Header `Authorization: Bearer ${OPAL_API_TOKEN}`
  </Tab>
</Tabs>
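
An added example, not part of Opal's documentation: a Python check that a client config such as `~/.cursor/mcp.json` or `~/.gemini/settings.json` supplies the admin token through an environment reference rather than a literal value, uses HTTPS, and is not readable by other users. The function name, the sample configs and the `opal.example.internal` host are constructed for illustration, and the check assumes the `${VAR}` / `${env:VAR}` placeholder forms shown in the snippets above.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: the client expands ${VAR} or ${env:VAR} placeholders, as in the snippets above.
ENV_REF = re.compile(r"^Bearer \$\{(?:env:)?[A-Za-z_][A-Za-z0-9_]*\}$")
# Matched by path so self-hosted domains are covered too.
OPAL_PATH = "/mcp/admin-user-provisioning"


def audit_mcp_config(text, file_mode=0o600):
    """Return a list of findings for Opal admin MCP entries in a client config."""
    findings = []
    if file_mode & 0o077:
        findings.append("config file is readable by group or other users")
    servers = json.loads(text).get("mcpServers", {})
    for name, entry in servers.items():
        # Cursor uses "url", Gemini CLI uses "httpUrl".
        url = entry.get("url") or entry.get("httpUrl") or ""
        parsed = urlparse(url)
        if not parsed.path.rstrip("/").endswith(OPAL_PATH):
            continue  # not the Opal admin provisioning endpoint
        if parsed.scheme != "https":
            findings.append(f"{name}: endpoint is not HTTPS, token would travel in cleartext")
        auth = entry.get("headers", {}).get("Authorization", "")
        if not auth:
            findings.append(f"{name}: no Authorization header configured")
        elif not ENV_REF.match(auth):
            findings.append(f"{name}: Authorization holds a literal value, not an env reference")
    return findings


# Constructed sample configs (not real tokens or hosts).
GOOD = """{"mcpServers": {"opal-admin": {
  "url": "https://app.opal.dev/mcp/admin-user-provisioning",
  "headers": {"Authorization": "Bearer ${env:OPAL_API_TOKEN}"}}}}"""
BAD = """{"mcpServers": {"opal-admin": {
  "httpUrl": "http://opal.example.internal/mcp/admin-user-provisioning",
  "headers": {"Authorization": "Bearer EXAMPLE-NOT-A-REAL-TOKEN"}}}}"""

if __name__ == "__main__":
    for label, cfg, mode in (("good", GOOD, 0o600), ("bad", BAD, 0o644)):
        print(label, audit_mcp_config(cfg, mode))
```

For a real file, pass its contents and `stat.S_IMODE(os.stat(path).st_mode)` as `file_mode`.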

## Available Tools

| Tool                        | Description                                                                                                                                                                                                                        |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `opal_user`                 | Retrieves detailed user information from Opal. This endpoint is designed to fetch user details by either user ID (UUID) or email address. The endpoint follows a strict precedence rule where `user_id` takes priority.            |
| `opal_get_user_tags`        | Returns all tags applied to the user.                                                                                                                                                                                              |
| `opal_get_users`            | Returns a list of users for your organization.                                                                                                                                                                                     |
| `opal_update_resource_user` | Updates a user's access level or duration on this resource.                                                                                                                                                                        |
| `opal_delete_resource_user` | Removes a user's direct access from this resource.                                                                                                                                                                                 |
| `opal_set_owner_users`      | Sets the list of users for this owner. If escalation is enabled, the order of this list is the escalation priority order of the users. If the owner has a source group, adding or removing users from this list won't be possible. |
| `opal_get_owner_users`      | Gets the list of users for this owner, in escalation priority order if applicable.                                                                                                                                                 |
| `opal_add_group_user`       | Adds a user to this group.                                                                                                                                                                                                         |
| `opal_update_group_user`    | Updates a user's access level or duration in this group.                                                                                                                                                                           |
| `opal_delete_group_user`    | Removes a user's access from this group.                                                                                                                                                                                           |
| `opal_get_group_users`      | Gets the list of users for this group.                                                                                                                                                                                             |
