Curate end-user catalog

The following settings are available from a resource's Edit page. Use them to customize who can edit resources and how resources appear to end users in the catalog.

Resource admins

Owners can be used as Admins of a resource, allowing you to decentralize access management. Both Owners and Opal Admins can manage the configuration of approval and additional security settings from a resource's Edit page.

Visibility

Every resource and group has a visibility setting. This is a "hard" visibility setting: a user who doesn't have access, isn't an admin, and isn't in a group that's been granted visibility cannot see the resources or groups in their catalog. Visibility enables you to hide resources from anyone who doesn't have access, or restrict requests to certain groups.

• No visibility restrictions: This resource/group is visible to all employees.
• Restrict to groups: Only users in certain groups, admins, and users who have direct access to this item can see the item.

📘

App-level Visibility

You can set Import Visibility at the app level. This creates a default Visibility setting for all resources that are imported from the app. Setting visibility at the app level does not change visibility settings for resources that have already been imported.

Security settings

Some resources are more sensitive than others. You can apply the following settings to your critical resources:

1. Require MFA to approve requests (and make connections): Requires MFA to approve requests via web and Slack. In addition, for certain resources, Opal will also require MFA before end users can connect to the resource.
2. Maximum duration: Enforces the maximum amount of time a resource or group can be requested for
3. Recommended duration: Shows the recommended duration as the default option in both Slack and web
4. Require support ticket: Requires a support ticket to create a request
5. Custom fields: Create a standard set of questions for employees to answer before submitting an access request

1. Maximum duration

If a maximum duration is selected, then time periods above the maximum duration cannot be selected

2. Recommended duration

If a recommended duration is selected, then it is the default option in Slack and the web
Note: Employees can still select other longer and shorter durations

3. Require support ticket

If this is enabled, then a support ticket must be submitted with an access request. This will enable an access request to be dynamically revoked if the support ticket has been completed. This enables a strong security posture as you can revoke access based on the completion of an activity.

Please note: You can only attach tickets that are assigned to you

📘

Time-bounded and event-bounded access

If both a time duration and support ticket is enabled, then Opal will take the event that comes first.

4. Custom fields

Admins can customize questions for employees to answer before submitting an access request to a given resource.

1. To create custom fields, Admins must first go to Templates under the Configuration section in the left-hand bar and then click on + Custom Access Request

2. After creating the template, admins can set up custom fields by clicking on + Custom Field. Field options include the following types:

• Short Answer: Short text fields
• Paragraph: Longer text fields
• Checkbox: A binary selection
• Dropdown: A dropdown selection

Note: Each field can be either set to Required or Optional.

3. Once the template with its custom fields has been created and saved, you can click Edit on the resource and attach your Custom Field template:

5. Require MFA to approve requests

If MFA to approve requests is enabled, Opal triggers an MFA prompt before reviewers can approve requests in Slack and web. This protects sensitive resources and validates the approver's identity.

For some resources, Opal can be used to generate short-lived credentials via CLI or web. If MFA is enabled for these resources, end users must validate their identities before connecting to the resource.