Modern enterprises rely on a staggering array of applications to run daily operations. CRMs track every sale, hyperscalers sustain critical infrastructure, and developer tools keep engineers productive. All these tools are easily secured by Opal with its pre-built API integrations. Still, innovative enterprises need their own tools to manage complex financial, legal, and technical processes. The average employee uses 40 applications to do their job—typically a combination of in-house tools and third-party SaaS applications.

Companies build these tools (sometimes in-house) to solve problems, and they inevitably access sensitive data and processes, under the purview of SOX, SOC2 and HIPAA audits. Many enterprises get buried in manual access control and review processes for their homegrown applications. That’s why leading enterprises keep every application in their arsenal secure using Opal’s custom connectors, enabling just-in-time access, user access reviews and continuous risk monitoring.

Custom Connectors bring every application under control 

Opal designed custom connectors to be easy to build, quick to deploy, and efficient to maintain. They are implemented as a set of API endpoints. During each sync, Opal sends requests to these API endpoints to retrieve the current state of your application. When access changes are made in Opal, they are propagated to your application by the appropriate API endpoints. 

The power of Opal’s custom connectors lies in the flexibility of their architecture. Without an opinionated SDK in the way, there’s no limit to what entities, entitlements, and attributes Custom Connectors can keep in sync. Let’s walk through the four ways your apps can interact with Opal, even without native connectors:

1. Through a standard REST API

2. Through a SCIM-style API

3. Through a database connector

4. Through an ACL file

Connect to your application’s API

If your application has a public API for access control, your custom connector can act as a pass-through client. For example, you can use Opal custom connectors to manage user accounts in your application if it exposes an /accounts API.

API access is probably the most comprehensive and well-specified way to access applications: API endpoints typically process requests in a validated fashion, avoiding, for example, some of the risks that come with accessing an application’s database directly.

Connect to your application’s SCIM API

You already put in the work to bring your application under your IdP’s control using SCIM. You can write a custom connector that uses these APIs to bring them under Opal’s control. SCIMs are typically segmented on users, and because Opal can publish to one or many SCIMs, Opal is well suited to integrate additional apps via SCIM. This is also a structured format, reducing the risk of unwanted side effects through direct database access or other mechanisms.

Connect to your application’s database

Your applications are built to solve problems, not connect with Opal. If your application does not have a public API, but stores access control information in a database, Opal custom connectors can talk directly to your application’s database for the purposes of both access management and compliance. It’s even possible to integrate directly with a database (typically the users table), even if that same database is a managed entitlement within Opal.

Connect to your application’s access control files

Your applications may use files storing access control information, and even these types of apps are not beyond Opal’s reach. Custom connectors can be written to connect to wherever these files are stored, whether behind SSH, FTP or cloud object storage.

Custom Connectors live wherever you need them

Opal’s custom connectors were explicitly designed with best practices in mind, but that doesn’t mean they require special treatment when it comes to deployment. Opal custom connectors live alongside your existing tooling, even if your existing tooling does not use code. You can continue using your existing deployment, secrets management, and logging infrastructure with our Custom Connectors. Opal Custom Connectors don’t depend on a specific SDK, which gives our customers ultimate flexibility in how and where they deploy their connectors.

Opal Custom Connectors can be written with your no-code tools

If you and your team would rather not write code, you can skip tedious debugging sessions and get straight to JIT by implementing your Opal custom connectors using your favorite no-code workflow tool. Any workflow that supports synchronous responses can be used to implement an Opal custom connector by simply implementing the required endpoints. Take a look at our Tines example to see how much control you can achieve with no code. 

Opal Custom Connectors can be deployed with your serverless tools

On the other hand, some more complex custom connectors may require code, but they do not require complex deployments. Opal custom connectors only need to be available for sync, so they can be easily deployed in simple, cost-effective serverless tools such as AWS Lambda, Azure Function Apps or GCP Cloud Run functions.

Opal Custom Connectors support multi-tenant deployments

The most sophisticated enterprises deploy a fleet of custom connectors to secure every application, but you can simplify their deployment by making one simple deployment exposing a single API. Simply check the app_id parameter, and one API can manage access control for every application.

Custom Connectors give you the full power of Opal

Opal custom connectors aren’t a stop-gap solution, they give you the full power of Opal’s powerful identity governance and administration tooling. You can learn more about Custom Connectors in Opal’s documentation, or schedule a demo with a member of our team today.