For an introduction to what the Provisioning hub does and how the plan/apply model works, see the Resource Provisioning overview.
Prerequisites
- Either create an account in our managed instance or deploy your own hoop.dev instance
- Have admin access to your hoop.dev instance
- At least one PostgreSQL Resource Role registered in Hoop
- Admin credentials (username + password) for each database you want to manage
- The agent serving those Resource Roles must be online
Step 1: Build the Inventory
Navigate to Provisioning in the left sidebar. The Resource Catalog opens on the Inventory tab.

Step 2: Configure Admin Accounts
After import, the Manage funnel counter shows how many resources still need admin credentials. Click Set up admin next to any resource (or select multiple and use the bulk action bar) to open the admin account editor.
postgres or another superuser) and the corresponding Password for each resource. You can also import credentials from a CSV if you’re configuring many resources at once.
Select the Agent that has network access to the databases — the dropdown shows all online agents. Click Apply changes to save. Hoop validates connectivity before storing the credentials.
Once every resource has credentials, the Manage counter drops to zero and the Provision counter shows the pending count.
Step 3: Provision Roles
Open the Provision tab. Resources that have admin credentials but no provisioned roles appear here.
Option A: Import from CSV
Click Import CSV to upload a role definition file. Each row defines one role:Option B: Provision roles individually
Click Provision roles next to a specific resource to open the role configuration wizard for that resource.Running the Plan
After configuring your roles, click Provision all (or select individual resources and click Provision roles). Hoop runs a dry-run plan — it connects to each Postgres cluster, inspects the live catalog state, and computes the exact SQL statements needed.
- The generated role name (e.g.
hoopdev_analytics_ro_6079a443) - The target scopes or inherited role
- A View session link to inspect the full plan output
- Plan ready status — meaning the plan computed successfully and is safe to apply
Role names follow the pattern
hoopdev_<resource>_<label>_<8-char-hash>. The hash is derived from the role configuration and keeps names unique and deterministic while staying within Postgres’ 63-byte identifier limit.Applying the Plan
Review the plan sessions to confirm the SQL looks correct. When satisfied, click Apply on individual roles or Apply N roles to apply all at once. Hoop executes the SQL against each Postgres cluster.

Audit Sessions
Every plan and apply step creates an administrative session that captures the full SQL output. Click View session on any role in the Provision view (or navigate to Sessions in the Provision tab) to inspect the raw output.
config — The role definition as submitted: type, target role name, scopes, privileges, and whether a password rotation was requested.
current_state — A snapshot of the live Postgres cluster at plan time. exists: false means the role does not yet exist. Each scope entry shows how many tables were found and whether the scope is out-of-sync/unprovisioned (needs work) or in-sync (already correct). The requires_migration: true flag tells Hoop the plan must be applied.
sql_plan — The exact SQL that will be executed on apply, organized per database. For a new managed role this includes CREATE ROLE with a randomly generated password, followed by GRANT CONNECT, GRANT USAGE ON SCHEMA, and GRANT SELECT ON ALL TABLES for each scope.
sql_plan_checksum — A SHA-256 digest of the plan. Hoop re-computes this checksum at apply time and rejects the apply if the live Postgres state has drifted since the plan was run, preventing stale plans from being applied.
Sessions are queryable in the Sessions page and are included in any connected SIEM or webhook export.
Managing via the CLI
All provisioning operations available in the Web App are also accessible from thehoop resources command group.
This makes it straightforward to automate provisioning from CI pipelines or scripts.
Health Check
Test connectivity to a resource before running a plan:status: ok on success. On failure the agent error is returned.
Plan
Compute a dry-run SQL diff for a single resource:current_state, sql_plan, and sql_plan_checksum). To save the result for a later apply, pipe it to a file with -o:
-f:
To inspect the output of an existing plan session:
Apply
Apply a plan using the SID returned byplan:
out-of-sync status are sent to Postgres — already-in-sync entries are skipped automatically):