> ## Documentation Index
> Fetch the complete documentation index at: https://docs.opal.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Explore and analyze access across your organization with OpalQuery.

OpalQuery — found under **Queries** in the admin sidebar — is an interactive tool for admins to query entities (users, resources, and groups) across your organization. Use it to understand who has access to what, audit access patterns across connections and entity types, and export results.

Use OpalQuery to:

* Find entities with certain attributes (e.g. type, tags)
* Find principals that have access to a scope of entitlements
* Find entitlements that are accessible by a scope of principals
* Save and share queries with other admins
* Export query results for reporting

<video autoPlay muted loop playsInline className="w-full aspect-video rounded-xl" src="https://mintcdn.com/opalsecurity/lyzDwzIgz_fkPc3N/videos/OpalQuery720.mp4?fit=max&auto=format&n=lyzDwzIgz_fkPc3N&q=85&s=ecfd00ab8991d1a43d0e8738af328aed" data-path="videos/OpalQuery720.mp4" />

## Requirements

You must be an [Opal Admin or Read-only Admin](/docs/roles-in-opal) to access OpalQuery.

| Capability            | Admin | Read-only Admin |
| --------------------- | :---: | :-------------: |
| View queries          |   ✓   | ✓ (public only) |
| Run queries           |   ✓   | ✓ (public only) |
| Export results        |   ✓   | ✓ (public only) |
| Create queries        |   ✓   |                 |
| Edit queries          |   ✓   |                 |
| Make public / private |   ✓   |                 |

## Build a query

Queries use two types of filters: **node filters** and **access filters**. You can use node filters alone, or combine them with access filters to query across relationships.

### Entity Filters

Entity Filters narrow down entities by their properties.

| Filter                     | Description                                                                     |
| -------------------------- | ------------------------------------------------------------------------------- |
| **Entity**                 | A specific entity (user, resource, or group)                                    |
| **Entity Type**            | Users, Resource Types (e.g., AWS IAM Role), or Group Types (e.g., Google Group) |
| **Entity Name**            | Match by name: EQUALS, CONTAINS, STARTS\_WITH, ENDS\_WITH                       |
| **App**                    | Entities imported from a specific App (e.g., AWS Identity Center)               |
| **Tag**                    | Key-value tags applied to entities                                              |
| **Access Level Remote ID** | Filter by access level remote ID                                                |

### Access Filters

Access Filters traverse access edges between entities. Each relationship contains its own set of filters to define the related entity.

| Relationship      | Question it answers                   |
| ----------------- | ------------------------------------- |
| **Has access to** | What does this entity have access to? |
| **Accessible by** | Who has access to this entity?        |

Combine multiple filters and relationships using **All of** / **Any of** boolean logic to narrow or broaden your results. Each entity filter operator can also be flipped from **is** to **is NOT** to exclude matching entities — for example, "users who are NOT in the Engineering group."

### Building queries

You can build queries two ways:

**Visual builder** — add filters and relationships manually using the query builder.

<video autoPlay muted loop playsInline className="w-full aspect-video rounded-xl" src="https://mintcdn.com/opalsecurity/DRAwGKUXMxLRQouh/videos/query-builder-example.mp4?fit=max&auto=format&n=DRAwGKUXMxLRQouh&q=85&s=67ac16026181ace0444e610d7f6194ab" data-path="videos/query-builder-example.mp4" />

**Natural language** — describe what you want in plain English and OpalQuery will translate it into filters. Natural language input supports the same filters and relationships available in the visual builder.

Examples:

* "Users with access to AWS IAM roles"
* "Who can access the Finance group?"
* "Show me users that have access to X Github repo with write access and deploy group" (Toxic Combination)
* "Users in the Engineering group who do NOT have access to the production database" (Negation)

<Info>
  Natural language queries are powered by AI and can be enabled/disabled in *Configuration > Organization Settings > AI Features*.
</Info>

<video autoPlay muted loop playsInline className="w-full aspect-video rounded-xl" src="https://mintcdn.com/opalsecurity/DRAwGKUXMxLRQouh/videos/query-studio-nl-input-example.mp4?fit=max&auto=format&n=DRAwGKUXMxLRQouh&q=85&s=ad4ec0a3f30a7d9edcdc79f6acc7ee3d" data-path="videos/query-studio-nl-input-example.mp4" />

## Run a query

Click **Run** or press `Cmd+Enter` (macOS) / `Ctrl+Enter` (Windows/Linux) to execute the query.

Results include entities with both direct and indirect access and will appear in a table with clickable entity names. Scroll down to load more results.

## Save and manage queries

### Saving a query

Click **Save** to save your query filters. The query title and description are saved automatically on edit — or let the AI generate a title/description.

<Info>
  AI-generated Titles and Descriptions can be enabled/disabled in *Configuration > Organization Settings > AI Features*.
</Info>

### Private vs. Public Queries

Queries are **private by default**, meaning only you can see them. To change
visibility, open the query and select **Make Public** or **Make Private** from
the more options menu.

* **Private** — visible only to you
* **Public** — visible and runnable by all admins in your organization

<img src="https://mintcdn.com/opalsecurity/DRAwGKUXMxLRQouh/images/docs/query-studio-buttons.png?fit=max&auto=format&n=DRAwGKUXMxLRQouh&q=85&s=cabc796fd289fcad8081678bd540abf2" style={{ height: "auto", width: "400px", display: "block", margin: "0 auto" }} width="1002" height="434" data-path="images/docs/query-studio-buttons.png" />

### Export results

**Export** downloads the query results as a ZIP file containing results CSV and metadata JSON. Start an export job from the more button or result table header.

<Warning>
  Export jobs have a 60-second timeout. Queries returning a large number of
  results may not complete within this limit. If an export times out, try
  narrowing your query filters before exporting.
</Warning>

<img src="https://mintcdn.com/opalsecurity/DRAwGKUXMxLRQouh/images/docs/query-studio-export-more.png?fit=max&auto=format&n=DRAwGKUXMxLRQouh&q=85&s=3c91323043ccc9b126435eda9be769b5" style={{ height: "auto", width: "400px", display: "block", margin: "0 auto" }} width="672" height="388" data-path="images/docs/query-studio-export-more.png" />

<img src="https://mintcdn.com/opalsecurity/DRAwGKUXMxLRQouh/images/docs/query-studio-export-button.png?fit=max&auto=format&n=DRAwGKUXMxLRQouh&q=85&s=21c133564cc863ccbe86259bf9d2c097" width="1834" height="954" data-path="images/docs/query-studio-export-button.png" />

### Duplicate a query

Use **Save as New Query** to create a variation of an existing query without modifying the original.

## Limitations

OpalQuery currently supports **node-based searches only** — queries return entities (users, resources, groups) that match your filters at the present moment. The following are not yet supported:

* Distinguishing indirect vs. direct access
* Time-based filters (e.g., "users who logged in within the last 30 days")

Natural language queries are constrained by the same limitations.