See also: Just-in-Time (JIT) Access Requests — grant time-boxed access to a resource instead of approving each command.
What You’ll Accomplish
Action Access Requests require approval for each command before it executes. Unlike JIT Access Requests (which grant time-based access), Action requests give you command-level control:- Review the exact query before it runs
- Approve or modify commands in real-time
- Block dangerous operations even from authorized users
- Create an audit trail of every approved action
How It Works
Approver Reviews
Approver sees the exact command and can:
- Approve - Execute the command as-is
- Reject - Block the command
What the User Sees
What the Approver Sees
In Slack (or Teams):Use Cases
1. Production Database Changes
Every write operation on production is reviewed before it runs:- A developer submits a command that updates production data
- The request pauses and notifies the DBA group for approval
- The DBA reviews the exact statement before it executes
- The command only runs once it’s approved
2. Dangerous Commands
High-risk operations are caught before they can cause damage:- An engineer submits a destructive command, such as a bulk delete
- The request is held and routed to the security team
- The security team verifies the scope and conditions are correct
- The command is approved or denied based on what they see
3. Junior Developer Oversight
Junior team members get their commands reviewed:- Configure juniors’ group to require approval
- Senior team members’ group can approve
- Learning opportunity for juniors to see corrections
4. Compliance Requirements
Some regulations require dual approval for data access:- Configure multiple approval groups
- Both groups must approve before execution
- Full audit trail for compliance reporting
Comparison: Action vs JIT
| Aspect | Action | JIT |
|---|---|---|
| Approval scope | Each command | Time window |
| User experience | Wait for each command | Request once, run freely |
| Security level | Highest | High |
| Use case | Write operations, sensitive queries | Read access, debugging sessions |
| Approver load | Higher (more requests) | Lower (one per session) |
When to Use Action
- Production write operations (UPDATE, DELETE, INSERT)
- Sensitive data access
- Compliance-required dual approval
- Training/oversight scenarios
When to Use JIT
- Debugging sessions (many queries)
- Read-only access
- On-call access
- Time-limited elevated access
Best Practices
Clear Policies
Document which commands need approval and why
Fast Approvers
Have approvers available during work hours
Backup Approvers
Configure multiple approvers for coverage
Reasonable Timeouts
Set timeouts based on operational needs
For Approvers
- Review carefully - Check the exact command being run
- Verify context - Who is running it and why
- Respond quickly - Don’t leave requesters waiting
- Document rejections - Explain why if you reject
Ready to set it up? See the Action Access Requests Configuration guide for step-by-step instructions, approval group options, timeout settings, and notification setup.
Next Steps
JIT Access Requests
Time-based access for debugging sessions
Configuration Guide
Detailed configuration options
Slack Integration
Set up Slack notifications
Guardrails
Block dangerous commands automatically