Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.hoop.dev/docs/llms.txt

Use this file to discover all available pages before exploring further.

Action Access Requests require approval for each command before it executes. This page covers detailed configuration options.
For an introduction to Action Access Requests, see Action Access Requests Overview.

Enabling Action Access Requests

Via Web App

1

Navigate to Connection

Go to Connections and select the connection you want to configure
2

Open Configuration

Click the Additional Configuration tab
3

Enable Access Requests

Toggle on Access Requests
4

Configure Approvers

Select which groups can approve commands:
  • Click Add Group
  • Select one or more groups
  • Groups members will receive approval notifications
5

Save

Click Save to apply the configuration

Via CLI

Enable Action Access Requests when creating a connection: 
hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team,security' \
  -- psql -h localhost -U postgres mydb
The --reviewers flag specifies which groups can approve commands. Add reviewers to an existing connection: 
hoop admin create connection prod-db \
  --overwrite \
  --reviewers 'dba-team,security'

Approval Group Configuration

Single Approver Group

When one group is configured, any member of that group can approve: 
--reviewers 'dba-team'
Behavior: Any member of dba-team can approve or reject.

Multiple Approver Groups

When multiple groups are configured, all groups must approve: 
--reviewers 'dba-team,security-team'
Behavior:
  • Request requires 1 approval from dba-team AND 1 approval from security-team
  • Either group can reject the request
  • Request stays pending until all groups approve

Exempt Groups

Admin users automatically approve their own requests. To test the full workflow, use a non-admin account.

Timeout Configuration

Set how long to wait for approval before the request expires.

Gateway Environment Variable

REVIEW_TIMEOUT_SEC=3600  # 1 hour (default)
Common values:
ValueDurationUse Case
3005 minutesQuick ad-hoc queries
180030 minutesStandard operations
36001 hourComplex procedures
72002 hoursLong approval chains

What Happens on Timeout

When a request times out:
  • Status changes to EXPIRED
  • User sees a timeout error
  • Command is not executed
  • User must resubmit the command

Notification Configuration

Slack Integration

To receive and approve requests in Slack:
  1. Configure the Slack integration
  2. Enable the slack plugin on your connection:
hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h localhost -U postgres
  1. Approvers subscribe with /hoop subscribe in Slack
  2. Access requests appear as interactive messages with Approve/Reject buttons

Microsoft Teams Integration

To receive notifications in Teams:
  1. Configure the Teams integration
  2. Enable the webhooks plugin
  3. Notifications are sent to the configured Teams channel

Custom Webhooks

For custom integrations:
  1. Configure webhook endpoint in Integrations > Webhooks
  2. Receive POST requests for new access requests
  3. Call the API to approve/reject:
# Approve
curl -X PUT https://use.hoop.dev/api/reviews/{id}/approve \
  -H "Authorization: Bearer $HOOP_API_KEY"

# Reject
curl -X PUT https://use.hoop.dev/api/reviews/{id}/reject \
  -H "Authorization: Bearer $HOOP_API_KEY"

Common Configurations

Production Database - DBA Approval

Only DBAs can approve production database commands: 
hoop admin create connection prod-db \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h prod-db.internal -U app_user proddb

Sensitive Operations - Dual Approval

Require both DBA and Security approval: 
hoop admin create connection sensitive-system \
  --agent default \
  --reviewers 'dba-team,security-team' \
  --plugin slack \
  -- psql -h sensitive.internal -U admin

Read-Only with Approval

Approval for read access to sensitive data: 
hoop admin create connection pii-database \
  --agent default \
  --reviewers 'privacy-team' \
  --plugin slack \
  -- psql -h pii-db.internal -U readonly_user piidb

Combining with Other Features

Action + Guardrails

Use both for defense in depth:
  • Guardrails: Automatically block obviously dangerous commands
  • Action: Require approval for everything else
Example: Guardrails block DROP TABLE, but DELETE still requires approval.

Action + Live Data Masking

Even approved queries show masked results:
  • Approver sees the command being run
  • User sees masked results after execution
  • PII is protected even from approved queries

Action + Access Control

Access Control determines visibility; Action adds approval:
Access ControlActionResult
Not allowedAnyConnection not visible
AllowedDisabledDirect execution
AllowedEnabledEach command needs approval

Monitoring Access Requests

Viewing Pending Requests

Web App:
  1. Go to Access Requests in the sidebar
  2. Filter by Status: Pending
  3. Click any request to see details
CLI: 
hoop admin get reviews --status pending

Access Request Analytics

Track approval patterns:
MetricHow to Find
Average approval timeAccess Requests > Export > Calculate
Approval rateCount approved vs rejected
Top requestersGroup by user
Common commandsGroup by command pattern

Audit Trail

Every access request is logged with:
  • Who requested
  • What command
  • Who approved/rejected
  • When each action occurred
  • Full command output (if approved)

Troubleshooting

Notifications Not Arriving

Check Slack:
  1. Slack app is installed correctly
  2. Connection has slack plugin enabled
  3. Approver has run /hoop subscribe
  4. Notification channel is configured
Check Teams:
  1. Webhook URL is valid
  2. webhooks plugin is enabled
  3. Teams channel allows incoming webhooks

Requests Auto-Approved

Admin users auto-approve their own requests. This is expected behavior. To test the full workflow:
  • Use a non-admin test account
  • Or create a connection where the admin is NOT in the approvers group

Request Times Out Too Quickly

Increase the timeout: 
# On the gateway
REVIEW_TIMEOUT_SEC=7200  # 2 hours
Restart the gateway after changing.

Can’t Find Pending Request

Check:
  1. Request hasn’t already expired
  2. You’re looking at the correct connection
  3. Filter is set to show Pending status

Environment Variables

VariableDescriptionDefault
REVIEW_TIMEOUT_SECSeconds before request expires3600

Action Access Requests

Feature overview and use cases

JIT Access Requests

Configure time-based access

Slack Integration

Set up Slack notifications

Teams Integration

Set up Teams notifications