Configuring per-command approvals instead? See Action Access Requests Configuration.
Enabling JIT Access Requests
Via Web App
JIT Access Requests are configured as an Access Request rule of type Just-in-Time.1
Open Access Request
In the Web App sidebar, under Discover, click Access Request.
2
Create a new rule
Click Create new Access Request rule. If you don’t have any rules yet, you’re taken straight to the rule form.
3
Set rule information
Give the rule a Name and an optional Description.
4
Choose the access request type
Select the Access request type:
- Just-in-Time — temporary access that expires automatically after a defined time range.
- by Command — execution-based access with a per-command approval workflow.
5
Select resource roles
Under Resource configuration, choose the resource roles this rule applies to. Optionally, use Attribute configuration to scope the rule further.
6
Set user groups
- Required user groups — the groups that must request access under this rule.
- Approval user groups — the groups that can approve access for this rule.
7
Tune approval controls (optional)
- Require all groups approval — require approval from at least one member of each approval group.
- Approval amount — the minimum number of approvals required per session.
- Force approval groups — groups allowed to bypass the other approval rules.
8
Save
Click Save to create the rule.
Via CLI
You can also configure access requests when creating a resource role:--reviewers flag specifies which groups can approve access requests.
Requesting JIT Access
Users request time-based access using the--duration flag:
Duration Formats
Configuration Options
Maximum Access Duration
Limit how long users can request access. Configure in Manage > Resources > [resource role] > Settings.Multiple Approval Groups
When multiple groups are configured, all groups must approve before access is granted. Example: Configuredba-team and security-team as approvers:
- Request requires 1 approval from
dba-teamAND 1 approval fromsecurity-team - Either group can reject the request
Admin Auto-Approval
Admin users automatically approve their own requests. This is by design to ensure admins always have access. To test the full workflow, use a non-admin account.Integration with Slack
To receive and approve requests in Slack:- Configure the Slack integration
- Enable the
slackplugin on your resource role:
- Approvers subscribe with
/hoop subscribein Slack - Access requests appear as interactive messages
Troubleshooting
Request stuck in PENDING
Possible causes:- No active approvers — check that the approval groups have members available
- Multiple groups required — every configured approval group must approve
- Slack notifications not working — verify the Slack integration is configured
Admin users bypass approval
This is expected — admin users auto-approve their own requests. To test the full workflow, use a non-admin account.Access still works after the time limit
Possible causes:- Active session — a session actively in use may not terminate immediately
- Request not expired — check the request status in Access Request
Approval notification not appearing in Slack
Check:- The Slack app is installed correctly (setup guide)
- The resource role has the
slackplugin enabled - The approver has subscribed with
/hoop subscribe - The notification channel is configured in the Slack plugin settings
Environment Variables
These environment variables affect JIT Access Requests behavior on the gateway:Related
JIT Access Requests Overview
Learn how JIT Access Requests work and common use cases
Action Access Requests
Configure per-command approval workflows
Slack Integration
Set up Slack for access request notifications
Access Control
Configure who can access which resource roles