Opal can be used for both Access Management and Access Reviews. Some customers prefer one, or the other, or both.

By default, Opal's access management capabilities are disabled. That means that when you import resources and groups into Opal, you cannot change their membership from within Opal, except to remove users from them as part of a user access review.

To enable Opal's access management capabilities, navigate to the Opal admin page (/admin) and toggle the Manage resources and groups from Opal setting to ON.

Warning: enabling this setting will make Opal the source of truth for access control for your resources and groups.

Opal as the source of truth

This means that if you import a group into Opal, and then you remove a user from that group on the end system, Opal will impose its view on the end system and add the user back to the group. The only way to remove the user is to remove the user from Opal.

That said, the first time that Opal encounters a user on a resource or group, it will respect the end system as the source of truth, and import that user as part of the resource or group. All subsequent syncs for that item and user will be based on Opal as the source of truth.
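To make the two sync behaviours concrete, here is an added, constructed model of the reconciliation rules this page describes. It is not Opal's code and does not reflect how Opal is implemented internally; the state names (`OpalState`, `members`, `seen`), the action labels and the sample group `eng-admins` with users alice, bob and carol are all assumptions made for illustration. With the setting OFF, the model simply mirrors the end system; with the setting ON, a user Opal has never seen on an item is imported, and every later disagreement is resolved in Opal's favour.

```python
"""Toy model of the documented sync rules (constructed example, not Opal's code).

Setting OFF: the end system is the source of truth, Opal mirrors it.
Setting ON:  a (item, user) pair Opal has never encountered is imported from the
             end system; from then on Opal's view wins and drift on the end
             system is corrected.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OpalState:
    # item (resource or group) -> users Opal currently believes are members
    members: dict[str, set[str]] = field(default_factory=dict)
    # (item, user) pairs Opal has encountered on an earlier sync
    seen: set[tuple[str, str]] = field(default_factory=set)


def remove_in_opal(state: OpalState, item: str, user: str) -> None:
    """Under the setting ON, the documented way to drop a user: remove them in Opal."""
    state.members.setdefault(item, set()).discard(user)


def sync(state: OpalState, end_system: dict[str, set[str]],
         manage_enabled: bool) -> list[tuple[str, str, str]]:
    """One sync pass. Returns (action, item, user) tuples. 'import' and
    'drop_from_opal' change Opal's view; the '*_on_end_system' actions are the
    writes Opal would push out to the end system."""
    actions: list[tuple[str, str, str]] = []
    for item, remote in end_system.items():
        local = state.members.setdefault(item, set())
        if not manage_enabled:
            # Setting OFF: mirror the end system, nothing is written back.
            for u in sorted(remote - local):
                local.add(u)
                actions.append(("import", item, u))
            for u in sorted(local - remote):
                local.discard(u)
                actions.append(("drop_from_opal", item, u))
        else:
            for u in sorted(remote - local):
                if (item, u) not in state.seen:
                    # First encounter: the end system wins and the user is imported.
                    local.add(u)
                    actions.append(("import", item, u))
                else:
                    # Seen before but absent in Opal (removed via Opal): Opal wins.
                    actions.append(("remove_on_end_system", item, u))
            for u in sorted(local - remote):
                # Removed on the end system behind Opal's back: Opal re-adds.
                actions.append(("re_add_on_end_system", item, u))
        # Remember every pair encountered on this pass for later syncs.
        for u in remote | local:
            state.seen.add((item, u))
    return actions


def scenario() -> list[list[tuple[str, str, str]]]:
    """Walk through the page's description with constructed sample data."""
    state = OpalState()
    log = []
    # Sync 1: first encounter, both users are imported from the end system.
    log.append(sync(state, {"eng-admins": {"alice", "bob"}}, manage_enabled=True))
    # Sync 2: bob was removed directly on the end system; Opal re-adds him.
    log.append(sync(state, {"eng-admins": {"alice"}}, manage_enabled=True))
    # Sync 3: bob is removed in Opal; the end system (showing bob again) is corrected.
    remove_in_opal(state, "eng-admins", "bob")
    log.append(sync(state, {"eng-admins": {"alice", "bob"}}, manage_enabled=True))
    # Sync 4: a never-seen user appears on the end system and is still imported.
    log.append(sync(state, {"eng-admins": {"alice", "carol"}}, manage_enabled=True))
    return log


if __name__ == "__main__":
    for i, actions in enumerate(scenario(), start=1):
        print(f"sync {i}: {actions}")
```

The fourth sync is the point worth checking in a real deployment: even with Opal as the source of truth, a user granted directly on the end system is imported rather than reverted the first time Opal sees them, so an access review (or an alert on unexpected "import" events) is still needed to catch out-of-band grants.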

User deprovisioning

User deprovisioning can be handled seamlessly in Opal. If Opal detects that a user's status has changed in the HR provider or the IDP provider, you can set the Enable IDP user deprovisioning setting so that Opal automatically removes these users from Opal.

