Configuring per-command approvals instead? See Action Access Requests Configuration.
Enabling JIT Access Requests
Via Web App
JIT Access Requests are configured as an Access Request rule of type Just-in-Time.Create a new rule
Click Create new Access Request rule. If you don’t have any rules yet, you’re taken straight to the rule form.
Choose the access request type
Select the Access request type:
- Just-in-Time — temporary access that expires automatically after a defined time range.
- by Command — execution-based access with a per-command approval workflow.
Select resource roles
Under Resource configuration, choose the resource roles this rule applies to. Optionally, use Attribute configuration to scope the rule further.
Set user groups
- Required user groups — the groups that must request access under this rule.
- Approval user groups — the groups that can approve access for this rule.
Tune approval controls (optional)
- Require all groups approval — require approval from at least one member of each approval group.
- Approval amount — the minimum number of approvals required per session.
- Force approval groups — groups allowed to bypass the other approval rules.
Via CLI
You can also configure access requests when creating a resource role:--reviewers flag specifies which groups can approve access requests.
Requesting JIT Access
Users request time-based access using the--duration flag:
Duration Formats
| Format | Duration |
|---|---|
10m | 10 minutes |
30m | 30 minutes |
1h | 1 hour |
2h | 2 hours |
8h | 8 hours |
24h | 24 hours |
Configuration Options
Maximum Access Duration
Limit how long users can request access. Configure in Manage > Resources > [resource role] > Settings.Multiple Approval Groups
When multiple groups are configured, all groups must approve before access is granted. Example: Configuredba-team and security-team as approvers:
- Request requires 1 approval from
dba-teamAND 1 approval fromsecurity-team - Either group can reject the request
Admin Auto-Approval
Admin users automatically approve their own requests. This is by design to ensure admins always have access. To test the full workflow, use a non-admin account.Integration with Slack
To receive and approve requests in Slack:- Configure the Slack integration
- Enable the
slackplugin on your resource role:
- Approvers subscribe with
/hoop subscribein Slack - Access requests appear as interactive messages
Troubleshooting
Request stuck in PENDING
Possible causes:- No active approvers — check that the approval groups have members available
- Multiple groups required — every configured approval group must approve
- Slack notifications not working — verify the Slack integration is configured
Admin users bypass approval
This is expected — admin users auto-approve their own requests. To test the full workflow, use a non-admin account.Access still works after the time limit
Possible causes:- Active session — a session actively in use may not terminate immediately
- Request not expired — check the request status in Access Request
Approval notification not appearing in Slack
Check:- The Slack app is installed correctly (setup guide)
- The resource role has the
slackplugin enabled - The approver has subscribed with
/hoop subscribe - The notification channel is configured in the Slack plugin settings
Environment Variables
These environment variables affect JIT Access Requests behavior on the gateway:| Variable | Description | Default |
|---|---|---|
REVIEW_TIMEOUT_SEC | How long to wait for approval before timing out | 3600 (1 hour) |
Related
JIT Access Requests Overview
Learn how JIT Access Requests work and common use cases
Action Access Requests
Configure per-command approval workflows
Slack Integration
Set up Slack for access request notifications
Access Control
Configure who can access which resource roles