Curate Resource Catalog
Decentralized Access Management
Owners can be used as Admins. Both Owners and Opal Admins can manage the configuration of approval and additional security settings by clicking into a resource's "Edit" menu.
Visibility
Every resource and group has a visibility setting. This is a "hard" visibility setting: a user who does not have access, is not an admin, and is not in a group that has been granted visibility cannot see the resource or group in their catalog at all. Visibility lets you hide resources from anyone who does not already have access, or restrict requests to certain groups.
- No visibility restrictions: This resource/group is visible to all employees.
- Restrict to groups: Only users in certain groups (as well as users who have access to this item and admins) can see the item.
App-level Visibility
You can set Import Visibility at the connection level. This will create a default Visibility setting for all resources that are imported from the connection. Setting visibility at the app level will not change visibility settings for resources that have already been imported.
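The following is an added illustrative model of the visibility rules described above; it is example code written for this page, not Opal's own implementation, and the user, group and resource names in it are constructed. It shows the "hard" check (group membership, existing access, or admin) and that a connection-level import default is copied onto a resource at import time, so changing the default afterwards does not touch already-imported resources.

```python
"""Illustrative model of catalog visibility (added example, not Opal code).

Rules modelled from the page:
  - "No visibility restrictions": every employee can see the item.
  - "Restrict to groups": only members of the listed groups, users who
    already have access to the item, and admins can see it.
  - A connection's import visibility is the default for resources imported
    from it; changing it later does not alter resources already imported.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    is_admin: bool = False


@dataclass
class Resource:
    name: str
    # None means "no visibility restrictions"; a set means "restrict to groups"
    visible_to_groups: Optional[Set[str]] = None
    users_with_access: Set[str] = field(default_factory=set)


@dataclass
class Connection:
    name: str
    # Default visibility applied to resources imported from this connection
    import_visibility: Optional[Set[str]] = None


def can_see(user: User, resource: Resource) -> bool:
    """Hard visibility check: False means the item is hidden from the catalog."""
    if resource.visible_to_groups is None:
        return True  # no restrictions
    if user.is_admin or user.name in resource.users_with_access:
        return True
    return bool(user.groups & resource.visible_to_groups)


def import_resource(connection: Connection, name: str) -> Resource:
    """Snapshot the connection's default at import time (a copy, not a shared reference)."""
    if connection.import_visibility is None:
        return Resource(name=name)
    return Resource(name=name, visible_to_groups=set(connection.import_visibility))


def catalog_for(user: User, resources: List[Resource]) -> List[str]:
    """Names of the resources this user would see in their catalog."""
    return [r.name for r in resources if can_see(user, r)]


def import_scenario():
    """Import one resource, change the connection default, import another (constructed)."""
    conn = Connection("aws-prod", import_visibility={"eng"})
    first = import_resource(conn, "prod-db")
    conn.import_visibility = None  # later change to the connection default
    second = import_resource(conn, "dev-db")
    return first, second


# Constructed sample data
ALICE = User("alice", groups={"eng"})            # in a group granted visibility
BOB = User("bob", groups={"sales"})              # neither access nor group nor admin
CAROL = User("carol", is_admin=True)             # admin sees everything
DAVE = User("dave")                              # already has access to prod-db
PROD_DB = Resource("prod-db", visible_to_groups={"eng"}, users_with_access={"dave"})
DEV_DB = Resource("dev-db")                      # no visibility restrictions

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.name, "->", catalog_for(u, [PROD_DB, DEV_DB]))
    first, second = import_scenario()
    print(first.name, first.visible_to_groups, "|", second.name, second.visible_to_groups)
```

Running it shows that bob sees only `dev-db`, while alice, carol and dave also see `prod-db`, and that the first imported resource keeps the `{"eng"}` restriction even after the connection default was cleared.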
Security Settings
Opal recognizes that some resources are more sensitive than others, so we have created additional approval configuration:
- Require MFA to approve requests (and make connections): Requires MFA to approve requests via web and Slack. In addition, for certain resources, Opal will also require MFA before end users can connect to the resource.
- Maximum duration: Enforces the maximum amount of time a resource or group can be requested for.
- Recommended duration: Shows the recommended duration as the default option in both Slack and web.
- Require support ticket: Requires a support ticket to create a request.
- Custom fields: Create a standard set of questions for employees to answer before submitting an access request.
1. Maximum duration
If a maximum duration is selected, then time periods above the maximum duration cannot be selected.
2. Recommended duration
If a recommended duration is selected, then it is the default option in Slack and the web.
Note: Employees can still select other durations, longer or shorter, as long as they are within the maximum.
3. Require support ticket
If this is enabled, then a support ticket must be attached to an access request. This allows the granted access to be revoked dynamically once the support ticket has been completed, which gives a stronger security posture: access is tied to the completion of an activity rather than only to a clock.
Please note: You can only attach tickets that are assigned to you.
Time-bounded and event-bounded access
If both a time duration and a support ticket are enabled, then Opal revokes access at whichever event comes first: the duration expiring or the ticket being completed.
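The following is an added example modelling the maximum duration, recommended duration, support-ticket and "whichever comes first" rules from sections 1 to 3; it is illustrative code written for this page, not Opal's implementation. The function and field names are assumptions, the sample durations and ticket are constructed, and the fallback of pre-selecting the shortest option when no recommended duration applies is an assumption the page does not state.

```python
"""Illustrative model of duration and support-ticket settings (added example, not Opal code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Ticket:
    ticket_id: str
    assignee: str
    completed_at: Optional[datetime] = None  # set once the ticket is closed


@dataclass
class ResourceSettings:
    max_duration: Optional[timedelta] = None          # hard cap on requestable time
    recommended_duration: Optional[timedelta] = None  # pre-selected default only
    require_support_ticket: bool = False


@dataclass
class AccessRequest:
    requester: str
    duration: Optional[timedelta]  # None models an open-ended request
    ticket: Optional[Ticket] = None


def duration_options(settings: ResourceSettings, offered: List[timedelta]) -> List[timedelta]:
    """Durations the requester may pick: anything above the maximum is not selectable."""
    if settings.max_duration is None:
        return sorted(offered)
    return sorted(d for d in offered if d <= settings.max_duration)


def default_duration(settings: ResourceSettings, offered: List[timedelta]) -> Optional[timedelta]:
    """The recommended duration is pre-selected when it is selectable; otherwise the
    shortest selectable option is used (assumption, not stated on the page)."""
    options = duration_options(settings, offered)
    if settings.recommended_duration in options:
        return settings.recommended_duration
    return options[0] if options else None


def validate_request(settings: ResourceSettings, req: AccessRequest) -> List[str]:
    """Policy violations for a request; an empty list means it may be submitted."""
    errors = []
    if settings.max_duration is not None and (
        req.duration is None or req.duration > settings.max_duration
    ):
        errors.append("duration exceeds the resource's maximum")
    if settings.require_support_ticket and req.ticket is None:
        errors.append("a support ticket is required")
    if req.ticket is not None and req.ticket.assignee != req.requester:
        errors.append("only tickets assigned to the requester can be attached")
    return errors


def revoke_at(granted_at: datetime, req: AccessRequest) -> Optional[datetime]:
    """Time-bounded and event-bounded access: revoke at whichever comes first.
    Returns None when neither a duration nor a completed ticket bounds the grant."""
    candidates = []
    if req.duration is not None:
        candidates.append(granted_at + req.duration)
    if req.ticket is not None and req.ticket.completed_at is not None:
        candidates.append(req.ticket.completed_at)
    return min(candidates) if candidates else None


# Constructed sample data
HOUR = timedelta(hours=1)
OFFERED = [24 * HOUR, HOUR, 8 * HOUR, HOUR / 2]
SETTINGS = ResourceSettings(max_duration=8 * HOUR, recommended_duration=HOUR, require_support_ticket=True)
GRANTED_AT = datetime(2024, 1, 15, 9, 0)
DONE_AT = datetime(2024, 1, 15, 11, 30)
OWN_OPEN_TICKET = Ticket("T-1", assignee="alice")
OWN_DONE_TICKET = Ticket("T-2", assignee="alice", completed_at=DONE_AT)
OTHERS_TICKET = Ticket("T-3", assignee="bob")
REQ_OK = AccessRequest("alice", HOUR, OWN_OPEN_TICKET)
REQ_TOO_LONG = AccessRequest("alice", 24 * HOUR, OWN_OPEN_TICKET)
REQ_WRONG_TICKET = AccessRequest("alice", HOUR, OTHERS_TICKET)
REQ_DONE = AccessRequest("alice", 8 * HOUR, OWN_DONE_TICKET)

if __name__ == "__main__":
    print("selectable:", duration_options(SETTINGS, OFFERED))
    print("default:", default_duration(SETTINGS, OFFERED))
    for req in (REQ_OK, REQ_TOO_LONG, REQ_WRONG_TICKET):
        print(req.duration, req.ticket.ticket_id, "->", validate_request(SETTINGS, req) or "ok")
    print("revoke (ticket still open):", revoke_at(GRANTED_AT, REQ_OK))
    print("revoke (ticket closed at 11:30):", revoke_at(GRANTED_AT, REQ_DONE))
```

With the constructed settings the 24-hour option is filtered out, one hour is pre-selected, a ticket assigned to someone else is rejected, and an 8-hour grant whose ticket closes at 11:30 is revoked at 11:30 rather than at 17:00.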
4. Custom fields
Admins can customize questions for employees to answer before submitting an access request to a given resource.
- To create custom fields, Admins must first go to Templates under the Configuration section in the left-hand bar and then click on + Custom Access Request.
- After creating the template, admins can set up custom fields by clicking on + Custom Field. Field options include the following types:
  - Short Answer: Short text fields
  - Paragraph: Longer text fields
  - Checkbox: A binary selection
  - Dropdown: A dropdown selection
  Note: Each field can be set to either Required or Optional.
- Once the template with its custom fields has been created and saved, you can click Edit on the resource and attach your Custom Field template.
5. Require MFA to approve requests (and make connections)
If this setting is enabled, then Opal triggers an MFA prompt before an approval is actioned in Slack or the web. The use case is to protect sensitive resources by validating the approver's identity at the moment of approval.
For some resources, Opal can be used to generate short-lived credentials via CLI or web. If MFA is enabled, then the end user will need to validate their identity before connecting to the resource.