Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.opal.dev/llms.txt

Use this file to discover all available pages before exploring further.

OpalQuery — found under Queries in the admin sidebar — is an interactive tool for admins to query entities (users, resources, and groups) across your organization. Use it to understand who has access to what, audit access patterns across connections and entity types, and export results. Use OpalQuery to:
  • Find entities with certain attributes (e.g. type, tags)
  • Find principals that have access to a scope of entitlements
  • Find entitlements that are accessible by a scope of principals
  • Save and share queries with other admins
  • Export query results for reporting

Requirements

You must be an Opal Admin or Read-only Admin to access OpalQuery.
CapabilityAdminRead-only Admin
View queries✓ (public only)
Run queries✓ (public only)
Export results✓ (public only)
Create queries
Edit queries
Make public / private

Build a query

Queries use two types of filters: node filters and access filters. You can use node filters alone, or combine them with access filters to query across relationships.

Entity Filters

Entity Filters narrow down entities by their properties.
FilterDescription
EntityA specific entity (user, resource, or group)
Entity TypeUsers, Resource Types (e.g., AWS IAM Role), or Group Types (e.g., Google Group)
Entity NameMatch by name: EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH
AppEntities imported from a specific App (e.g., AWS Identity Center)
TagKey-value tags applied to entities
Access Level Remote IDFilter by access level remote ID

Access Filters

Access Filters traverse access edges between entities. Each relationship contains its own set of filters to define the related entity.
RelationshipQuestion it answers
Has access toWhat does this entity have access to?
Accessible byWho has access to this entity?
Combine multiple filters and relationships using All of / Any of boolean logic to narrow or broaden your results. Each entity filter operator can also be flipped from is to is NOT to exclude matching entities — for example, “users who are NOT in the Engineering group.”

Building queries

You can build queries two ways: Visual builder — add filters and relationships manually using the query builder. Natural language — describe what you want in plain English and OpalQuery will translate it into filters. Natural language input supports the same filters and relationships available in the visual builder. Examples:
  • “Users with access to AWS IAM roles”
  • “Who can access the Finance group?”
  • “Show me users that have access to X Github repo with write access and deploy group” (Toxic Combination)
  • “Users in the Engineering group who do NOT have access to the production database” (Negation)
Natural language queries are powered by AI and can be enabled/disabled in Configuration > Organization Settings > AI Features.

Run a query

Click Run or press Cmd+Enter (macOS) / Ctrl+Enter (Windows/Linux) to execute the query. Results include entities with both direct and indirect access and will appear in a table with clickable entity names. Scroll down to load more results.

Save and manage queries

Saving a query

Click Save to save your query filters. The query title and description are saved automatically on edit — or let the AI generate a title/description.
AI-generated Titles and Descriptions can be enabled/disabled in Configuration > Organization Settings > AI Features.

Private vs. Public Queries

Queries are private by default, meaning only you can see them. To change visibility, open the query and select Make Public or Make Private from the more options menu.
  • Private — visible only to you
  • Public — visible and runnable by all admins in your organization

Export results

Export downloads the query results as a ZIP file containing results CSV and metadata JSON. Start an export job from the more button or result table header.
Export jobs have a 60-second timeout. Queries returning a large number of results may not complete within this limit. If an export times out, try narrowing your query filters before exporting.

Duplicate a query

Use Save as New Query to create a variation of an existing query without modifying the original.

Limitations

OpalQuery currently supports node-based searches only — queries return entities (users, resources, groups) that match your filters at the present moment. The following are not yet supported:
  • Distinguishing indirect vs. direct access
  • Time-based filters (e.g., “users who logged in within the last 30 days”)
Natural language queries are constrained by the same limitations.
Last modified on May 13, 2026