> ## Documentation Index
> Fetch the complete documentation index at: https://docs.opal.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Special roles in Opal

The following roles in Opal are treated as resources—a user's access to a role may be time-bounded, indefinite, etc. These roles are not scoped by resource but apply across the Opal platform, while Group/Resource Admins' capabilities are limited to the group or resource.

The following are special roles in Opal:

* **Admin**: Super-admins who can add integrations to Opal, see and modify all settings, and manage all configurations for resources and groups
* **Auditor**: Users who can start and stop user access reviews. In addition, they can assign any reviewer to review
* **Read-only Admin**: Users who can see everything a super-admin can see, but otherwise have normal user privileges
* **User Impersonation**: Users with the ability to "impersonate" another Opal user, entering read-only mode to see what they see
* **Global Requester**: Gives users visibility into the entire catalog, regardless of visibility rules, and gives users the ability to request resources and groups [on behalf of](/docs/end-user-faq#request-access-in-the-opal-ui) other users

<img src="https://mintcdn.com/opalsecurity/lt0M-hBs5yNe5ff5/images/docs/a4eec22b55593d31c03b5faa4b35e2aa1522b6092d340ae127969a44ceb3e99d-opal-roles.png?fit=max&auto=format&n=lt0M-hBs5yNe5ff5&q=85&s=08ad189698ccca80b99a0243784f03e5" alt="" width="2558" height="1394" data-path="images/docs/a4eec22b55593d31c03b5faa4b35e2aa1522b6092d340ae127969a44ceb3e99d-opal-roles.png" />

Additionally, the following roles can be assigned in the product:

* **Group/Resource Admins:** Users with admin capabilities for the resources and groups that they own

## Role capabilities

Global permissions:

<img src="https://mintcdn.com/opalsecurity/odnvD_MsXBxTor9u/images/docs/7feac38-Screen_Shot_2022-08-05_at_2.38.13_PM.png?fit=max&auto=format&n=odnvD_MsXBxTor9u&q=85&s=95cefd29e6b849289d02acd72f30c82e" alt="" width="3578" height="1330" data-path="images/docs/7feac38-Screen_Shot_2022-08-05_at_2.38.13_PM.png" />

Group/Resource permissions:

<img src="https://mintcdn.com/opalsecurity/lt0M-hBs5yNe5ff5/images/docs/af1e715-Screen_Shot_2022-09-14_at_10.19.10_AM.png?fit=max&auto=format&n=lt0M-hBs5yNe5ff5&q=85&s=05addc67bcc0e9800f33597ab972aa1b" alt="" width="2432" height="1154" data-path="images/docs/af1e715-Screen_Shot_2022-09-14_at_10.19.10_AM.png" />

User [Access Reviews](/docs/access-reviews):

<img src="https://mintcdn.com/opalsecurity/odnvD_MsXBxTor9u/images/docs/7b96638-Screen_Shot_2022-08-05_at_2.34.25_PM.png?fit=max&auto=format&n=odnvD_MsXBxTor9u&q=85&s=a062bd226d48455cb189557e3d867704" alt="" width="3354" height="738" data-path="images/docs/7b96638-Screen_Shot_2022-08-05_at_2.34.25_PM.png" />

<img src="https://mintcdn.com/opalsecurity/KunPWigry5GIeB5g/images/docs/4c1a801-Screen_Shot_2022-08-05_at_2.34.32_PM.png?fit=max&auto=format&n=KunPWigry5GIeB5g&q=85&s=8d08c942f00a26294fbcc4b7f94dd174" alt="" width="1936" height="256" data-path="images/docs/4c1a801-Screen_Shot_2022-08-05_at_2.34.32_PM.png" />

## User Impersonation

To enable the User Impersonation role, admins can go to **Organization Settings > Advanced** and toggle **Enable user impersonation**.

<img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/25bb9d460b0dad69d4d0f5d4b71527c2965b184c9af30f7381b1e13dc93ee770-user-impersonation.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=bbeecb27ae54213962261c162a6973b0" alt="" width="3738" height="1641" data-path="images/docs/25bb9d460b0dad69d4d0f5d4b71527c2965b184c9af30f7381b1e13dc93ee770-user-impersonation.png" />

Access requests for this resource require a specified user to impersonate, which you set as a **Role** when you add a user to the **User Impersonation** role.

## Global requestor

To enable the Global Requestor role, go to **Organization Settings > Access Requests** and toggle **Enable global requestor role**. See [request on behalf rules](/docs/request-on-behalf) to learn about how visibility settings and request configurations affect the global requestor role.

<img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/e72604252f0e77933b5b6b921bee481b018dc0d9041d2a43701f22d9b3e473af-global-requestor-enable.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=316b4e69f469ca8b0ab95b603d6452c7" alt="" width="3722" height="1626" data-path="images/docs/e72604252f0e77933b5b6b921bee481b018dc0d9041d2a43701f22d9b3e473af-global-requestor-enable.png" />

***