Indeed, there's no such thing as the database passwd in Opa. The database is only accessed by a single application, which logics controls the access. For instance, your application code allows to create one admin user, who can choose a passwd which is stored in the database. Then, this user has the credentials to change all things when other users don't.
And of course, the database content is not covered by the AGPL license.