Opal connector
Automate Access Governance and Identity Workflows with Opal Integrations
Connect Opal to your security stack, ITSM tools, and HR systems to clean up access reviews, provisioning, and least-privilege enforcement at scale.

What can you do with the Opal connector?
Opal is a modern access control platform that lets teams manage permissions, run access reviews, and enforce least-privilege policies across cloud resources and SaaS apps. Integrating Opal with the rest of your tech stack cuts out manual provisioning bottlenecks and makes sure identity events — new hires, role changes, offboarding — trigger the right access actions without anyone having to babysit them. With tray.ai, you can connect Opal to HR systems, ticketing platforms, SIEM tools, and directory services to build end-to-end identity lifecycle workflows without writing custom glue code.
Automate & integrate Opal
Automating Opal business processes or integrating Opal data is made easy with tray.ai
Use case
Automated Employee Onboarding Access Provisioning
When a new employee record is created in your HRIS — Workday, BambooHR, or similar — Opal automatically provisions the right resource groups and permission sets based on department, role, and location. No more back-and-forth between HR, IT, and engineering while someone waits to do their actual job.
Use case
Offboarding and Access Revocation Workflows
When a termination event fires in your HRIS or identity provider, Opal revokes access immediately or on a schedule. Slack and email notifications go out to IT and security, and the revocation event gets logged to your SIEM or ticketing system before anyone has to ask.
Use case
Periodic Access Review Automation
Schedule recurring access review campaigns in Opal and automatically notify resource owners and managers via Slack or email with direct review links. Review outcomes sync back to Jira or ServiceNow, closing associated tickets and updating CMDB records with current permission states.
Use case
Just-in-Time Access Request and Approval Routing
Opal access requests get routed through your existing approval workflows in Jira Service Management, PagerDuty, or similar tools based on resource sensitivity, requester role, or time of day. Access is granted temporarily on approval and revoked automatically when the window expires.
Use case
Security Incident Access Lockdown
When a security alert fires in your SIEM, EDR, or threat detection platform, Opal's API suspends access for flagged users or resources while an investigation runs. Incident context goes to your incident management platform and the security team gets notified through existing channels — no manual steps required.
Use case
Cross-System Permission Drift Detection and Remediation
Permissions granted in Opal get continuously compared against source-of-truth role definitions in your HRIS or identity provider. When drift shows up — say, a user still has access after a role change — a remediation workflow updates Opal and alerts the resource owner before it becomes an audit finding.
Use case
Access Analytics and Reporting Pipeline
Opal access events, review outcomes, and provisioning logs export on a schedule into your data warehouse or BI platform — Snowflake, Looker, or similar. The result is dashboards that actually show you over-privileged users, review completion rates, and time-to-revoke metrics for executive and compliance reporting.
Build Opal Agents
Give agents secure and governed access to Opal through Agent Builder and Agent Gateway for MCP.
Data Source
Look Up Access Request Details
Retrieve details of specific access requests including requester, resource, status, and approval history. An agent can use this to give context-aware responses or kick off downstream workflows based on request state.
Data Source
Query Resources and Permissions
Fetch information about available resources, apps, and their associated permission levels within Opal. An agent can then tell users what access options exist and what they're eligible to request.
Data Source
List User Access Entitlements
Retrieve the current permissions and resource access granted to a specific user. An agent can use this to audit access, catch over-provisioning, or answer user questions about what they currently have access to.
Data Source
Fetch Group Membership Information
Pull membership details for access groups and roles defined in Opal. An agent can use this to check whether a user belongs to a group before recommending access changes or escalations.
Data Source
Monitor Access Review Status
Retrieve the current state of ongoing access reviews including pending approvals, assigned reviewers, and completion rates. An agent can surface this data to compliance teams or send reminders when reviews are running late.
Agent Tool
Submit Access Request
Programmatically create an access request on behalf of a user for a specified resource or permission level. An agent can submit requests based on user intent or business logic, cutting out manual steps in provisioning workflows.
Agent Tool
Approve or Deny Access Requests
Take approval or denial actions on pending access requests within Opal. An agent can handle routine approvals based on policy rules or route edge cases to a human reviewer.
Agent Tool
Revoke User Access
Remove a user's access to a specific resource or group in Opal. An agent can trigger revocations automatically when someone is offboarded, violates a policy, or fails an access review.
Agent Tool
Add or Remove Group Members
Modify membership of access groups by adding or removing users. An agent can keep group memberships in sync with HR systems or org changes without anyone doing it by hand.
Agent Tool
Trigger Access Review
Initiate a new access review campaign for a specific resource, group, or user population. An agent can schedule or trigger reviews in response to compliance deadlines, new audit requirements, or detected anomalies.
Agent Tool
Update Resource Configurations
Modify settings or metadata for resources managed within Opal, such as visibility, ownership, or approval workflows. An agent can keep resource configurations current as security policies change, without manual intervention.
Get started with our Opal connector today
If you would like to get started with the tray.ai Opal connector today then speak to one of our team.
Opal Challenges
What challenges are there when working with Opal, and how will using tray.ai help?
Challenge
Manual Access Provisioning Creates Security and Productivity Gaps
IT and security teams manually processing access requests through tickets frustrate employees waiting for day-one access and produce inconsistent provisioning that generates audit findings. Teams spend hours per week on access tickets instead of work that actually moves the needle.
How Tray.ai Can Help:
tray.ai connects your HRIS and directory to Opal so provisioning triggers automatically on HR events. Role-to-resource mappings defined once in the workflow apply consistently every time, removing humans from the critical path of routine access grants.
Challenge
Disconnected Tools Leave Access Review Outcomes Siloed
Opal access review results often don't automatically update downstream systems like ticketing platforms, CMDBs, or data warehouses. Security teams manually export results and update records, which creates lag and leaves systems out of sync.
How Tray.ai Can Help:
tray.ai workflows listen for completed review events from Opal and automatically push outcomes to ServiceNow, Jira, Snowflake, or any other downstream tool. Your system of record stays synchronized without the security team having to touch it.
Challenge
Slow Incident Response Due to Manual Access Revocation Steps
During a security incident, responders have to manually identify which systems a compromised user can access and revoke each grant one by one. That process can take hours, giving a potential breach more time to spread.
How Tray.ai Can Help:
tray.ai connects your SIEM or EDR alerts directly to Opal's API so access suspension happens in seconds as part of an automated incident response playbook. The workflow also creates the incident ticket and notifies the team, so responders can focus on investigation rather than manual access management.
Challenge
Permission Drift Goes Undetected Between Review Cycles
Access granted for a project or temporary role change often sticks around long after the need has passed, especially when role changes in the HRIS aren't automatically reflected in Opal. That drift quietly piles up until it shows up as an audit finding.
How Tray.ai Can Help:
tray.ai runs scheduled reconciliation workflows that compare live HRIS role data against Opal grants and triggers remediation automatically when drift appears. Access stays aligned with current job function without waiting for the next scheduled review cycle.
Challenge
Building and Maintaining Custom Integration Scripts Is Expensive
Engineering teams often build bespoke Python scripts or Lambda functions to wire Opal into other systems, but these scripts need ongoing maintenance, lack observability, and break when APIs change. The result is hidden technical debt sitting in the security team's infrastructure.
How Tray.ai Can Help:
tray.ai has a no-code and low-code workflow builder with a native Opal connector, built-in error handling, and workflow versioning. Security and IT ops teams can build and maintain integrations themselves without engineering support, and tray.ai handles API changes and retries transparently.
Talk to our team to learn how to connect Opal with your stack
Find the tray.ai connector with one of the 700+ other connectors in the tray.ai connector library to integrate your stack.
Start using our pre-built Opal templates today
Start from scratch or use one of our pre-built Opal templates to quickly solve your most common use cases.
Template
HRIS New Hire to Opal Access Provisioning
Automatically provisions the correct Opal resource groups and permission sets when a new employee is created in Workday or BambooHR, based on mapped role and department attributes.
Steps:
- Trigger on new employee created event in Workday or BambooHR
- Map employee department and role to Opal resource group definitions
- Call Opal API to provision access to mapped groups and resources
- Send confirmation message to IT and the new employee's manager in Slack
- Log provisioning event to audit trail in your ticketing system
Connectors Used: Opal, Workday REST, BambooHR, Slack
Template
Employee Offboarding Access Revocation
Revokes all Opal access when an employee termination is detected in the HRIS, notifies security and IT teams, and logs the event to the SIEM and ticketing system.
Steps:
- Trigger on employee termination event in Workday
- Fetch all active Opal access grants for the departing user
- Revoke all identified access grants via Opal API
- Create a ServiceNow offboarding ticket with revocation evidence attached
- Post summary of revoked access to the security team's Slack channel
- Forward revocation log to Splunk for SIEM ingestion
Connectors Used: Opal, Workday REST, ServiceNow, Slack, Splunk HTTP Event Collector
Template
Opal Access Review Reminder and Escalation
Sends automated Slack and email reminders to pending access reviewers in Opal and escalates to their manager if reviews aren't completed before the deadline.
Steps:
- Poll Opal API on a schedule to identify overdue or pending access reviews
- Send personalized Slack DM to each reviewer with a direct link to their review queue
- If review remains incomplete after 48 hours, send escalation email via Gmail to the reviewer's manager fetched from Workday
- Update review status tracking sheet or dashboard with completion metrics
Connectors Used: Opal, Slack, Gmail, Workday REST
Template
SIEM Alert to Opal Emergency Access Suspension
Automatically suspends a user's Opal access when a high-severity security alert fires in Splunk or Datadog, and creates an incident ticket in PagerDuty.
Steps:
- Trigger on high-severity alert webhook from Splunk or Datadog
- Extract affected user identity from alert payload
- Call Opal API to suspend all active access for the flagged user
- Create PagerDuty incident with alert context and list of revoked resources
- Notify security on-call team in Slack with incident summary and Opal action taken
Connectors Used: Opal, Splunk HTTP Event Collector, PagerDuty, Slack
Template
Opal Access Event Export to Snowflake Data Warehouse
Exports Opal access provisioning, revocation, and review events to Snowflake on a schedule to power compliance dashboards and security analytics.
Steps:
- Run scheduled workflow on a daily or hourly cadence
- Fetch new access events and review outcomes from Opal API since last export timestamp
- Transform and normalize event payload to match Snowflake target schema
- Upsert records into Snowflake access_events table
- Post export summary with record count to a monitoring Slack channel
Connectors Used: Opal, Snowflake, Slack
Template
Role Change Permission Update in Opal
Detects role or department changes in the HRIS and automatically updates the user's Opal access to match the new role's permission profile, removing old access and granting new access in a single workflow.
Steps:
- Trigger on employee role change event in BambooHR
- Look up current Opal access grants for the affected user
- Determine delta between current grants and target role's permission profile
- Revoke stale access grants and provision new role-appropriate access via Opal API
- Open a Jira ticket documenting the access change for audit purposes
- Notify user and their new manager in Slack confirming access has been updated
Connectors Used: Opal, BambooHR, Jira, Slack
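The "determine delta" step of the role-change template above, which is the same comparison the drift-detection use case relies on, shown as an added example (not tray.ai or Opal code). The role profiles, group names, and `Grant` record are hypothetical, and no Opal API is called; the function only produces the revoke/grant plan a workflow would then act on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role-to-group profiles; names are hypothetical, not Opal's.
ROLE_PROFILES = {
    ("engineering", "sre"): {"prod-k8s-read", "pagerduty-oncall", "github-eng"},
    ("finance", "analyst"): {"netsuite-read", "looker-finance"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    group: str
    expires_at: Optional[datetime] = None  # set only for time-boxed (JIT) grants

def plan_access_change(user, department, role, grants, now):
    """Return (to_revoke, to_grant, kept_temporary) for one user's new role."""
    key = (department, role)
    if key not in ROLE_PROFILES:
        # Fail closed: an unmapped role must not silently become "revoke all"
        # or "keep all"; surface it for a human to map.
        raise LookupError(f"no permission profile for {key}")
    target = ROLE_PROFILES[key]
    to_revoke, kept_temp, held = set(), set(), set()
    for g in grants:
        if g.user != user:
            continue
        expired = g.expires_at is not None and g.expires_at <= now
        if g.group in target:
            if not expired:
                held.add(g.group)      # already matches the new role
        elif expired or g.expires_at is None:
            to_revoke.add(g.group)     # expired, or standing grant outside profile (drift)
        else:
            kept_temp.add(g.group)     # approved, unexpired temporary access
    return sorted(to_revoke), sorted(target - held), sorted(kept_temp)

def example_plan():
    """Constructed case: alice moves from finance/analyst to engineering/sre."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    grants = [
        Grant("alice", "netsuite-read"),
        Grant("alice", "looker-finance"),
        Grant("alice", "github-eng"),
        Grant("alice", "prod-db-admin", now + timedelta(hours=4)),
        Grant("alice", "legacy-vpn", now - timedelta(days=30)),
        Grant("bob", "netsuite-read"),
    ]
    return plan_access_change("alice", "engineering", "sre", grants, now)
```

Keeping unexpired temporary grants in a separate list stops reconciliation from cancelling an approved just-in-time window while still making that access visible in the audit ticket.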