{
"lesson": {
"id": "hu-201-access-controls",
"slug": "access-controls-walkthrough",
"title": "Access Controls in Hoop",
"subtitle": "Define group-based access to your infrastructure that syncs with your identity provider",
"summary": "A walkthrough of Hoop's access control model, showing how to create user groups, assign resources, and grant developers scoped access. Demonstrated from three perspectives: admin setup, developer experience, and admin audit review.",
"description_long": "In most engineering organizations, infrastructure access is all or nothing. Developers either see everything or teams manually manage credentials across disparate systems. This lesson shows how Hoop replaces that model with group-based access that integrates directly with your identity provider. You'll watch an admin create a platform engineering group, assign a Postgres RDS resource to it, add a developer to the group, and then see the developer query the database through the Hoop Web UI. The session closes with the admin reviewing the full audit trail of the developer's actions.",
"status": "draft",
"language": "en",
"version": "1.0.0",
"published_at": null,
"updated_at": "2026-05-07T00:00:00Z"
},
"video": {
"provider": null,
"video_id": null,
"url": null,
"embed_url": null,
"thumbnail_url": null,
"duration_seconds": null,
"duration_formatted": null,
"captions_url": null,
"captions_languages": ["en"]
},
"curriculum": {
"track": "platform-fundamentals",
"module": "access-governance",
"lesson_number": 1,
"level": "beginner",
"estimated_time_minutes": 6,
"prerequisites": [
"hu-101-getting-started"
],
"next_lesson_id": "hu-202-data-masking",
"previous_lesson_id": null,
"learning_objectives": [
"Create a user group in the Hoop admin interface and assign infrastructure resources to it",
"Add users to groups so they inherit access to assigned resources",
"Understand how Hoop hides all resources from users by default until access is explicitly granted",
"Run a query as a developer through the Hoop Web UI against a connected database",
"Review session activity as an admin, including who ran what query and when"
]
},
"audience": {
"primary_persona": "platform-engineer",
"secondary_personas": ["security-engineer", "compliance-officer", "engineering-manager"],
"use_cases": [
"group-based-access-control",
"identity-provider-integration",
"session-auditing",
"least-privilege-access"
],
"industries": ["fintech", "saas", "healthcare", "regulated-industries"]
},
"content": {
"key_concepts": [
{
"term": "Control plane",
"definition": "Hoop acts as a central control plane for everything interacting with your critical infrastructure, with all activity tracked and monitored."
},
{
"term": "User group",
"definition": "A collection of users that shares access to the same set of resources. Access is defined at the group level rather than per individual."
},
{
"term": "Resource",
"definition": "A connected piece of infrastructure such as a database, server, or cloud service that users can interact with through Hoop."
},
{
"term": "Default-deny model",
"definition": "All connections and resources are hidden from users by default unless an admin explicitly grants access through group membership."
},
{
"term": "Identity provider sync",
"definition": "In production environments, Hoop groups sync automatically with identity providers like Okta, Azure AD, or Auth0. Group membership arrives with the user's token and Hoop enforces access accordingly."
},
{
"term": "Session recording",
"definition": "Every action taken through Hoop is automatically recorded and made available in the sessions tab, including the resource accessed, the user, timestamps, the exact query run, and its results."
}
],
"topics": [
"access-control",
"user-groups",
"rbac",
"identity-provider",
"session-recording",
"audit-log",
"least-privilege"
],
"tags": ["beginner", "access-controls", "admin", "rbac", "okta", "azure-ad"],
"products_mentioned": ["hoop-control-plane", "hoop-web-ui", "hoop-sessions"],
"competitors_mentioned": [],
"external_references": []
},
"transcript": {
"full_text": "All right, so today we're going to do a walkthrough of Hoop. And before we get into the feature that we're focusing on highlighting today, what you see in front of you is a, just think of it as a controlled plane for all things that are interacting and touching your critical infrastructure. It'll be tracked and monitored. You can do all of that here. So today we're going to be focusing on access control. [Full transcript continues, see segments below for structured version]",
"word_count": 870,
"language": "en",
"auto_generated": true,
"edited": false,
"segments": [
{
"index": 0,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "All right, so today we're going to do a walkthrough of Hoop. What you see in front of you is a control plane for all things that are interacting and touching your critical infrastructure. It'll be tracked and monitored."
