Skip to main content
Action Access Requests

What You’ll Accomplish

Action Access Requests require approval for each command before it executes. Unlike JIT Access Requests (which grant time-based access), Action requests give you command-level control:
  • Review the exact query before it runs
  • Approve or modify commands in real-time
  • Block dangerous operations even from authorized users
  • Create an audit trail of every approved action
The key difference from JIT Access Requests: Action requires approval for each command. JIT grants a time window where all commands are allowed.

How It Works

1

User Submits Command

User runs a command through Hoop (CLI, Web App, or API)
2

Command Held

Hoop holds the command and creates an access request with status PENDING
3

Approvers Notified

Designated approvers receive a notification (Slack, Teams, or Web App)
4

Approver Reviews

Approver sees the exact command and can:
  • Approve - Execute the command as-is
  • Reject - Block the command
5

Command Executes

If approved, the command runs and results are returned to the user

What the User Sees

$ hoop exec prod-db -i "UPDATE users SET status = 'inactive' WHERE id = 123"
 Waiting for approval...
The command waits until an approver takes action.

What the Approver Sees

In Slack (or Teams): 
🔔 Access Request from alice@company.com

Connection: prod-db
Command: UPDATE users SET status = 'inactive' WHERE id = 123

[Approve] [Reject]

Quick Start

Prerequisites

To get the most out of this guide, you will need to:
  • A connection configured with an agent
  • At least one user group for approvers
  • (Optional) Slack or Teams integration

Step 1: Enable Action Access Requests

1

Navigate to Connection Settings

Go to Connections and select your connection
2

Open Additional Configuration

Click the Additional Configuration tab
3

Enable Access Requests

Toggle on Access Requests
4

Select Approval Groups

Choose which groups can approve commands
5

Save

Click Save to apply changes

Step 2: Test the Workflow

As a non-admin user, run a command: 
hoop exec prod-db -i "SELECT COUNT(*) FROM users"
You should see: 
⣷ Waiting for approval at https://use.hoop.dev/access-requests/abc123...

Step 3: Approve the Command

As an approver: Option A: Via Slack
  1. Find the notification in your Slack channel
  2. Review the command
  3. Click Approve
Option B: Via Web App
  1. Go to Access Requests in the sidebar
  2. Find the pending request
  3. Review the command details
  4. Click Approve or Reject

Step 4: Command Executes

Once approved, the user’s terminal shows the results: 
count
-------
 12345
(1 row)

Configuration Options

Approval Groups

Configure which groups can approve commands:
ConfigurationBehavior
Single group (dba-team)Any member of dba-team can approve
Multiple groups (dba-team, security)One member from each group must approve

Groups Requiring Approval

Configure which groups need their commands approved:
SettingBehavior
All usersEvery command requires approval
Specific groupsOnly commands from those groups need approval
Exempt groupsSome groups (like admin) bypass approval

Request Timeout

Set how long to wait for approval before the request expires:
SettingUse Case
5 minutesQuick ad-hoc queries
30 minutesStandard operations
1 hourComplex procedures

Use Cases

1. Production Database Changes

All write operations on production require approval: 
# This will wait for approval
hoop exec prod-db -i "UPDATE orders SET status = 'shipped' WHERE id = 123"
The DBA reviews the exact UPDATE statement before it runs.

2. Dangerous Commands

Block risky operations unless approved: 
# This will definitely need approval
hoop exec prod-db -i "DELETE FROM logs WHERE created_at < '2024-01-01'"
Security team can verify the WHERE clause is correct.

3. Junior Developer Oversight

Junior team members get their commands reviewed:
  • Configure juniors’ group to require approval
  • Senior team members’ group can approve
  • Learning opportunity for juniors to see corrections

4. Compliance Requirements

Some regulations require dual approval for data access:
  • Configure multiple approval groups
  • Both groups must approve before execution
  • Full audit trail for compliance reporting

Integration Options

Slack

Receive and approve commands directly in Slack:
  1. Set up Slack integration
  2. Configure notification channel
  3. Approvers click buttons to approve/reject

Microsoft Teams

Same workflow in Teams:
  1. Set up Teams integration
  2. Configure webhook URL
  3. Notifications appear in your channel

Webhooks

For custom integrations:
  1. Configure a webhook endpoint
  2. Receive POST requests for new access requests
  3. Call the API to approve/reject

Comparison: Action vs JIT

AspectActionJIT
Approval scopeEach commandTime window
User experienceWait for each commandRequest once, run freely
Security levelHighestHigh
Use caseWrite operations, sensitive queriesRead access, debugging sessions
Approver loadHigher (more requests)Lower (one per session)

When to Use Action

  • Production write operations (UPDATE, DELETE, INSERT)
  • Sensitive data access
  • Compliance-required dual approval
  • Training/oversight scenarios

When to Use JIT

  • Debugging sessions (many queries)
  • Read-only access
  • On-call access
  • Time-limited elevated access

Troubleshooting

Command Times Out

If the command expires before approval: Check:
  1. Approvers received the notification
  2. Slack/Teams integration is working
  3. Request timeout is long enough
Solutions:
  • Increase timeout in connection settings
  • Verify notification channel configuration
  • Add more approvers for faster response

Approver Can’t See Request

Check:
  1. Approver is in an approval group
  2. Approver has subscribed to notifications (/hoop subscribe in Slack)
  3. Notification channel is configured

Admin Users Bypass Approval

This is expected—admin users auto-approve their own requests. To test the full workflow:
  • Use a non-admin test account
  • Or temporarily remove yourself from admin group

Request Shows “Rejected” But Shouldn’t

Check the rejection reason:
  1. Go to Access Requests in Web App
  2. Find the rejected request
  3. Click to see who rejected and why

Best Practices

Clear Policies

Document which commands need approval and why

Fast Approvers

Have approvers available during work hours

Backup Approvers

Configure multiple approvers for coverage

Reasonable Timeouts

Set timeouts based on operational needs

For Approvers

  1. Review carefully - Check the exact command being run
  2. Verify context - Who is running it and why
  3. Respond quickly - Don’t leave requesters waiting
  4. Document rejections - Explain why if you reject

Next Steps

JIT Access Requests

Time-based access for debugging sessions

Configuration Guide

Detailed configuration options

Slack Integration

Set up Slack notifications

Guardrails

Block dangerous commands automatically