Access Intelligence

Ask Your Access Graph Anything

Every security team has a version of the same conversation. An auditor asks, "Show me everyone with access to PCI-scoped systems." A VP asks, "Who on the platform team has admin access to production?" An incident responder asks, "Does this user have access to anything else sensitive?" The answer is always the same: "Give us a few hours." OpalQuery lets security teams explore who has access to what — and why — using natural language or a structured filter builder. Surface SoD conflicts, orphaned accounts, over-provisioned roles, and audit evidence in seconds. No SQL. No engineering tickets. No waiting for a quarterly report that's already stale.

TRUSTED BY LEADING COMPANIES

The Problem

The Cost of Asking a Question About Access Is Unreasonably High

The data exists — scattered across identity providers, cloud platforms, and access management systems. But asking a question about it requires filing a ticket with engineering, waiting for someone to write a custom SQL query or stitch together API calls, and receiving a spreadsheet that's already stale by the time you open it. Most organizations rely on periodic reports — weekly, monthly, quarterly — that represent a snapshot of a world that has already moved on. There is no way to query the live state of access on demand, and no way for non-technical users to explore the access graph without help.

Hours to days

Time to answer a single ad-hoc access question today

Quarterly

The cadence most teams rely on for access reports — leaving 90 days of unmanaged drift

Engineering dependency

Every access question requires a custom query that security teams can't run themselves

How Opal Solves It

From Filing Tickets to Typing Questions

OpalQuery is an AI-powered query environment embedded directly in Opal. Type what you're looking for in plain English — "who has admin access to production databases?" — and get structured, exportable results in seconds. The AI translates your intent into precise, composable filters against Opal's full identity and access graph. But here's what makes it different from a chatbot: the AI always shows its work. Every query is decomposed into visible, editable structured filters that you can inspect, adjust, and re-run before anything executes. No black box.

Natural language or structured filters — your choice · AI that shows its work — every interpretation is editable · Results in seconds — not hours, not days

Key Capabilities

01

Natural Language That Resolves to Real Entities

OpalQuery doesn't do fuzzy search. When you type "users with access to Engineering Production," the AI resolves that term against your actual resource and group catalog — matching to a specific entity, not a best guess. Intent parsing identifies the target entity type, access relationships, and boolean logic implied by your phrasing, then populates structured filter panels for you to review before running.

  • Catalog-aware entity resolution against your real Opal environment

  • Supports AND/OR logic, nested conditions, and multi-relationship queries

  • Undo control lets you revert AI-generated filters instantly — you're never locked in

02

A Structured Filter Builder for Precision

Not every query starts with natural language. OpalQuery's structured builder gives you direct control over entity filters (User, Resource, Group, by name, type, app, or tag) and access filters ("Has Access To" / "Accessed By") with full boolean composition — AND/OR grouping, nested condition groups, drag-and-drop reordering.

Start with the AI and refine by hand, or build from scratch. The filter panels are always the source of truth for what runs.

03

Saved Queries and Shared Knowledge

One-off queries are useful. Reusable queries are powerful. Save any query — filters, natural language prompt, title, and description — to a personal or shared library. Private queries stay with you. Public queries are visible to every admin in your organization, creating a shared repository of investigative patterns anyone can run. The query you built last quarter for SOC 2 evidence is one click away when audit season comes around again.

  • AI-generated titles and descriptions from your current filter state — so saved queries are actually findable

  • Private and Public visibility controls

  • Searchable, sortable query library in the sidebar

04

Built for Audit Season

If you've ever spent a day assembling access evidence for an auditor, OpalQuery is built for you. Type a question that matches the auditor's ask, review the structured filters, run it, and export the results as a timestamped archive ready to drop into your evidence repository. Prepare your standard audit queries once as saved public queries and re-run them each cycle. No more rebuilding from scratch every quarter.

What You Can Ask

OpalQuery operates against Opal's unified identity and access graph: users, resources, and groups from every connected system. A few examples:

"Show me all users with access to Engineering Production and AdministratorAccess"

Finds users satisfying multiple access conditions simultaneously

"Get me all resources that Person X has access to"

Explores an individual's full access footprint

"List all Google Groups that this user belongs to"

Filters by app and entity type in a single query

"Users with access to both payment processing and payment approval"

Surfaces toxic access combinations for separation of duties analysis

"Users whose name contains 'admin'"

String-based pattern matching across your identity graph

Beyond Access Intelligence

The Platform Advantage

OpalQuery is the visibility layer in Opal's See → Encode → Enforce loop. The access posture it reveals informs the policies you write in OpalScript and the decisions Paladin makes in the approval chain. Every query you run deepens Opal's understanding of your identity surface — sharpening AI-driven recommendations over time.

Programmable governance

OpalScript encodes the policies that OpalQuery surfaces the need for: SoD constraints, JIT rules, approval workflows, and break-glass procedures — all as version-controlled code

AI-powered reviews

Paladin draws on the same identity graph OpalQuery exposes, evaluating every access request against identity context, access history, and peer norms

Just-in-time access

OpalQuery surfaces the over-provisioned standing access that JIT policies eliminate — connecting visibility to action

Agent identity governance

Query across human, machine, and AI agent identities in a single interface — no identity type is invisible

Trusted by security teams that ship fast and sleep well.

86K

Time-bound access requests

JIT Access and UARs Enhance Productivity and Security at Databricks

Stop Waiting for Answers About Your Own Access Graph

The data is already there. OpalQuery gives every security team the investigative reach of a data engineer — in seconds, with no code required. Ask the question. Get the answer. Export the evidence.
