## What You'll Accomplish
Access Control lets you restrict which users can see and use specific resource roles. Instead of giving everyone access to everything, you can:
* Limit production database access to senior engineers
* Give read-only access to analysts
* Restrict sensitive systems to specific teams
* Automatically sync permissions from your identity provider
***
## How It Works
Access Control uses **groups** to manage permissions. Users belong to groups, and resource roles are configured to allow access from specific groups.
User logs in via your identity provider (Okta, Auth0, etc.)
User's group memberships are synced from the identity provider
When accessing a resource role, Hoop checks if the user's groups are allowed
User sees the resource role if allowed, or gets an access denied error
### Example
| User | Groups | Can Access |
| ----- | ----------------------- | --------------------------- |
| Alice | `engineering`, `senior` | prod-db, staging-db, dev-db |
| Bob | `engineering` | staging-db, dev-db |
| Carol | `analytics` | analytics-db (read-only) |
| Dave | `support` | support-db |
***
## Groups and Roles
Access is granted to **groups**, not individual users. Groups come from two places:
* **Synced from your identity provider** — when users log in, their group memberships (Okta, Auth0, Azure AD, etc.) are synced to Hoop automatically.
* **Created in Hoop** — you can also manage groups directly in the Web App.
### Built-in Roles
| Role | Description |
| --------- | ---------------------------------------------- |
| `admin` | Full access to all resource roles and settings |
| `auditor` | Read-only access to sessions and audit logs |
Admin users bypass Access Control and can access all resource roles. Use admin sparingly.
***
## Common Patterns
### Pattern 1: Environment-Based Access
Restrict production access to senior team members:
| Resource Role | Allowed Groups |
| ------------- | ---------------------------- |
| prod-db | `senior-engineers`, `dba` |
| staging-db | `engineering` |
| dev-db | `engineering`, `contractors` |
### Pattern 2: Team-Based Access
Each team only sees their own resources:
| Resource Role | Allowed Groups |
| ------------- | -------------------------------- |
| payments-db | `payments-team` |
| inventory-db | `inventory-team` |
| analytics-db | `analytics-team`, `data-science` |
### Pattern 3: Role-Based Access
Different access levels for different roles:
| Resource Role | Allowed Groups |
| ----------------- | ------------------------ |
| prod-db-readwrite | `dba` |
| prod-db-readonly | `engineering`, `support` |
| prod-db-analytics | `analytics` |
Create multiple resource roles to the same database with different credentials for different access levels.
### Pattern 4: Contractor Access
Temporary access for external contractors:
1. Create a `contractors` group
2. Add contractors to the group
3. Only allow `contractors` group on specific, limited resource roles
4. Remove from group when contract ends
***
## Combining with Other Features
Access Control works with other Hoop security features:
| Feature | Combined Behavior |
| --------------------- | -------------------------------------------------------- |
| **Access Requests** | Users in allowed groups can request access; others can't |
| **Guardrails** | Allowed users still subject to query restrictions |
| **Live Data Masking** | Allowed users see masked data |
| **Session Recording** | All access is audited regardless of permissions |
### Example: Layered Security
For a production database:
1. **Access Control:** Only `senior-engineers` can see the resource role
2. **Access Requests:** Require JIT approval before connecting
3. **Guardrails:** Block `DROP TABLE` and `DELETE` without WHERE
4. **Live Data Masking:** Redact PII in query results
5. **Session Recording:** Log all queries for audit
***
## Best Practices
Grant minimum access needed for each role
Assign access to groups, not individual users
Review access permissions quarterly
Write down who should have access to what
### Access Review Checklist
Quarterly, review:
* Are all group memberships still appropriate?
* Are there users who left but still have access?
* Are there resource roles that should have stricter access?
* Are contractors' access limited to their engagement period?
***
Ready to set it up? The [Access Control configuration guide](/setup/configuration/access-control-configuration) walks through enabling Access Control, configuring resource roles, managing groups, and syncing groups from your identity provider.
## Next Steps
Detailed configuration options
Set up SSO and group sync
Add approval workflows
Block dangerous operations