Request on behalf rules

Learn how request configurations and visibility settings affect requesting access on behalf of other users.

Certain users—Opal Admins, resource and group admins, and managers—can request access in Opal on behalf of other users. Refer to this guide to determine whether users can request on behalf of others, given the applied request configurations and group membership.

Prerequisites

To enable the ability to request on behalf in an organization, admins must enable the Global requestor role in Organization Settings > Access Requests.

Multiple request configurations

The following table applies to resources and groups which have one or more request configurations applied.

Request configuration are applied after visibility checks. If your resources and groups have limited visibility, first apply visibility rules, then the request configurations tables.

First matching configurationDefault configurationRequesterTarget UserCan requester request
With group -> Not requestableRequestableIn groupNot in group
WIth group -> Not requestableRequestableNot in groupIn group
With group -> Not requestableRequestableIn groupIn group
With group -> Not requestableRequestableNot in groupNot in group
With group -> Not requestableNot requestableIn groupNot in group
With group -> Not requestableNot requestableNot in groupNot in group
With group -> RequestableNot requestableIn groupNot in group
With group -> RequestableNot requestableIn groupIn group
With group -> RequestableNot requestableNot in groupIn group
With group -> RequestableNot requestableNot in groupNot in group
Default onlyRequestablen/an/a
Default onlyNot requestablen/an/a

For example, the first With group -> Not requestable row means if requester R is a member of group G, and the configuration disallows requests from members of group G, requester R can still request on behalf of user B, because user B is not a member of group G.

Visibility rules

The following table applies groups and resources which have limited visibility settings applied.

Requester visibilityTarget user visibilityCan requester request
Can view itemCan view item
Can view itemCan’t view item
Can’t view itemCan view item
Can’t view itemCan’t view item

If the target user cannot view the requested item, but the request is created, they cannot see the item until the request is approved—creating the request does not escalate view privileges.