Access Control Configuration
Access Control lets you restrict which users can see and access specific connections based on their group memberships. This page covers detailed configuration options.
For an introduction to Access Control concepts, see Access Control Overview.

Enabling Access Control

Enabling Access Control will immediately hide connections from users who don’t have explicit access. Plan your group assignments before enabling.

Step 1: Activate Access Control

  1. Navigate to Access Control: go to Manage > Access Control in the sidebar.
     [Screenshot: Access Control menu]
  2. Review the warning: read the activation warning carefully. Understand that:
     • Users without group assignments will lose access
     • You’ll need to configure each connection individually
     • Changes take effect immediately
     [Screenshot: Activation warning]
  3. Click Activate to enable Access Control for your organization.

Step 2: Configure Connections

After activation, configure access for each connection:
  1. Select a connection: find the connection in the list and click to configure.
     [Screenshot: Connection list]
  2. Enable Access Control: toggle the Access Control switch for this connection.
  3. Add allowed groups: select which groups can access this connection.
     [Screenshot: Add groups]
  4. Save: click Save to apply the configuration.

Group Management

Creating Groups

Groups can be created in two ways.

Option A: Manual creation (in Hoop)
  1. Go to Manage > Users & Groups
  2. Click the Groups tab
  3. Click Create Group
  4. Enter a group name (e.g., prod-access, analytics-team)
  5. Add users to the group

Option B: Sync from Identity Provider
Groups can be automatically synced when users log in:
  1. Configure your IdP to include a groups claim in the ID token
  2. Users’ groups are synced on each login
  3. See Identity Provider Configuration

Built-in Groups

Group   | Description    | Permissions
admin   | Administrators | Full access to all connections and settings
auditor | Audit access   | Read-only access to sessions and logs

Admin users bypass Access Control and can access all connections regardless of group configuration.

Group Naming Conventions

Recommended naming patterns:
Pattern     | Example                          | Use case
Environment | prod-access, staging-access      | Environment-based access
Team        | engineering, analytics, support  | Team-based access
Role        | dba, developer, viewer           | Role-based access
Combined    | prod-dba, staging-dev            | Specific combinations

Permission Types

Connection Visibility

When Access Control is enabled on a connection:
User’s groups          | Connection visibility
In allowed groups      | Connection is visible and accessible
Not in allowed groups  | Connection is hidden completely
Admin group            | Always visible (bypasses Access Control)

Combining with Access Requests

Access Control and Access Requests work together:
Access Control | Access Requests | Result
Allowed        | Not enabled     | Direct access
Allowed        | JIT enabled     | Must request time-based access
Allowed        | Action enabled  | Each command needs approval
Not allowed    | Any             | Connection not visible
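The two tables above can be read as a small decision procedure. The following is an added reference model of those rules, not Hoop's own code: the `Connection` fields, the `access_requests` mode names ("none", "jit", "action") and the result strings are assumptions chosen to mirror the table rows. Whether admins are also exempt from Access Requests is not stated on this page, so the model applies the configured Access Requests mode to every visible connection, admins included.

```python
# Added example: reference model of the Connection Visibility and
# Combining with Access Requests tables. Not Hoop's code; field names are assumed.
from dataclasses import dataclass, field

ADMIN_GROUP = "admin"  # built-in group that bypasses Access Control


@dataclass
class Connection:
    name: str
    access_control_enabled: bool = False
    allowed_groups: set = field(default_factory=set)
    # Access Requests mode (assumed names): "none", "jit" (time-based),
    # or "action" (each command needs approval)
    access_requests: str = "none"


def is_visible(user_groups, conn):
    """Connection Visibility table: admins always see the connection; when
    Access Control is on, any other user must share at least one group with
    allowed_groups; when it is off the connection is visible to everyone."""
    if ADMIN_GROUP in user_groups:
        return True
    if not conn.access_control_enabled:
        return True
    return bool(set(user_groups) & conn.allowed_groups)


def access_outcome(user_groups, conn):
    """Combining with Access Requests table. Returns one of:
    'not visible', 'direct access', 'must request JIT access',
    'each command needs approval'."""
    if not is_visible(user_groups, conn):
        return "not visible"
    outcomes = {
        "none": "direct access",
        "jit": "must request JIT access",
        "action": "each command needs approval",
    }
    if conn.access_requests not in outcomes:
        raise ValueError(f"unknown Access Requests mode: {conn.access_requests!r}")
    return outcomes[conn.access_requests]


if __name__ == "__main__":
    prod = Connection("prod-database", True, {"senior-engineers", "dba"}, "jit")
    for groups in ({"engineering"}, {"dba"}, {"admin"}):
        print(sorted(groups), "->", access_outcome(groups, prod))
```

Note that a connection with Access Control enabled but an empty allowed-group list is reachable only by admins; that is the state every connection is in immediately after activation, which is why the page tells you to plan group assignments first.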

Configuration Patterns

Pattern 1: Environment-Based

Separate access by environment:
Connection: prod-database
  Allowed Groups: senior-engineers, dba

Connection: staging-database
  Allowed Groups: engineering, qa

Connection: dev-database
  Allowed Groups: engineering, contractors

Pattern 2: Team-Based

Each team accesses their own resources:
Connection: payments-db
  Allowed Groups: payments-team

Connection: inventory-db
  Allowed Groups: inventory-team

Connection: analytics-warehouse
  Allowed Groups: analytics-team, data-science

Pattern 3: Read/Write Separation

Create separate connections with different access levels:
Connection: prod-db-readonly
  Allowed Groups: engineering, analytics, support
  (Configured with read-only database user)

Connection: prod-db-readwrite
  Allowed Groups: dba, senior-engineers
  (Configured with read-write database user)

Pattern 4: Contractor Access

Limited access for external contractors:
Connection: contractor-db
  Allowed Groups: contractors
  (Limited database, Live Data Masking enabled)

Identity Provider Integration

Syncing Groups from IdP

To automatically sync groups from your identity provider:
  1. Configure IdP to include groups claim: In your IdP (Okta, Auth0, Azure AD, etc.), configure the OIDC application to include a groups claim in the ID token.
  2. Set environment variables on gateway:
    IDP_GROUPS_CLAIM=groups
    
    Or for custom claim names:
    IDP_GROUPS_CLAIM=https://mycompany.com/groups
    
  3. Groups sync on login: When users log in, their groups are automatically synced from the IdP.

Provider-Specific Guides


Auditing Access

Viewing User Permissions

To see what a user can access:
  1. Go to Manage > Users
  2. Click on a user
  3. View their group memberships
  4. Cross-reference with connection configurations

Access Logs

All access attempts are logged:
  1. Go to Sessions
  2. Filter by user or connection
  3. See successful connections and denied attempts

Exporting Access Report

Generate a report of who can access what:
hoop admin get connections -o json | \
  jq '.[] | {name, allowed_groups}'
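The jq filter above lists each connection with its allowed groups, but answering "who can access what" still means cross-referencing that list with user group memberships (the manual procedure under Viewing User Permissions). The following added script, which is not Hoop's own tooling, does that join: it takes the `{name, allowed_groups}` objects in the shape the filter prints plus a user-to-groups mapping, and produces a per-connection and per-user report along with review findings (an allowed group that no current user holds, or a connection with an empty allow list). The sample connections and users are constructed, and the script assumes Access Control is enabled on every exported connection, since the filter output does not carry that toggle.

```python
# Added example, not Hoop's code: build a who-can-access-what report from the
# {name, allowed_groups} objects printed by the jq filter above and a
# user -> groups mapping. All sample data below is constructed.
import json

ADMIN_GROUP = "admin"  # built-in group that bypasses Access Control

# Constructed stand-in for the jq output, wrapped in a JSON array.
CONNECTIONS_JSON = """
[
  {"name": "prod-database",    "allowed_groups": ["senior-engineers", "dba"]},
  {"name": "staging-database", "allowed_groups": ["engineering", "qa"]},
  {"name": "contractor-db",    "allowed_groups": ["contractors"]}
]
"""

# Constructed user -> groups mapping (what Manage > Users would show).
USERS = {
    "alice@example.com": ["dba"],
    "bob@example.com": ["engineering"],
    "carol@example.com": ["admin"],
    "dan@example.com": ["contractors"],
}


def load_connections(text):
    """Parse the export into (name, allowed_groups-as-set) pairs; a missing or
    null allowed_groups field is treated as an empty allow list."""
    return [(c["name"], set(c.get("allowed_groups") or [])) for c in json.loads(text)]


def users_for_connection(allowed, users):
    """Everyone who can reach the connection: admins plus any user sharing a group.
    Assumes Access Control is enabled on the connection."""
    return sorted(u for u, g in users.items() if ADMIN_GROUP in g or allowed & set(g))


def access_report(text, users):
    """Return ({connection: [users]}, [findings]) for the quarterly review."""
    conns = load_connections(text)
    report = {name: users_for_connection(allowed, users) for name, allowed in conns}
    held_groups = {g for gs in users.values() for g in gs}
    findings = []
    for name, allowed in conns:
        if not allowed:
            # Only admins can reach this connection; usually an unfinished setup.
            findings.append(f"{name}: no allowed groups")
        for g in sorted(allowed - held_groups):
            # Group named in the allow list but held by nobody: renamed team,
            # departed members, or an IdP claim that is not syncing.
            findings.append(f"{name}: group {g!r} has no members")
    return report, findings


def connections_for_user(report, email):
    """Per-user view (the Viewing User Permissions procedure, inverted)."""
    return sorted(name for name, users in report.items() if email in users)


if __name__ == "__main__":
    report, findings = access_report(CONNECTIONS_JSON, USERS)
    for name, users in report.items():
        print(f"{name}: {', '.join(users)}")
    for f in findings:
        print("finding:", f)
```

To run it against a real export, replace `CONNECTIONS_JSON` with the output of the command above wrapped in `jq -s` (so it is one JSON array) and fill `USERS` from your IdP or from Manage > Users.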

Troubleshooting

User Can’t See a Connection

Checklist:
  1. Is Access Control enabled on the connection?
    • Go to connection settings
    • Check if Access Control toggle is on
  2. Is the user in an allowed group?
    • Go to Manage > Users
    • Check user’s group memberships
    • Verify groups match connection’s allowed groups
  3. Has the user logged out and back in?
    • Groups sync on login
    • Have user log out and log in again
  4. Is the IdP sending groups correctly?
    • Check IdP configuration
    • Verify groups claim in ID token
Debug steps:
# Check user's groups
hoop admin get user <email>

# Check connection's allowed groups
hoop admin get connection <name>

User Sees Connection But Can’t Connect

This is likely NOT an Access Control issue. Check:
  1. Access Requests: Is JIT or Action approval required?
  2. Guardrails: Are there blocking rules?
  3. Connection status: Is the agent online?

Groups Not Syncing from IdP

Check:
  1. IdP is configured to include groups claim
  2. IDP_GROUPS_CLAIM environment variable is set correctly
  3. User has groups assigned in the IdP
  4. Gateway was restarted after configuration
Debug:
  • Decode the ID token to verify groups claim is present
  • Check gateway logs for group sync errors
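Both the Syncing Groups from IdP steps and the debug step above come down to one question: does the ID token actually carry the claim named by IDP_GROUPS_CLAIM, and is it a non-empty list of strings? The following added helper, which is not Hoop's code, decodes the payload segment of a JWT and reports exactly that, including the custom-URL claim name case. It deliberately does not verify the signature; it is an inspection aid for a token you already hold, not an authentication check. The `make_unsigned_token` helper only exists to construct test tokens.

```python
# Added example, not Hoop's code: check that an OIDC ID token's payload carries
# the groups claim named by IDP_GROUPS_CLAIM. Signature is NOT verified; this
# inspects claim layout only.
import base64
import json
import os


def decode_jwt_payload(token):
    """Return the JWT payload (middle segment) as a dict.
    JWT segments are base64url without padding, so padding is restored first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def groups_from_id_token(token, claim_name=None):
    """Return (groups, problem). problem is None when the claim is usable.
    claim_name defaults to the IDP_GROUPS_CLAIM environment variable, then
    'groups'. A custom name such as 'https://mycompany.com/groups' is looked up
    literally, exactly as it appears in the token."""
    claim = claim_name or os.environ.get("IDP_GROUPS_CLAIM", "groups")
    payload = decode_jwt_payload(token)
    if claim not in payload:
        return [], f"claim {claim!r} missing; claims present: {sorted(payload)}"
    value = payload[claim]
    if isinstance(value, str):
        value = [value]  # some IdPs emit a single string for a single group
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        return [], f"claim {claim!r} is not a list of strings: {value!r}"
    if not value:
        return [], f"claim {claim!r} is empty; user has no groups assigned in the IdP"
    return value, None


def make_unsigned_token(payload):
    """Construct an unsigned ('alg': 'none') token for exercising the parser.
    Test scaffolding only; never accept such tokens in a real flow."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


if __name__ == "__main__":
    # Constructed tokens standing in for what the IdP returns at login.
    good = make_unsigned_token({"sub": "u1", "groups": ["dba", "engineering"]})
    custom = make_unsigned_token({"sub": "u1", "https://mycompany.com/groups": ["analytics-team"]})
    print(groups_from_id_token(good, "groups"))
    print(groups_from_id_token(custom, "groups"))  # wrong claim name -> problem
    print(groups_from_id_token(custom, "https://mycompany.com/groups"))
```

When the "claim missing" branch fires and the listed claims include the groups under a different key, the fix is the IDP_GROUPS_CLAIM value on the gateway (followed by a restart); when the claim is absent altogether, the fix is on the IdP side.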

Best Practices

Start Restrictive

Begin with minimal access and expand as needed

Use Groups, Not Users

Always assign access to groups, never individuals

Document Policies

Maintain a document of who should access what

Regular Reviews

Audit access quarterly

Before Enabling Access Control

  1. Inventory all connections
  2. Identify who needs access to each
  3. Create groups in IdP or Hoop
  4. Assign users to groups
  5. Document the access policy
  6. Test with a non-production connection first

Quarterly Access Review

  1. Export current access configuration
  2. Review with team leads
  3. Remove departed employees
  4. Verify contractor access is time-limited
  5. Update documentation