Platform Fundamentals · Lesson 03

Access Requests and Approval Workflows

Just-in-time access with Slack-native approvals and a complete audit trail

6 min·intermediate·Platform Engineer

intermediate
approvals
jit-access
slack
compliance
audit

Chapters

9 sections

01
Three roles, three acts
Lesson framing: admin configures the policy, engineer experiences the request, admin reviews the audit trail.
02
Configuring a by-command approval rule
Walkthrough of the access request rule: by-command enforcement, resource binding to a Postgres demo, scoped to the DBA team.
03
Approver groups and approval count
Setting who can approve and how many approvals are needed. Single approver for this demo, two for higher-stakes setups.
04
Force approval groups for break-glass
How SRE can bypass approval flows in urgent scenarios using force approval groups.
05
Connecting Slack
Why Slack integration matters: approvers get notified and act without leaving their workflow.
06
Engineer perspective: pending request
Engineer runs a command in the web terminal or native client and sees Hoop intercept it pending approval.
07
Slack approval in action
What the approver sees in Slack: requester, email, connection, command, group, and connection type. One-click approve.
08
Engineer executes after approval
Engineer refreshes, sees the approval, executes the command, and gets the data they need.
09
Audit trail and compliance evidence
Reviewing the sessions log as an admin. Locked record of requester, command, system, timing, and approver. Maps directly to SOC 2 and ISO 27001 evidence.

What you’ll learn

Outcomes and concepts.

Learning objectives

01Configure a per-command access request rule and bind it to a specific resource
02Scope approval rules to user groups and define how many approvers are required
03Use force approval groups to enable break-glass access for SRE scenarios
04Connect Slack so approvers can review and approve requests without leaving their workflow
05Read the session audit trail to identify the requester, command, resource, timing, and approver
06Map Hoop's audit records to SOC 2 and ISO 27001 evidence collection requirements

Key concepts

Access request rule

A policy that requires explicit approval before commands run against a protected resource. Rules can be scoped per command, bound to specific resources, and limited to specific user groups.

By command approval

An enforcement mode where every individual command executed against a resource requires its own approval before it runs. Prevents unilateral access to production.

Resource binding

An access request rule only enforces on the resources explicitly attached to it. This is what scopes the policy to the systems that need protection.

Approval user groups

The groups whose members can approve incoming requests. Combined with an approval count to require single or multi-party approval.

Force approval groups

A break-glass mechanism that lets specific groups, typically SRE, bypass the standard approval flow during urgent scenarios.

Slack approval flow

Approvers receive request notifications directly in Slack with the requester's name, email, target connection, exact command, and group membership. One-click approve or deny without leaving Slack.

Audit trail

A locked record of every step in the request: who requested access, what command they ran, which system, when it happened, and who approved it. Designed as evidence for SOC 2 and ISO 27001 audits.

Watch this lesson

Access Requests and Approval Workflows

Outcomes and concepts.

4 questions. No score, no clock.

You finished the lesson.