Special roles in Opal
The following roles in Opal are treated as resources—a user's access to a role may be time-bounded, indefinite, etc. These roles are not scoped by resource but apply across the Opal platform, while Group/Resource Admins' capabilities are limited to the group or resource.
The following are special roles in Opal:
- Admin: Super-admins who can add integrations to Opal, see and modify all settings, and manage all configurations for resources and groups
- Auditor: Users who can start and stop user access reviews. In addition, they can assign any reviewer to review
- Read-only Admin: Users who can see everything a super-admin can see, but otherwise have normal user privileges
- User Impersonation: Users with the ability to "impersonate" another Opal user, entering read-only mode to see what they see

Additionally, the following roles can be assigned in the product:
- Group/Resource Admins: Users with admin capabilities for the resources and groups that they own
Role capabilities
Global permissions:
Group/Resource permissions:
User Access Reviews:
User Impersonation
To enable the User Impersonation role, admins can go to Settings > Advanced and toggle Enable user impersonation.

Access requests for this resource require a specified user to impersonate, which you set as a Role when you add a user to the User Impersonation role.
Updated about 1 month ago