},
{
"index": 1,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Today we're going to be focusing on access control. In most engineering organizations, access to infrastructure is all or nothing. Either a developer can see everything, has full visibility, or you have to manually manage credentials and permissions across different systems. Neither of those options are great. Hoop steps in by letting you define exactly which users or groups can see and connect to which resources, and it integrates directly with your identity provider."
},
{
"index": 2,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "I'm going to show you this from three different perspectives: as the admin, then as the developer or non-admin, and then back as the admin reviewing everything that took place in the sessions tab."
},
{
"index": 3,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "This is the admin interface. Your developers will not be able to see this. We can configure and create user groups, assign resources to them, and then assign users to those user groups that will then have access to those resources. Resources are essentially databases, servers, cloud services, and so on."
},
{
"index": 4,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Let's go back to access controls and create a user group. I'll give this a name, Platform, and assign it the database. Hit save. That's it for assigning a resource to the group."
},
{
"index": 5,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Now we need to assign users to the group. We're going to focus on assigning one user, our guinea pig developer Teo. In a real environment, these groups would sync automatically with your identity provider. Whether you're using Okta, Azure AD, or Auth0, when a user logs in, their group membership comes in with their token and Hoop enforces access automatically."
},
{
"index": 6,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Let me show you what it looks like for a developer non-admin who has access to no resources. After logging in as Teo, what you see is extremely important. Teo has access to no resources in your organization. It says: contact your organization administrator to get access. If we click on resources, he can't access any resources. All connections or all resources are hidden from users by default unless we explicitly grant access."
},
{
"index": 7,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Now we'll grant Teo access to the platform engineering group. Back in the admin account, navigate to settings, users, find Teo, click edit, select the platform engineering group we created, make sure the status is active, and hit update. The group has already been assigned resources, so Teo inherits that access."
},
{
"index": 8,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Back in Teo's account, hit refresh, and the resource appears. Teo can now interact with the terminal and run a query. You can run queries in the Web UI or in your IDE. We'll demo the Web UI: select all users, press enter, and we successfully get a result back from the database. That's essentially what access control is."
},
{
"index": 9,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Lastly, as an admin we get full visibility into everything that took place during Teo's session. We can see the resource he interacted with, who it was, when it started and finished, the exact query he ran, and the results he got."
},
{
"index": 10,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Three things to remember. First, you define access at the group level, not the individual level. It scales with your organization and stays in sync with your identity provider automatically. Second, developers see only what they're supposed to see and nothing else. There's no friction and it's straight to the point. Third, every session is automatically recorded and auditable, giving your security and compliance teams the visibility they need without extra instrumentation."
},
{
"index": 11,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "In the next demo, I'll build on this and show you data masking, which adds an additional layer of protection on top of this access model."
}
]
},
"chapters": [
{
"title": "Introduction to the Hoop control plane",
"start_seconds": null,
"end_seconds": null,
"summary": "Framing Hoop as a control plane for infrastructure access and introducing the access controls focus of this lesson."
},
{
"title": "Why group-based access matters",
"start_seconds": null,
"end_seconds": null,
"summary": "The problem with all-or-nothing access in most engineering organizations and how Hoop solves it through identity-provider-integrated groups."
},
{
"title": "Admin perspective: creating a user group",
"start_seconds": null,
"end_seconds": null,
"summary": "Walkthrough of creating a Platform group in the admin interface and assigning a database resource to it."
},
{
"title": "Identity provider sync",
"start_seconds": null,
"end_seconds": null,
"summary": "How groups sync from Okta, Azure AD, or Auth0 in production environments via tokens at login."
},
{
"title": "Developer perspective: default-deny in action",
"start_seconds": null,
"end_seconds": null,
"summary": "Logging in as Teo to confirm zero resources are visible until access is granted."
