OpalQuery
Ask Your Access Graph Anything

Access Visibility Hits a Wall

Every security team fields the same questions. The answer is always: give us a few hours.
Scattered Data
Access data lives across identity providers, cloud platforms, and access management systems -- never in one place
Custom Engineering Required
Answering a single access question means filing a ticket, writing SQL, or stitching API calls together
Stale by Arrival
Results arrive in spreadsheets already outdated by the time you open them. No live, on-demand visibility
Learning Curve Barrier
Multi-condition filters across entity types require deep data model familiarity. Non-technical users can't self-serve

Natural Language Meets Structured Precision

An AI-powered query environment embedded directly in Opal
Natural Language Input
Type plain-English questions. AI translates intent into structured filters against your live access graph.
AI Shows Its Work
Every query is decomposed into visible, editable structured filters. No black box -- inspect before executing.
Export-Ready Results
Tabular results with inline identity cards. Export as a ZIP containing a results CSV and metadata JSON — ready for audit evidence.
Saved Query Library
Queries are private by default. Make any query public to share it with all admins. Duplicate with Save as New Query to iterate without overwriting the original.
DEMO 1

Basic Entity Discovery

Your security team needs to know exactly which users have direct access to your AWS EC2 instances. In the old world, that's a ticket, an AWS CLI query, and a 2-day wait. In OpalQuery, type the question — and the answer is instant.
Query (Private): Users with Access to EC2
Entity Filters
  Entity Type is User
Access Filters
  Has Access To
    Entity Type is AWS EC2
2 Filters Applied, 2 Results
Name
  Nathan Cross (nathan@opal.dev)
  Blake Peters (blake@opal.dev)
Key Capability
Filter by entity type and access type to instantly find which users have direct access to specific infrastructure resources
Key Insight
Cloud access reviews that used to take days now answer in seconds — two filters, one click.
DEMO 2

Access Footprint Analysis

An employee just resigned under difficult circumstances. Legal needs every resource they have access to — before they walk out the door. OpalQuery maps the complete access footprint across 79 resources in seconds. Not hours.
Query (Private): What does Matt Heffler have access to?
Entity Filters
  (none)
Access Filters
  Accessed By
    Entity Type is User
    Entity is Matt Heffler
2 Filters Applied, 79 Results
Name
  data-science-243389 (Google Cloud - Opal · Project · Limited)
  spano-test-service-account (Google Cloud - Opal · Service Account · Limited)
  opal_test_bigquery_table (Google Cloud - Opal · Table · Limited)
  adrian-test-instance (Google Cloud - Opal · Instance · Limited)
Key Capability
Use Accessed By to surface every resource reachable by a specific user — spanning all connected apps in a single query
Key Insight
Full access footprint across 79 resources in under a second. Ideal for offboarding, incident response, and user access reviews.
DEMO 3

Access By — Who Can Reach an Entity?

Finance Apps hold your most sensitive data. The real question isn't who's a direct member — it's who has any path to get there, through any group, role, or permission chain. OpalQuery traces every route. All 100+ of them.
Query (Private): Which users can access Finance Apps?
Entity Filters
  Entity Type is User
Access Filters
  Has Access To
    Entity Name contains finance
2 Filters Applied, 100+ Results
Name
  ivan.annikov (ivan.annikov@gmail.com)
  Amiyah Hail (amiyahhail@opaltest.dev)
  aldwin-gbdjpvngz9krsvtoczif… (aldwin-gbdjp…@dataseed.opal.dev)
  Alex Garcia (alex.garcia@opaltest.dev)
Key Capability
Use Has Access To with entity name filters to surface every principal with a path to any resource — direct or inherited through any group or role
Key Insight
The inverse of blast radius — find who reaches a target instead of what a user can reach.
DEMO 4

Resource by Name

You need to inventory every admin-level resource in AWS IAM Identity Center before your next access review. OpalQuery lets you search by name — 'contains Admin' returns every admin role, permission set, and Identity Center role in your environment. 12 results, no custom query required.
Query (Private): List AWS resources with names containing Admin
Entity Filters
  Entity Name contains Admin
  App is AWS IAM Identity Center
Access Filters
  (none)
2 Filters Applied, 12 Results
Name
  AdminSERRole (AWS IAM Identity Center · IAM Role · Global)
  DatabaseAdministrator (AWS IAM Identity Center · Identity Center Role · Global)
  SystemAdministrator (AWS IAM Identity Center · Identity Center Role · Global)
  AdministratorAccess (AWS IAM Identity Center · Identity Center Role · Global)
Key Capability
Filter by entity name and app source to instantly inventory all resources matching a naming pattern — no SQL, no scripts
Key Insight
Pre-access-review inventory that used to take hours of manual lookup now runs in under two seconds.
DEMO 5

Regional Data Residency & GDPR

Patrick is an engineer in your UK office with access to a US-hosted AWS IAM role — a potential data residency violation. OpalQuery cross-references user country tags with resource country tags, surfacing every cross-border exposure before your compliance audit finds it first.
Query (Private): Which UK-based users have access to US-based AWS IAM Role
Entity Filters
  Entity Type is User
  Entity Tag is country:United Kingdom
Access Filters
  Has Access To
    Entity Type is AWS IAM Role
    Entity Tag is country:United States
4 Filters Applied, 1 Result
Name
  patrick (patrick@opal.dev)
Key Capability
Cross-reference user country tags with resource country tags to catch cross-border access violations across your entire access graph
Key Insight
Data residency violations are invisible to single-system reviews. OpalQuery finds them at the intersection of user attributes and resource tags.
DEMO 6

Unnecessary Access — HR Manager with AWS

Your auditor wants to know which high-privilege AWS roles are reachable by HR personnel. OpalQuery lets you query from the resource side — find every AWS IAM Role that any HR-tagged user can reach. Two admin roles exposed, two immediate remediation targets confirmed.
Query (Private): Which AWS IAM Roles can be accessed by HR personnel
Entity Filters
  Entity Type is AWS IAM Role
Access Filters
  Accessed By
    Entity Type is User
    Entity Tag is department:HR
3 Filters Applied, 2 Results
Name
  NetworkAdministrator (Prod AWS Account · IAM Role · Global)
  AdministratorAccess (Prod AWS Account · IAM Role · Global)
Key Capability
Query from the resource perspective — find which privileged roles are accessible to a specific department or user group using Accessed By
Key Insight
HR access to AWS admin roles is almost never intentional — it's inherited drift that only shows up when you query it.
DEMO 7

Unnecessary Access — Engineering Team with ADP

ADP holds your employees' salaries, bank accounts, and social security numbers. Access should be tightly scoped to Finance and HR. But engineers in your organization have ADP access — the same system storing every paycheck and tax record. OpalQuery finds every one of them in one query, ready for immediate revocation.
Query (Private): Engineers with ADP Access
Entity Filters
  Entity Tag is organization:Engineering
Access Filters
  Has Access To
    Entity Name contains ADP
2 Filters Applied, 3 Results
Name
  Florie Cai (florie@opal.dev)
  Murad Akhundov (murad@opal.dev)
  Sravan Reddy (sravan@opal.dev)
Key Capability
Combine organization tag filters with access name filters to isolate which team members hold access to sensitive payroll systems
Key Insight
Payroll systems are a top insider-threat target. Engineering access to ADP is almost never intentional — it's inherited access nobody caught.
DEMO 8

SoD — Developer with Cloud Admin

A developer who can also reconfigure your cloud infrastructure can escalate their own permissions, disable logging, or spin up rogue workloads without a second pair of eyes. OpalQuery finds every engineering user with access to an AWS IAM admin role — exposing every SoD violation before your SOC 2 auditor does.
Query (Private): Developer with Infra Admin Access
Entity Filters
  Entity Type is User
  Entity Tag is department:Engineering
Access Filters
  Has Access To
    Entity Type is AWS IAM Role
    Entity Name contains Admin
4 Filters Applied, 1 Result
Name
  Rishikesh Balaji (rishikesh@opal.dev)
Key Capability
Combine job-function tags with role-level access filters to isolate the exact intersection of developer identity and admin privilege
Key Insight
Developer + cloud-admin is the most common over-privileged combo in growing engineering teams. It's usually inherited, never intentional.
DEMO 9

Cross-System Finance Risk: Coupa + ADP

Coupa manages purchase orders. ADP holds payroll and banking data. Anyone with access to both systems can approve spend and manipulate payroll — a financial fraud vector that no single-system review would ever catch. OpalQuery's multi-access-filter approach finds this dangerous intersection in one query.
Query (Private): Users with Access to Coupa and ADP
Entity Filters
  Entity Type is User
Access Filters
  Has Access To
    Entity Name contains Coupa
  AND
  Has Access To
    Entity Name contains ADP
3 Filters Applied, 1 Result
Name
  Matt Heffler (matt@opal.dev)
Key Capability
Chain multiple Has Access To filters with AND logic to find users holding access to two or more conflicting systems simultaneously
Key Insight
Procurement fraud rarely shows up in a single system. The risk lives in the gap between systems — and OpalQuery is the only tool that queries across both.
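The inherited-path lookup from Demo 3 and the AND-chained Has Access To filters from Demo 9, sketched over a small graph. This is an added example, not Opal's code or API: the graph, the node names, the function names and the case-insensitive "contains" match are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample graph: an edge means "is a member of" or "is granted".
EDGES = {
    "matt@example.test":   ["grp:procurement", "grp:people-ops"],
    "florie@example.test": ["grp:engineering"],
    "blake@example.test":  ["grp:procurement"],
    "grp:procurement":     ["role:coupa-approver"],
    "grp:people-ops":      ["grp:payroll"],        # nested group
    "grp:payroll":         ["app:ADP Workforce"],
    "grp:engineering":     ["app:ADP Workforce"],  # inherited drift
    "role:coupa-approver": ["app:Coupa"],
}
USERS = [n for n in EDGES if "@" in n]

def reachable(start, edges=EDGES):
    """Every node reachable from start over any group/role chain (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:  # also terminates on membership cycles
                seen.add(nxt)
                queue.append(nxt)
    return seen

def has_access_to(user, name_contains, edges=EDGES):
    """Resources the user can reach whose name contains the substring."""
    needle = name_contains.lower()  # assumption: case-insensitive match
    return sorted(n for n in reachable(user, edges)
                  if n.startswith("app:") and needle in n.lower())

def users_matching_all(*name_filters, users=USERS, edges=EDGES):
    """AND of several Has Access To filters: every filter must match."""
    return sorted(u for u in users
                  if all(has_access_to(u, f, edges) for f in name_filters))

def users_matching_direct_only(name_contains, users=USERS, edges=EDGES):
    """What a direct-grant-only review would report, for comparison."""
    needle = name_contains.lower()
    return sorted(u for u in users
                  if any(n.startswith("app:") and needle in n.lower()
                         for n in edges.get(u, [])))

if __name__ == "__main__":
    print("Coupa AND ADP:", users_matching_all("Coupa", "ADP"))
    print("ADP, any path:", users_matching_all("ADP"))
    print("ADP, direct only:", users_matching_direct_only("ADP"))
```

In the sample data nobody holds ADP directly, so the direct-only check returns nothing while the path-aware query surfaces two users, one of whom also reaches Coupa.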

Three Layers Working Together

AI translation, structured filtering, and instant results in a seamless workflow
Natural Language Search
Plain-English questions parsed by AI. Resolves entity references against your actual resource catalog.
Structured Filter Builder
Composable boolean logic -- AND/OR grouping, nested conditions. Build by hand or refine AI output.
Results & Export
Tabular results with clickable entity names. Export as a ZIP with results CSV and metadata JSON. Export jobs have a 60-second timeout — narrow your filters if results are large.
Saved Query Library
Save to personal or shared library. Public queries create a shared repository of investigative patterns.

Expanding OpalQuery

Read-only queries are just the beginning. The architecture supports action, automation, and policy.
Scheduled Queries & Diffing
BETA
Run queries on a recurring schedule. Get notified when results change -- new users gaining admin, access drift detection
Action from Results
PLANNED
Revoke access, initiate a review, or create an access policy directly from query results without navigating away
Query-to-Policy Pipeline
PLANNED
Promote a saved query into a standing policy or access review scope. Your audit query becomes your review population
Paladin Integration
VISION
Paladin surfaces risk findings as pre-built OpalQuery queries -- connecting automated risk detection with investigation

Try OpalQuery Today

Available now for Opal Admins and Read-only Admins. Natural language queries. Structured filters. Export-ready results.
AI Translation: NL → SQL
Blast Radius: < 30s
Audit Export: 1-Click