# Resource Provisioning Hub

> Bulk-provision and manage PostgreSQL roles across every database connected to Hoop — with a plan/apply dry-run workflow and full audit trail.

## What You'll Accomplish

The **Provisioning** hub gives platform and security teams a single place to own the full lifecycle of database access roles across all PostgreSQL resources connected to Hoop:

* Import your databases into a managed **Inventory** catalog
* Configure **admin credentials** that Hoop uses to apply changes
* Declare the roles you need and let Hoop compute a **dry-run plan** before touching anything
* **Apply** approved plans and watch every SQL operation captured in an audit session
* Retrieve generated credentials from the Hoop Resource Role that Hoop creates for each provisioned role

The workflow mirrors Terraform: `plan` → review → `apply`. Nothing changes in Postgres until you explicitly approve it.

***

## How It Works

Hoop connects to Postgres using the admin credentials you supply, introspects the live catalog state, computes the minimum SQL diff required to reach the desired role configuration, and executes it — recording every statement in a session for audit.

<Steps>
  <Step title="Inventory">
    Import your PostgreSQL instances into the catalog. Each resource tracks host, port, type, and setup progress.
  </Step>

  <Step title="Manage">
    Supply an admin account (username + password) per resource. Hoop uses this account to run `CREATE ROLE`, `GRANT`, and `REVOKE` statements.
  </Step>

  <Step title="Provision">
    Define roles, scopes, and privileges. Run a plan to see the exact SQL diff, then apply it. Hoop creates a Resource Role for each provisioned role so team members can start using it immediately.
  </Step>
</Steps>

***

## Role Types

### Managed

Hoop fully owns the role:

* Creates the role if it does not exist
* Manages the password (rotates on each apply when `--rotate-password` is used)
* Grants the specified `USAGE` on schemas and `SELECT / INSERT / …` on tables within each scope
* Reconciles grants on each apply — adding or revoking as the scope list changes

Use `managed` when you want Hoop to issue credentials that Hoop itself controls end-to-end.
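
The reconcile behaviour above amounts to a set difference between the declared grants and the grants found in the live catalog. The Python below is an added example, not Hoop's implementation; the tuple format, the `plan_grants` function, and the sample role `reporting_rw` are assumptions made for illustration.

```python
# Added illustration, not Hoop's code: diff desired vs. current grants into SQL.
TABLE_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

def quote_ident(name):
    """Quote a PostgreSQL identifier, doubling any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'

def target(schema, table):
    """Render the object clause; table=None means the schema itself."""
    if table is None:
        return f"SCHEMA {quote_ident(schema)}"
    return f"TABLE {quote_ident(schema)}.{quote_ident(table)}"

def plan_grants(role, desired, current):
    """Return the minimal REVOKE/GRANT list that turns `current` into `desired`.

    Each grant is (schema, table_or_None, privilege). `current` stands in for
    what catalog introspection would report; nothing is executed here.
    """
    for schema, table, priv in desired | current:
        # Allow-list privileges so no free-form text reaches the statement.
        ok = priv == "USAGE" if table is None else priv in TABLE_PRIVS
        if not ok:
            raise ValueError(f"unsupported grant: {(schema, table, priv)!r}")
    order = lambda g: (g[0], g[1] or "", g[2])  # schema USAGE sorts before its tables
    r = quote_ident(role)
    # Revokes come first so out-of-scope access is listed ahead of new grants.
    sql = [f"REVOKE {p} ON {target(s, t)} FROM {r};"
           for s, t, p in sorted(current - desired, key=order)]
    sql += [f"GRANT {p} ON {target(s, t)} TO {r};"
            for s, t, p in sorted(desired - current, key=order)]
    return sql

# Constructed sample state: `billing` left the scope list and `app.users` was added.
CURRENT = {("app", None, "USAGE"), ("app", "orders", "SELECT"),
           ("billing", None, "USAGE"), ("billing", "invoices", "SELECT")}
DESIRED = {("app", None, "USAGE"), ("app", "orders", "SELECT"),
           ("app", "users", "SELECT"), ("app", "users", "INSERT")}

if __name__ == "__main__":
    for stmt in plan_grants("reporting_rw", DESIRED, CURRENT):
        print(stmt)
```

An empty result means the live state already matches the declaration, which is what a second plan right after a successful apply should show.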

### External

Hoop creates the role (if missing) and runs `GRANT <source_role> TO <new_role>`, giving the new role all privileges the source role has. No per-table grants are managed.

Use `external` when an existing superuser or read-all role already covers the access needed, for example a role that inherits `pg_read_all_data`.

***

<Note>
  Ready to set it up? The [Resource Provisioning configuration guide](/setup/configuration/resource-provisioning-configuration) walks through building the inventory, configuring admin accounts, provisioning roles with the plan/apply workflow (Web App or CLI), and reading the audit sessions.
</Note>

## After Provisioning

Once a role is applied, Hoop automatically creates or updates a **Resource Role** for that role. Team members can connect via the Web App or CLI using that resource role — Hoop injects the credentials at session time without exposing them to users.

<CardGroup cols={2}>
  <Card title="Access Control" icon="lock" href="/learn/features/access-control">
    Restrict provisioned Resource Roles to specific user groups
  </Card>

  <Card title="Session Recording" icon="film" href="/learn/features/session-recording">
    Every plan and apply is recorded — review the full SQL audit trail
  </Card>

  <Card title="Live Data Masking" icon="mask" href="/learn/features/live-data-masking">
    Mask sensitive columns in query output even for provisioned roles
  </Card>

  <Card title="CLI Reference" icon="terminal" href="/clients/cli-resources">
    Full flag reference for `hoop resources plan`, `apply`, and more
  </Card>
</CardGroup>