},
{
"title": "Granting access through group membership",
"start_seconds": null,
"end_seconds": null,
"summary": "Adding Teo to the platform engineering group and watching the resource appear in his account."
},
{
"title": "Running a query as a developer",
"start_seconds": null,
"end_seconds": null,
"summary": "Executing a select all users query through the Hoop Web UI and viewing the results."
},
{
"title": "Admin audit review",
"start_seconds": null,
"end_seconds": null,
"summary": "Reviewing the session in the sessions tab: resource, user, timestamps, query, and results."
},
{
"title": "Recap and what's next",
"start_seconds": null,
"end_seconds": null,
"summary": "Three takeaways on group-level access, default-deny, and automatic session recording. Preview of the data masking lesson."
}
],
"code_snippets": [
{
"id": "snippet-1",
"title": "Query run by the developer in the Web UI",
"language": "sql",
"code": "SELECT * FROM users;",
"context": "Demonstrates a developer running a query against the Postgres RDS resource through the Hoop Web UI after being granted access via group membership.",
"appears_at_seconds": null
}
],
"resources": [
{
"type": "documentation",
"title": "Hoop access controls documentation",
"url": "https://hoop.dev/docs/access-controls"
},
{
"type": "documentation",
"title": "Identity provider integrations",
"url": "https://hoop.dev/docs/integrations/identity"
}
],
"quiz": {
"enabled": true,
"questions": [
{
"id": "q1",
"type": "single_choice",
"prompt": "By default, what does a new user in Hoop see when they log in?",
"options": [
"Every resource in the organization",
"Only resources tagged as public",
"No resources until an admin grants access through a group",
"Only databases, but not servers or cloud services"
],
"correct_index": 2,
"explanation": "Hoop uses a default-deny model. All connections and resources are hidden from users until access is explicitly granted via group membership."
},
{
"id": "q2",
"type": "single_choice",
"prompt": "Where should access be defined in Hoop for it to scale with your organization?",
"options": [
"At the individual user level for fine-grained control",
"At the resource level by tagging users",
"At the group level, synced with your identity provider",
"At the query level using row-based policies"
],
"correct_index": 2,
"explanation": "Defining access at the group level lets Hoop scale with your organization and stay in sync automatically with identity providers like Okta, Azure AD, or Auth0."
},
{
"id": "q3",
"type": "multi_choice",
"prompt": "What does Hoop capture in the sessions tab for an admin to review?",
"options": [
"The resource the user interacted with",
"The user's identity",
"Start and end timestamps of the session",
"The exact query and its results",
"The user's local IDE configuration"
],
"correct_indices": [0, 1, 2, 3],
"explanation": "Hoop records the resource, user, timestamps, query, and results for every session. Local IDE configuration is not captured."
}
]
},
"seo": {
"meta_title": "Access Controls in Hoop | Hoop University",
"meta_description": "Learn how to define group-based infrastructure access in Hoop, sync with your identity provider, and audit every session.",
"og_image": null,
"canonical_url": "https://hoop.dev/university/access-controls-walkthrough",
"keywords": [
"infrastructure access control",
"rbac",
"identity provider integration",
"session recording",
"least privilege",
"okta",
"azure ad"
]
},
"agent_metadata": {
"extracted_at": "2026-05-07T00:00:00Z",
"extraction_model": "claude-opus-4-7",
"extraction_version": "1.0.0",
"human_reviewed": false,
"reviewer": null,
"confidence_score": 0.88,
"extraction_notes": "Source transcript is auto-generated and lacks timestamps, so all start_seconds and end_seconds fields are null and should be backfilled when the video file is processed. Speaker labels in the source transcript appear inconsistent (Speaker 1 narrates throughout, then Speaker 2 begins one sentence at the end which appears to be a continuation by the same host based on context). All segments labeled 'Host' for now. Lesson order assumed to be the first in the access-governance module based on the host's framing and reference to a follow-up data masking lesson; verify against curriculum plan."
}
}
