Skip to main content
Action Access Requests require approval for each command before it executes. This page covers detailed configuration options.
For an introduction to Action Access Requests, see Action Access Requests Overview.
Configuring time-based access instead? See JIT Access Requests Configuration.

Enabling Action Access Requests

Via Web App

Action Access Requests are configured as an Access Request rule of type by Command.
1

Open Access Request

In the Web App sidebar, under Discover, click Access Request.
2

Create a new rule

Click Create new Access Request rule. If you don’t have any rules yet, you’re taken straight to the rule form.
3

Set rule information

Give the rule a Name and an optional Description.
4

Choose the access request type

Select the Access request type:
  • Just-in-Time — temporary access that expires automatically after a defined time range.
  • by Command — execution-based access with a per-command approval workflow.
Only resource roles that support the selected type can be added in the next step.
5

Select resource roles

Under Resource configuration, choose the resource roles this rule applies to. Optionally, use Attribute configuration to scope the rule further.
6

Set user groups

  • Required user groups — the groups that must request access under this rule.
  • Approval user groups — the groups that can approve access for this rule.
7

Tune approval controls (optional)

  • Require all groups approval — require approval from at least one member of each approval group.
  • Approval amount — the minimum number of approvals required per session.
  • Force approval groups — groups allowed to bypass the other approval rules.
8

Save

Click Save to create the rule.

Via CLI

Enable Action Access Requests when creating a resource role: 
hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team,security' \
  -- psql -h localhost -U postgres mydb
The --reviewers flag specifies which groups can approve commands. Add reviewers to an existing resource role: 
hoop admin create connection prod-db \
  --overwrite \
  --reviewers 'dba-team,security'

Approval Group Configuration

Single Approver Group

When one group is configured, any member of that group can approve: 
--reviewers 'dba-team'
Behavior: Any member of dba-team can approve or reject.

Multiple Approver Groups

When multiple groups are configured, all groups must approve: 
--reviewers 'dba-team,security-team'
Behavior:
  • Request requires 1 approval from dba-team AND 1 approval from security-team
  • Either group can reject the request
  • Request stays pending until all groups approve

Exempt Groups

Admin users automatically approve their own requests. To test the full workflow, use a non-admin account.

Timeout Configuration

Set how long to wait for approval before the request expires.

Gateway Environment Variable

REVIEW_TIMEOUT_SEC=3600  # 1 hour (default)
Common values:
ValueDurationUse Case
3005 minutesQuick ad-hoc queries
180030 minutesStandard operations
36001 hourComplex procedures
72002 hoursLong approval chains

What Happens on Timeout

When a request times out:
  • Status changes to EXPIRED
  • User sees a timeout error
  • Command is not executed
  • User must resubmit the command

Notification Configuration

Slack Integration

To receive and approve requests in Slack:
  1. Configure the Slack integration
  2. Enable the slack plugin on your resource role:
hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h localhost -U postgres
  1. Approvers subscribe with /hoop subscribe in Slack
  2. Access requests appear as interactive messages with Approve/Reject buttons

Microsoft Teams Integration

To receive notifications in Teams:
  1. Configure the Teams integration
  2. Enable the webhooks plugin
  3. Notifications are sent to the configured Teams channel

Custom Webhooks

For custom integrations:
  1. Configure webhook endpoint in Integrations > Webhooks
  2. Receive POST requests for new access requests
  3. Call the API to approve/reject:
# Approve
curl -X PUT https://use.hoop.dev/api/reviews/{id}/approve \
  -H "Authorization: Bearer $HOOP_API_KEY"

# Reject
curl -X PUT https://use.hoop.dev/api/reviews/{id}/reject \
  -H "Authorization: Bearer $HOOP_API_KEY"

Common Configurations

Production Database - DBA Approval

Only DBAs can approve production database commands: 
hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h prod-db.internal -U app_user proddb

Sensitive Operations - Dual Approval

Require both DBA and Security approval: 
hoop admin create connection sensitive-system \
  --agent default \
  --reviewers 'dba-team,security-team' \
  --plugin slack \
  -- psql -h sensitive.internal -U admin

Read-Only with Approval

Approval for read access to sensitive data: 
hoop admin create connection pii-database \
  --agent default \
  --reviewers 'privacy-team' \
  --plugin slack \
  -- psql -h pii-db.internal -U readonly_user piidb

Monitoring Access Requests

Viewing Pending Requests

Web App:
  1. Go to Access Requests in the sidebar
  2. Filter by Status: Pending
  3. Click any request to see details
CLI: 
hoop admin get reviews --status pending

Access Request Analytics

Track approval patterns:
MetricHow to Find
Average approval timeAccess Requests > Export > Calculate
Approval rateCount approved vs rejected
Top requestersGroup by user
Common commandsGroup by command pattern

Audit Trail

Every access request is logged with:
  • Who requested
  • What command
  • Who approved/rejected
  • When each action occurred
  • Full command output (if approved)

Troubleshooting

Notifications Not Arriving

Check Slack:
  1. Slack app is installed correctly
  2. Resource role has slack plugin enabled
  3. Approver has run /hoop subscribe
  4. Notification channel is configured
Check Teams:
  1. Webhook URL is valid
  2. webhooks plugin is enabled
  3. Teams channel allows incoming webhooks

Requests Auto-Approved

Admin users auto-approve their own requests. This is expected behavior. To test the full workflow:
  • Use a non-admin test account
  • Or create a resource role where the admin is NOT in the approvers group

Request Times Out Too Quickly

Increase the timeout: 
# On the gateway
REVIEW_TIMEOUT_SEC=7200  # 2 hours
Restart the gateway after changing.

Can’t Find Pending Request

Check:
  1. Request hasn’t already expired
  2. You’re looking at the correct resource role
  3. Filter is set to show Pending status

Environment Variables

VariableDescriptionDefault
REVIEW_TIMEOUT_SECSeconds before request expires3600

Action Access Requests

Feature overview and use cases

JIT Access Requests

Configure time-based access

Slack Integration

Set up Slack notifications

Teams Integration

Set up Teams notifications