Special roles in Opal

The following roles in Opal are treated as resources—a user's access to a role may be time-bounded, indefinite, etc. These roles are not scoped by resource but apply across the Opal platform, while Group/Resource Admins' capabilities are limited to the group or resource.

The following are special roles in Opal:

  • Admin: Super-admins who can add integrations to Opal, see and modify all settings, and manage all configurations for resources and groups
  • Auditor: Users who can start and stop user access reviews. In addition, they can assign any reviewer to a review
  • Read-only Admin: Users who can see everything a super-admin can see, but otherwise have normal user privileges
  • User Impersonation: Users with the ability to "impersonate" another Opal user, entering read-only mode to see what they see

Additionally, the following roles can be assigned in the product:

  • Group/Resource Admins: Users with admin capabilities for the resources and groups that they own

Role capabilities

Global permissions:

Group/Resource permissions:

User Access Reviews:

User Impersonation

To enable the User Impersonation role, admins can go to Settings > Advanced and toggle Enable user impersonation.

Access requests for this resource must specify the user to impersonate, which you set as a Role when you add a user to the User Impersonation role.