OpalQuery — found under Queries in the admin sidebar — is an interactive tool for admins to query entities (users, resources, and groups) across your organization. Use it to understand who has access to what, audit access patterns across connections and entity types, and export results.
Use OpalQuery to:
- Find entities with certain attributes (e.g. type, tags)
- Find principals that have access to a scope of entitlements
- Find entitlements that are accessed by a scope of principals
- Save and share queries with other admins
- Export query results for reporting
Requirements
You must be an Opal Admin or Read-only Admin to access OpalQuery.
| Capability | Admin | Read-only Admin |
|---|
| View queries | ✓ | ✓ (public only) |
| Run queries | ✓ | ✓ (public only) |
| Export results | ✓ | ✓ (public only) |
| Create queries | ✓ | |
| Edit queries | ✓ | |
| Make public / private | ✓ | |
Build a query
Queries use two types of filters: entity filters and access filters. You can use entity filters alone, or combine them with access filters to query across relationships.
Entity Filters
Entity Filters narrow down entities by their properties.
| Filter | Description |
|---|
| Entity | A specific entity (user, resource, or group) |
| Entity Type | Users, Resource Types (e.g., AWS IAM Role), or Group Types (e.g., Google Group) |
| Entity Name | Match by name: EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH |
| App | Entities imported from a specific App (e.g., AWS Identity Center) |
| Tag | Key-value tags applied to entities |
| Access Level Remote ID | Filter by access level remote ID |
Access Filters
Access Filters traverse access edges between entities. Each relationship contains its own set of filters to define the related entity.
| Relationship | Question it answers |
|---|
| Has access to | What does this entity have access to? |
| Accessed by | Who has access to this entity? |
Building queries
You can build queries two ways:
Visual builder — add filters and relationships manually using the query builder.
Natural language — describe what you want in plain English and OpalQuery will translate it into filters. Natural language input supports the same filters and relationships available in the visual builder.
Examples:
- “Users with access to AWS IAM roles”
- “Who can access the Finance group?”
- “Show me users that have access to X Github repo with write access and deploy group” (Toxic Combination)
Natural language queries are powered by AI and can be enabled/disabled in Configuration > Organization Settings > AI Features.
Run a query
Click Run or press Cmd+Enter (macOS) / Ctrl+Enter (Windows/Linux) to execute the query.
Results include entities with both direct and indirect access and will appear in a table with clickable entity names. Scroll down to load more results.
Save and manage queries
Saving a query
Click Save to save your query filters. The query title and description are saved automatically on edit — or let the AI generate a title/description.
AI-generated Titles and Descriptions can be enabled/disabled in Configuration > Organization Settings > AI Features.
Private vs. Public Queries
Queries are private by default, meaning only you can see them. To change
visibility, open the query and select Make Public or Make Private from
the more options menu.
- Private — visible only to you
- Public — visible and runnable by all admins in your organization
Export results
Export downloads the query results as a ZIP file containing results CSV and metadata JSON. Start an export job from the more button or result table header.
Export jobs have a 60-second timeout. Queries returning a large number of
results may not complete within this limit. If an export times out, try
narrowing your query filters before exporting.
Duplicate a query
Use Save as New Query to create a variation of an existing query without modifying the original.
Limitations
Query Studio currently supports node-based searches only — queries return entities (users, resources, groups) that match your filters at the present moment. The following are not yet supported:
- Distinguishing indirect vs. direct access
- Time-based filters (e.g., “users who logged in within the last 30 days”)
- Negative filters (e.g., “users who do NOT have access to X”)
- Filtering by user attributes such as department or manager
Natural language queries are constrained by the same limitations. 
