Action Access Requests Configuration - Hoop.dev - Automated Access and Data Protection

Action Access Requests require approval for each command before it executes. This page covers detailed configuration options.

For an introduction to Action Access Requests, see Action Access Requests Overview.

Enabling Action Access Requests

Via Web App

Navigate to Connection

Go to Connections and select the connection you want to configure

Open Configuration

Click the Additional Configuration tab

Enable Access Requests

Toggle on Access Requests

Configure Approvers

Select which groups can approve commands:

Click Add Group
Select one or more groups
Groups members will receive approval notifications

Save

Click Save to apply the configuration

Via CLI

Enable Action Access Requests when creating a connection:

hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team,security' \
  -- psql -h localhost -U postgres mydb

The --reviewers flag specifies which groups can approve commands. Add reviewers to an existing connection:

hoop admin create connection prod-db \
  --overwrite \
  --reviewers 'dba-team,security'

Approval Group Configuration

Single Approver Group

When one group is configured, any member of that group can approve:

--reviewers 'dba-team'

Behavior: Any member of dba-team can approve or reject.

Multiple Approver Groups

When multiple groups are configured, all groups must approve:

--reviewers 'dba-team,security-team'

Behavior:

Request requires 1 approval from dba-team AND 1 approval from security-team
Either group can reject the request
Request stays pending until all groups approve

Exempt Groups

Admin users automatically approve their own requests. To test the full workflow, use a non-admin account.

Timeout Configuration

Set how long to wait for approval before the request expires.

Gateway Environment Variable

REVIEW_TIMEOUT_SEC=3600  # 1 hour (default)

Common values:

Value	Duration	Use Case
`300`	5 minutes	Quick ad-hoc queries
`1800`	30 minutes	Standard operations
`3600`	1 hour	Complex procedures
`7200`	2 hours	Long approval chains

What Happens on Timeout

When a request times out:

Status changes to EXPIRED
User sees a timeout error
Command is not executed
User must resubmit the command

Notification Configuration

Slack Integration

To receive and approve requests in Slack:

Configure the Slack integration
Enable the slack plugin on your connection:

hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h localhost -U postgres

Approvers subscribe with /hoop subscribe in Slack
Access requests appear as interactive messages with Approve/Reject buttons

Microsoft Teams Integration

To receive notifications in Teams:

Configure the Teams integration
Enable the webhooks plugin
Notifications are sent to the configured Teams channel

Custom Webhooks

For custom integrations:

Configure webhook endpoint in Integrations > Webhooks
Receive POST requests for new access requests
Call the API to approve/reject:

# Approve
curl -X PUT https://use.hoop.dev/api/reviews/{id}/approve \
  -H "Authorization: Bearer $HOOP_API_KEY"

# Reject
curl -X PUT https://use.hoop.dev/api/reviews/{id}/reject \
  -H "Authorization: Bearer $HOOP_API_KEY"

Common Configurations

Production Database - DBA Approval

Only DBAs can approve production database commands:

hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h prod-db.internal -U app_user proddb

Sensitive Operations - Dual Approval

Require both DBA and Security approval:

hoop admin create connection sensitive-system \
  --agent default \
  --reviewers 'dba-team,security-team' \
  --plugin slack \
  -- psql -h sensitive.internal -U admin

Read-Only with Approval

Approval for read access to sensitive data:

hoop admin create connection pii-database \
  --agent default \
  --reviewers 'privacy-team' \
  --plugin slack \
  -- psql -h pii-db.internal -U readonly_user piidb

Combining with Other Features

Action + Guardrails

Use both for defense in depth:

Guardrails: Automatically block obviously dangerous commands
Action: Require approval for everything else

Example: Guardrails block DROP TABLE, but DELETE still requires approval.

Action + Live Data Masking

Even approved queries show masked results:

Approver sees the command being run
User sees masked results after execution
PII is protected even from approved queries

Action + Access Control

Access Control determines visibility; Action adds approval:

Access Control	Action	Result
Not allowed	Any	Connection not visible
Allowed	Disabled	Direct execution
Allowed	Enabled	Each command needs approval

Monitoring Access Requests

Viewing Pending Requests

Web App:

Go to Access Requests in the sidebar
Filter by Status: Pending
Click any request to see details

CLI:

hoop admin get reviews --status pending

Access Request Analytics

Track approval patterns:

Metric	How to Find
Average approval time	Access Requests > Export > Calculate
Approval rate	Count approved vs rejected
Top requesters	Group by user
Common commands	Group by command pattern

Audit Trail

Every access request is logged with:

Who requested
What command
Who approved/rejected
When each action occurred
Full command output (if approved)

Troubleshooting

Notifications Not Arriving

Check Slack:

Slack app is installed correctly
Connection has slack plugin enabled
Approver has run /hoop subscribe
Notification channel is configured

Check Teams:

Webhook URL is valid
webhooks plugin is enabled
Teams channel allows incoming webhooks

Requests Auto-Approved

Admin users auto-approve their own requests. This is expected behavior. To test the full workflow:

Use a non-admin test account
Or create a connection where the admin is NOT in the approvers group

Request Times Out Too Quickly

Increase the timeout:

# On the gateway
REVIEW_TIMEOUT_SEC=7200  # 2 hours

Restart the gateway after changing.

Can’t Find Pending Request

Check:

Request hasn’t already expired
You’re looking at the correct connection
Filter is set to show Pending status

Environment Variables

Variable	Description	Default
`REVIEW_TIMEOUT_SEC`	Seconds before request expires	`3600`