Skip to main content
See also: Action-based Access Requests — approve individual commands instead of granting time-boxed access.

What You’ll Accomplish

Just-in-Time (JIT) Access Requests let you grant temporary access to production resources with automatic expiration. Instead of giving permanent access, you can:
  • Grant a developer 2 hours of database access for debugging
  • Allow on-call engineers 8 hours of access during their shift
  • Enable break-glass access for emergencies with full audit trail
  • Reduce standing privileges by requiring approval for every access request
The key difference from Action Access Requests: JIT grants time-based access to a resource role. Once approved, the user can run any command within that time window. Action Access Requests require approval for each individual command.

How JIT Access Requests Work

1

User Requests Access

User runs hoop connect <connection> --duration 2h to request time-limited access
2

Request Created

An access request is created with status PENDING and approvers are notified via Slack/Teams
3

Approver Decides

Approver approves or rejects the request
4

Access Granted

If approved, user gets access for the requested duration. Access automatically expires when time runs out.

Request Statuses

StatusDescription
PENDINGWaiting for approval from designated groups
APPROVEDAccess granted, user can connect
REJECTEDAccess denied by an approver
REVOKEDAccess withdrawn after initial approval
EXECUTEDAccess period completed (expired)

Common Use Cases

1. Production Database Debugging

A developer needs to investigate a production issue: 
# Request 1 hour of access
hoop connect prod-db --duration 1h
DBA approves via Slack. Developer runs diagnostic queries. Access expires automatically.

2. On-Call Access

On-call engineers get temporary elevated access during their shift: 
# Request access for 8-hour shift
hoop connect all-prod-systems --duration 8h

3. Break-Glass Emergency Access

For urgent incidents, request immediate access with documentation: 
# Emergency access with explicit duration
hoop connect critical-system --duration 30m
Best practice: Set up a dedicated emergency-approvers group with 24/7 availability.

4. Contractor Time-Limited Access

Grant temporary access for external contractors: 
# Contractor requests access for their engagement period
hoop connect client-db --duration 4h

Best Practices

Set Reasonable Durations

Match access duration to task requirements. 2 hours for debugging, 8 hours for on-call shifts.

Use Multiple Groups for Sensitive Systems

Require both technical and security approval for production databases.

Configure Slack/Teams

Real-time notifications ensure fast approval turnaround.

Audit Regularly

Review access patterns in Sessions to identify unusual activity.
Ready to set it up? See the JIT Access Requests Configuration guide for creating the Access Request rule, approval groups, duration limits, and notifications.

Next Steps

Action Access Requests

Approve individual commands instead of time-based access

Slack Integration

Set up Slack for access request notifications

Session Recording

Audit what happened during approved sessions

Access Control

Configure who can access which resource roles