Opal architecture
Learn about components in Opal's identity management platform.
Use this guide for an overview of Opal's architecture and system components.
End user experience
End users request access to your resources using Opal's web UI, Slack, Google Chat, or the Opal CLI. AI agents can request access using Opal's MCP server.
Orchestration layer
In the Orchestration layer, admins can:
- Configure approval workflows to customize how resources are requested and approved
- Use the Risk Center to view insights on anomalous access and proactively remediate vulnerabilities
- Create user access reviews to streamline compliance
- Use Access Rules to assign access to resources based on user attributes (ABAC), enabling Joiner-Mover-Leaver (JML) workflows
Data fabric layer
The Data fabric is composed of an access graph, where Opal tracks and exposes all direct and indirect access paths. Opal's integration catalog lets you easily connect to your HR, identity, cloud, data, SaaS, and custom systems. Custom connections provide the flexibility to combine and connect additional systems.
Remote systems connect to the data fabric layer through a robust Bidirectional sync, which propagates all access changes to and from your end systems. Okta, AWS, and Azure also support real-time syncs, so access stays up-to-date.
See individual integrations guides—e.g., AWS and GCP—for details on capabilities.
Additional data sources
Additionally enrich your user data by syncing attributes from User directories and systems of record, such as Okta.
On-call schedules
Sync Opal groups with On-call schedules pulled from services such as PagerDuty and Opsgenie.
Orchestration tools
To scale and configure your Opal deployment, you can:
- Set up Terraform to programmatically manage your Opal configuration and orchestrate your configuration
- Use Opal's REST API to connect to Opal objects
- Connect to Opal's MCP server to allow your AI agents to interact with Opal
SIEM and logging tools
Opal's integrations with SIEM providers and logging tools allow you to stream Opal events directly to your logging providers, such as DataDog and SumoLogic. Set up events streaming to get started.
ITSM tools
Opal can connect to your ticketing providers–Jira, Linear, or ServiceNow—to propagate access using tickets, create audit tickets, and link requests to existing tickets in Opal.
Deploy Opal
Deploy Opal with your preferred method:
- Use Opal Cloud to quickly connect to Opal's cloud instance
- Set up self-hosted Opal on AWS EKS or GKE using Helm or KOTS to configure deployments
- Configure airgapped deployments for self-hosted Opal
Updated about 10 hours ago