Manage access with ticketing

Sometimes after a user’s access is approved or revoked in an end system, additional manual work is necessary to provision or update access. Opal lets you use ticketing systems—Jira, Linear, or ServiceNow—to propagate access and gain visibility into what requires manual provisioning.

In Opal, you can:

  • Reference existing tickets—require that requesting users link access requests to existing tickets
  • Audit access by creating a ticket for every request or revocation
  • Propagate access using tickets—Opal can automatically file tickets when access is approved, revoked, or both

Requirements

To integrate with your ticketing provider in any form, you must first connect it as a Productivity Integration. Opal supports Jira, Linear, and ServiceNow as ticketing providers.

You can connect your ticketing provider to any resource that a user can request access to, including custom resources.

Reference existing tickets on access requests

To require users to link existing tickets when they request access, first go to the Inventory, then open the Edit page for the resource in question. In the Request configuration section under Request Information, set the Must link ticket that auto-expires access setting to Required.

When users request access to the resource, they must now select a ticket to submit the request. Access is automatically revoked when the ticket closes or when the selected time interval has elapsed.

You can also enable this setting for your entire organization. Go to Settings > Access Requests, then select Requests must link ticket that auto-expires access.

Create audit tickets

To create an audit ticket for every access request in Opal, go to Settings > Access Requests and select Create audit ticket for all access requests created in Opal, then enter your ticket provider details.

Whenever a user requests access in Opal, Opal creates a ticket in your ticketing provider, allowing you to audit every access request in your own system. Audit tickets are auto-closed by Opal when access expires. You can manually close audit tickets in your provider, but this has no effect in Opal.

Propagate access with tickets

When ticket propagation is enabled, Opal files a ticket on your ticket provider whenever a user is added to or removed from a specific resource in Opal. Tickets are unassigned when they are created. When tickets are updated, Opal syncs the access change and updates access accordingly.

Example

Suppose Josh requests access to a custom resource called My Role. The required reviewers for My Role are notified in Slack that they have a request to review.

When the request is approved, Opal creates a Jira ticket to assign and track the task of making the access change on the end system. In Jira, you can see a reference to the ticket from the My Role resource page on the Users tab. If you click the ticket's identifier, a modal displays with a link to the ticket.

The ticket appears on the ticketing provider as follows.

When the access change has been made on the end system, the assignee should mark the ticket as Done. Opal then records the access change as complete. This appears as a green sync icon next to the user's access.

Note that it may take several minutes for Opal to sync the ticket's status. If you're the admin of the resource, you can also force a sync by clicking the sync button on the top right of the resource's page.
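With ticket propagation, an access change is only complete once someone does the manual work and marks the ticket as Done, so a revocation ticket that stays open or unassigned deserves attention. The following is an added example, not Opal's own code: it flags overdue propagation tickets in a list of records. The record fields, the sample data, and the age thresholds are assumptions made for illustration, not Opal's or any ticketing provider's schema.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions for this example.
TICKETS = [
    {"key": "ACC-101", "change": "grant", "user": "josh", "resource": "My Role",
     "status": "Done", "assignee": "dana", "created": "2024-05-01T09:00:00+00:00"},
    {"key": "ACC-102", "change": "revoke", "user": "josh", "resource": "My Role",
     "status": "To Do", "assignee": None, "created": "2024-05-02T09:00:00+00:00"},
    {"key": "ACC-103", "change": "grant", "user": "ana", "resource": "My Role",
     "status": "In Progress", "assignee": "dana", "created": "2024-05-02T12:00:00+00:00"},
    {"key": "ACC-104", "change": "revoke", "user": "sam", "resource": "My Role",
     "status": "To Do", "assignee": "lee", "created": "2024-05-02T16:00:00+00:00"},
    {"key": "ACC-105", "change": "grant", "user": "kim", "resource": "My Role",
     "status": "To Do", "assignee": None, "created": "2024-05-01T10:00:00+00:00"},
]

# Assumed policy: revocations must be actioned faster than grants.
MAX_OPEN = {"revoke": timedelta(hours=4), "grant": timedelta(hours=24)}


def stale_tickets(tickets, now, max_open=MAX_OPEN):
    """Return open propagation tickets older than the allowed age."""
    findings = []
    for t in tickets:
        if t["status"] == "Done":  # change already made on the end system
            continue
        age = now - datetime.fromisoformat(t["created"])
        if age <= max_open[t["change"]]:
            continue
        findings.append({
            "key": t["key"],
            "change": t["change"],
            "user": t["user"],
            "resource": t["resource"],
            "age_hours": round(age.total_seconds() / 3600, 1),
            "unassigned": t["assignee"] is None,  # tickets start unassigned
        })
    # Pending revocations first, then oldest first.
    findings.sort(key=lambda f: (f["change"] != "revoke", -f["age_hours"]))
    return findings


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-02T18:00:00+00:00")
    for f in stale_tickets(TICKETS, now):
        owner = "UNASSIGNED" if f["unassigned"] else "assigned"
        print(f'{f["key"]} {f["change"]} {f["user"]} -> {f["resource"]} '
              f'open {f["age_hours"]}h ({owner})')
```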

Configure ticket propagation

To enable ticket propagation, from the Inventory page, edit the resource. Toggle on Ticket provider for access propagation in the left panel and specify the provider, project, and conditions to create tickets.


If you don’t see the Ticket provider for access propagation option, ensure you’re editing the resource, not the app.