Introducing Conditional Approvals

Today, we’re announcing the launch of conditional approvals – now available on V1.0.477

Customer Context

Opal enables security teams to enforce powerful access policies that are easy to implement and scale across the organization. For example, companies can mandate that sensitive applications require multi-stage approvals, 2FA, and maximum request durations.

However, applying universal policies on resources does not take the requester's context into consideration. Enterprises need additional flexibility and want to set different approval policies depending on the requester's team or role. Ultimately, this enables companies to be more productive and secure. Administrators can implement more dynamic policies – streamlining or elevating security configurations based on additional context.

Here are use cases that we have heard from our customers:

• If an engineer wanted to get access to Cluster Admin role for a Kubernetes cluster, this request might go to the InfoSec team and Platform Engineering for review. However, if a platform engineer requested access, then the request would just require manager approval only since the platform team manages Kubernetes.
• If employees at Acme Corp request access to Zoom, then this request will go to the IT team for approval as they will need to weigh the cost-benefit analysis. However, if customer-facing teams at Acme Corp request access to Zoom, then this request will be auto-approved since it is likely that they will need the paid subscription for Zoom.

Product Deep Dive

1. Opal admins can navigate to Resources and click on Edit to manage Request Configurations. All resources will start with the default condition – policies that will apply to all users in your organization.

2. By clicking on add a new configuration, Opal admins can select the group that they want the configuration to apply to. Opal ingests a wide variety of group providers, such as Okta, AzureAD, LDAP, Google Groups, and more.

3. If there are multiple conditions, Opal admins can also configure the order of the conditional approvals in which they are applied. Employees are subject to the first matching configuration if they are part of multiple groups. For example, if an employee is part of both DevOps Group and Engineering, they will be subject to the policies applied on the DevOps Group since it is the first in the configuration order.

About Opal

Opal is the unified identity platform for modern enterprises. Opal aggregates identity and access data to provide visibility and defense-in-depth infrastructure for mission-critical systems. Enterprises can discover anomalous identity risks with the product and remediate them in minutes. The world's best companies trust Opal to govern and adapt sensitive access.

Want to see it yourself? Contact sales@opal.dev or book a meeting here for a personalized demo.