Curate Resource Catalog

Decentralized Access Management

Resource Owners can act as Admins for the resources they own. Both Owners and Opal Admins can manage the approval configuration and the additional security settings by clicking into a resource's "Edit" menu.

Visibility

Every resource and group has a visibility setting. This is a "hard" visibility setting: a user who doesn't have access, isn't an admin, and isn't in a group that has been granted visibility cannot see the resource or group in their catalog at all. Visibility lets you hide resources from anyone who doesn't have access, or restrict who can request them to certain groups.

  • No visibility restrictions: This resource/group is visible to all employees.
  • Restrict to groups: Only users in certain groups (as well as users who have access to this item and admins) can see the item.

App-level Visibility

You can set Import Visibility at the connection level. This will create a default Visibility setting for all resources that are imported from the connection. Setting visibility at the app level will not change visibility settings for resources that have already been imported.

Security Settings

Opal recognizes that some resources are more sensitive than others, so we have created additional approval configuration:

  1. Maximum duration: Enforces the maximum amount of time a resource or group can be requested for.
  2. Recommended duration: Shows the recommended duration as the default option in both Slack and web.
  3. Require support ticket: Requires a support ticket to create a request.
  4. Custom fields: Create a standard set of questions for employees to answer before submitting an access request.
  5. Require MFA to approve requests (and make connections): Requires MFA to approve requests via web and Slack. In addition, for certain resources, Opal will also require MFA before end users can connect to the resource.

1. Maximum duration

If a maximum duration is set, then time periods above the maximum cannot be selected when making a request.

2. Recommended duration

If a recommended duration is set, then it is pre-selected as the default option in Slack and the web.
Note: Employees can still select other longer and shorter durations (subject to the maximum duration, if one is set).

3. Require support ticket

If this is enabled, then a support ticket must be attached to every access request. Tying the grant to a ticket allows the access to be revoked dynamically once the support ticket is completed, which strengthens your security posture: access is scoped to the completion of a specific piece of work rather than lingering afterwards.

Please note: You can only attach tickets that are assigned to you.

Time-bounded and event-bounded access

If both a time duration and a support ticket are enabled on a request, then Opal revokes the access at whichever event comes first: the duration expiring or the ticket being completed.

4. Custom fields

Admins can customize questions for employees to answer before submitting an access request to a given resource.

  1. To create custom fields, Admins must first go to Templates under the Configuration section in the left-hand bar and then click on + Custom Access Request.
  2. After creating the template, admins can set up custom fields by clicking on + Custom Field. Field options include the following types:
  • Short Answer: Short text fields
  • Paragraph: Longer text fields
  • Checkbox: A binary selection
  • Dropdown: A dropdown selection

Note: Each field can be either set to Required or Optional.

  3. Once the template with its custom fields has been created and saved, you can click Edit on the resource and attach your Custom Field template.

5. Require MFA to approve requests (and make connections)

If this setting is enabled, then Opal will trigger an MFA prompt before an approval is actioned in Slack or the web. The purpose is to protect sensitive resources by verifying the approver's identity at the moment of approval.

For some resources, Opal can be used to generate short-lived credentials via CLI or web. If MFA is enabled, then the end user will need to validate their identity before connecting to the resource.
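The rules on this page (hard visibility, maximum and recommended duration, required support ticket assigned to the requester, required custom fields, MFA-gated approval, and first-event-wins revocation) are easiest to reason about as one policy check. The following Python is an added example written for this page; it is a hypothetical model, not Opal's code or API, and every class, function and sample value in it (`ResourceSettings`, `validate_request`, `revoke_at`, the `prod-db` resource, users `alice` and `bob`, ticket `OPS-1`) is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ResourceSettings:
    """Per-resource settings as described on the page (hypothetical model)."""
    name: str
    restrict_to_groups: Optional[set[str]] = None  # None = no visibility restrictions
    max_duration: Optional[timedelta] = None
    recommended_duration: Optional[timedelta] = None
    require_support_ticket: bool = False
    require_mfa_to_approve: bool = False
    required_fields: set[str] = field(default_factory=set)  # required custom fields


@dataclass
class User:
    id: str
    groups: set[str] = field(default_factory=set)
    is_admin: bool = False
    has_access: set[str] = field(default_factory=set)  # names of resources already granted


@dataclass
class Ticket:
    id: str
    assignee: str
    completed_at: Optional[datetime] = None


@dataclass
class AccessRequest:
    requester: User
    resource: ResourceSettings
    duration: Optional[timedelta]
    ticket: Optional[Ticket] = None
    answers: dict[str, str] = field(default_factory=dict)


def is_visible(user: User, res: ResourceSettings) -> bool:
    """Hard visibility: admins, users who already have access, and members of an allowed group."""
    if res.restrict_to_groups is None or user.is_admin or res.name in user.has_access:
        return True
    return bool(user.groups & res.restrict_to_groups)


def validate_request(req: AccessRequest) -> list[str]:
    """Reasons the request cannot be submitted; an empty list means it is acceptable."""
    problems: list[str] = []
    res, user = req.resource, req.requester
    if not is_visible(user, res):
        problems.append("resource not visible to requester")
    # An open-ended request (duration None) never satisfies a configured maximum.
    if res.max_duration is not None and (req.duration is None or req.duration > res.max_duration):
        problems.append("duration exceeds maximum")
    if res.require_support_ticket:
        if req.ticket is None:
            problems.append("support ticket required")
        elif req.ticket.assignee != user.id:
            problems.append("ticket must be assigned to the requester")
    answered = {k for k, v in req.answers.items() if v.strip()}
    missing = sorted(res.required_fields - answered)
    if missing:
        problems.append("missing required fields: " + ", ".join(missing))
    return problems


def can_approve(res: ResourceSettings, approver_mfa_verified: bool) -> bool:
    """Approval is blocked until the approver has passed MFA when the resource requires it."""
    return (not res.require_mfa_to_approve) or approver_mfa_verified


def revoke_at(granted_at: datetime, duration: Optional[timedelta],
              ticket: Optional[Ticket]) -> Optional[datetime]:
    """Access ends at whichever comes first: the time bound or the ticket's completion."""
    candidates = []
    if duration is not None:
        candidates.append(granted_at + duration)
    if ticket is not None and ticket.completed_at is not None:
        candidates.append(ticket.completed_at)
    return min(candidates) if candidates else None


# Constructed sample data (not taken from the page).
PROD_DB = ResourceSettings(
    name="prod-db", restrict_to_groups={"sre"}, max_duration=timedelta(hours=8),
    recommended_duration=timedelta(hours=1), require_support_ticket=True,
    require_mfa_to_approve=True, required_fields={"justification"})
ALICE = User(id="alice", groups={"sre"})
BOB = User(id="bob", groups={"marketing"})
GRANTED_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
TICKET = Ticket(id="OPS-1", assignee="alice",
                completed_at=datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc))


def demo() -> dict:
    good = AccessRequest(ALICE, PROD_DB, timedelta(hours=2), TICKET, {"justification": "rotate creds"})
    bad = AccessRequest(BOB, PROD_DB, timedelta(hours=24), None, {})
    return {
        "alice_sees": is_visible(ALICE, PROD_DB),
        "bob_sees": is_visible(BOB, PROD_DB),
        "good_problems": validate_request(good),
        "bad_problems": validate_request(bad),
        "approve_without_mfa": can_approve(PROD_DB, False),
        "ends_at": revoke_at(GRANTED_AT, good.duration, good.ticket),  # ticket closes before 2h elapse
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the sample, Alice's two-hour grant is cut short at 10:30 because her ticket closes before the time bound elapses, which is the first-event-wins behaviour the note above describes; Bob's request fails on every check at once, and the list of reasons is what an auditor would want logged rather than a bare rejection.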