What You’ll Accomplish
Access Control lets you restrict which users can see and use specific resource roles. Instead of giving everyone access to everything, you can:
- Limit production database access to senior engineers
- Give read-only access to analysts
- Restrict sensitive systems to specific teams
- Automatically sync permissions from your identity provider
How It Works
Access Control uses groups to manage permissions. Users belong to groups, and resource roles are configured to allow access from specific groups.
Example
| User | Groups | Can Access |
|---|---|---|
| Alice | engineering, senior | prod-db, staging-db, dev-db |
| Bob | engineering | staging-db, dev-db |
| Carol | analytics | analytics-db (read-only) |
| Dave | support | support-db |
Groups and Roles
Access is granted to groups, not individual users. Groups come from two places:
- Synced from your identity provider: when users log in, their group memberships (Okta, Auth0, Azure AD, etc.) are synced to Hoop automatically.
- Created in Hoop — you can also manage groups directly in the Web App.
Built-in Roles
| Role | Description |
|---|---|
| admin | Full access to all resource roles and settings |
| auditor | Read-only access to sessions and audit logs |
Admin users bypass Access Control and can access all resource roles. Use admin sparingly.
Common Patterns
Pattern 1: Environment-Based Access
Restrict production access to senior team members:
| Resource Role | Allowed Groups |
|---|---|
| prod-db | senior-engineers, dba |
| staging-db | engineering |
| dev-db | engineering, contractors |
Pattern 2: Team-Based Access
Each team only sees their own resources:
| Resource Role | Allowed Groups |
|---|---|
| payments-db | payments-team |
| inventory-db | inventory-team |
| analytics-db | analytics-team, data-science |
Pattern 3: Role-Based Access
Different access levels for different roles:
| Resource Role | Allowed Groups |
|---|---|
| prod-db-readwrite | dba |
| prod-db-readonly | engineering, support |
| prod-db-analytics | analytics |
Pattern 4: Contractor Access
Temporary access for external contractors:
- Create a `contractors` group
- Add contractors to the group
- Only allow the `contractors` group on specific, limited resource roles
- Remove contractors from the group when the contract ends
Combining with Other Features
Access Control works with other Hoop security features:
| Feature | Combined Behavior |
|---|---|
| Access Requests | Users in allowed groups can request access; others can’t |
| Guardrails | Allowed users still subject to query restrictions |
| Live Data Masking | Allowed users see masked data |
| Session Recording | All access is audited regardless of permissions |
Example: Layered Security
For a production database:
- Access Control: Only `senior-engineers` can see the resource role
- Access Requests: Require JIT approval before connecting
- Guardrails: Block `DROP TABLE` and `DELETE` without `WHERE`
- Live Data Masking: Redact PII in query results
- Session Recording: Log all queries for audit
Best Practices
Least Privilege
Grant minimum access needed for each role
Use Groups, Not Users
Assign access to groups, not individual users
Regular Audits
Review access permissions quarterly
Document Policies
Write down who should have access to what
Access Review Checklist
Quarterly, review:
- Are all group memberships still appropriate?
- Are there users who left but still have access?
- Are there resource roles that should have stricter access?
- Is contractors' access limited to their engagement period?
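The group-to-role evaluation from "How It Works" and the quarterly review questions above, as an added illustration written for this page (not Hoop's own code or API). It assumes a plain in-memory model: each user has a set of groups, an active flag, and an optional contract end date; the resource-role mapping is Pattern 1, and `admin` bypasses Access Control as the Built-in Roles section states.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

@dataclass
class User:
    name: str
    groups: Set[str]
    active: bool = True                     # False once the person has left
    contract_end: Optional[date] = None     # set only for contractors

# Resource role -> groups allowed to see/use it (Pattern 1 from the page).
RESOURCE_ROLES = {
    "prod-db": {"senior-engineers", "dba"},
    "staging-db": {"engineering"},
    "dev-db": {"engineering", "contractors"},
}

# Constructed sample directory; names and dates are made up for the example.
USERS = [
    User("alice", {"engineering", "senior-engineers"}),
    User("bob", {"engineering"}),
    User("root-admin", {"admin"}),
    User("eve", {"engineering"}, active=False),                  # left, still in a group
    User("mallory", {"contractors"}, contract_end=date(2024, 1, 31)),
]

def visible_roles(user, roles=RESOURCE_ROLES):
    """Resource roles a user can see: admins bypass Access Control entirely,
    everyone else needs at least one group in the role's allowed set."""
    if "admin" in user.groups:
        return set(roles)
    return {role for role, allowed in roles.items() if user.groups & allowed}

def access_review(users, roles=RESOURCE_ROLES, today=date(2024, 6, 1)):
    """Quarterly review: return (finding, subject) pairs for the checklist items
    that can be checked mechanically from group data."""
    findings = []
    for u in users:
        if not u.active and visible_roles(u, roles):
            findings.append(("departed_user_with_access", u.name))
        if u.contract_end and u.contract_end < today and "contractors" in u.groups:
            findings.append(("contractor_past_engagement", u.name))
        if "admin" in u.groups:
            findings.append(("admin_bypasses_access_control", u.name))
    return findings

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sorted(visible_roles(u)))
    print(access_review(USERS))
```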
Ready to set it up? The Access Control configuration guide walks through enabling Access Control, configuring resource roles, managing groups, and syncing groups from your identity provider.
Next Steps
Configuration Guide
Detailed configuration options
Identity Providers
Set up SSO and group sync
Access Requests
Add approval workflows
Guardrails
Block dangerous operations