Access Reviews

Opal can be used to automate user access reviews. The platform lets compliance teams:

  1. Snapshot user access at the time the review is started
  2. Intelligently assign reviews to resource owners, who complete them in a self-service way
  3. Scope reviews by resource and group attributes
  4. Generate a report to summarize all actions for audit purposes

Starting a User Access Review

Assuming the Opal Auditor role

To start a user review, you must have the Opal Auditor role.

In the Apps tab, select Opal. Here you'll find the Opal Auditor role. 

Note: If you're an Opal Admin, you can add yourself directly to the resource by navigating to the Users tab and clicking on the pencil icon.

If you are not, you can request access to the role.

Configurations for User Access Reviews

  1. Name of User Access Review:  Customize the name of the review

  2. Access review deadline: Set the deadline that reviewers have to complete the review by

  3. Filter by Tags: Automatically specify the scope of the review using tags

  4. New review notifications: Notify users on Slack and Email if they are selected as a reviewer

  5. Reminder notifications:  Preset campaign reminders to reviewers with incomplete reviews

  6. Reviewer auto-assignment: Automatically set the reviewer to be the admins of owning teams, managers, or manually assign reviewers.

  7. Timezone: Set the timezone that will be used across reviews

  8. Self-review warning: Enable warnings in Opal for self-reviews

Types of Reviews

In Opal, you can review Resources, Groups, and Applications:

  • In the Resources tab, you can review users with direct access to a resource or permission

  • In the Groups tab, you can review the users in a group and the resources they get access to when they join.

  • In the Applications tab, you can de-provision users from an application

In Opal, we also have Users and Access changes tabs:

  • In the Users tab, you can review resources and groups by user

  • In the Access changes tab, you can review all proposed access changes

For connected applications, Opal automatically revokes access on the end system based on the reviewer's decision.

For custom connections, Opal cannot connect to the end system and won't revoke access automatically. In this case, customers use Opal as a system of record and trigger project management workflows with ticketing systems.