{
"lesson": {
"id": "hu-203-access-requests",
"slug": "access-requests-and-approvals",
"title": "Access Requests and Approval Workflows",
"subtitle": "Just-in-time access with Slack-native approvals and a complete audit trail",
"summary": "An end-to-end walkthrough of Hoop's access request feature in three acts: an admin configures the approval policy, an engineer requests access and waits for approval, and the admin reviews the audit trail. Includes Slack integration for one-click approvals without leaving your workflow.",
"description_long": "Production access without unilateral commands. This lesson walks through Hoop's access request feature from three perspectives. As an admin, you'll configure a per-command approval rule, bind it to a Postgres resource, scope it to a DBA team, and set up Slack notifications for approvers. As an engineer, you'll see the experience of running a command and watching it pause for approval. As a compliance reviewer, you'll inspect the session audit trail that captures who requested access, what command they ran, which system, when it happened, and who approved it. Designed to show how Hoop converts manual evidence collection for SOC 2 and ISO 27001 into automatic record-keeping.",
"status": "draft",
"language": "en",
"version": "1.0.0",
"published_at": null,
"updated_at": "2026-05-08T00:00:00Z"
},
"video": {
"provider": null,
"video_id": null,
"url": null,
"embed_url": null,
"thumbnail_url": null,
"duration_seconds": null,
"duration_formatted": null,
"captions_url": null,
"captions_languages": ["en"]
},
"curriculum": {
"track": "platform-fundamentals",
"module": "access-governance",
"lesson_number": 3,
"level": "intermediate",
"estimated_time_minutes": 6,
"prerequisites": [
"hu-201-access-controls",
"hu-202-data-masking"
],
"next_lesson_id": null,
"previous_lesson_id": "hu-202-data-masking",
"learning_objectives": [
"Configure a per-command access request rule and bind it to a specific resource",
"Scope approval rules to user groups and define how many approvers are required",
"Use force approval groups to enable break-glass access for SRE scenarios",
"Connect Slack so approvers can review and approve requests without leaving their workflow",
"Read the session audit trail to identify the requester, command, resource, timing, and approver",
"Map Hoop's audit records to SOC 2 and ISO 27001 evidence collection requirements"
]
},
"audience": {
"primary_persona": "platform-engineer",
"secondary_personas": ["security-engineer", "compliance-officer", "sre", "engineering-manager"],
"use_cases": [
"just-in-time-access",
"approval-workflows",
"production-database-access",
"break-glass-access",
"audit-evidence-collection",
"soc2-compliance",
"iso27001-compliance"
],
"industries": ["fintech", "saas", "healthcare", "regulated-industries"]
},
"content": {
"key_concepts": [
{
"term": "Access request rule",
"definition": "A policy that requires explicit approval before commands run against a protected resource. Rules can be scoped per command, bound to specific resources, and limited to specific user groups."
},
{
"term": "By command approval",
"definition": "An enforcement mode where every individual command executed against a resource requires its own approval before it runs. Prevents unilateral access to production."
},
{
"term": "Resource binding",
"definition": "An access request rule only enforces on the resources explicitly attached to it. This is what scopes the policy to the systems that need protection."
},
{
"term": "Approval user groups",
"definition": "The groups whose members can approve incoming requests. Combined with an approval count to require single or multi-party approval."
},
{
"term": "Force approval groups",
"definition": "A break-glass mechanism that lets specific groups, typically SRE, bypass the standard approval flow during urgent scenarios."
},
{
"term": "Slack approval flow",
"definition": "Approvers receive request notifications directly in Slack with the requester's name, email, target connection, exact command, and group membership. One-click approve or deny without leaving Slack."
},
{
"term": "Audit trail",
"definition": "A locked record of every step in the request: who requested access, what command they ran, which system, when it happened, and who approved it. Designed as evidence for SOC 2 and ISO 27001 audits."
}
],
"topics": [
"access-requests",
"approval-workflows",
"just-in-time-access",
"slack-integration",
"break-glass",
"audit-trail",
"compliance",
"soc2",
"iso27001"
],
"tags": ["intermediate", "approvals", "jit-access", "slack", "compliance", "audit"],
"products_mentioned": ["hoop-access-requests", "hoop-web-ui", "hoop-sessions", "hoop-slack-integration"],
"competitors_mentioned": [],
"external_references": [
{
"title": "SOC 2 compliance",
"url": null
},
{
"title": "ISO 27001",
"url": null
}
]
},
"transcript": {
"full_text": "All right, I'm going to walk through Hoop's access requests feature end to end. There are going to be three roles, three acts. First I'll configure the policy as an admin. Then we'll see what the engineer experiences when they request access. And finally, I'll show the audit trail after approval. [Full transcript continues, see segments below for structured version]",
"word_count": 750,
"language": "en",
"auto_generated": true,
"edited": false,
"segments": [
{
"index": 0,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "I'm going to walk through Hoop's access requests feature end to end. Three roles, three acts. First I'll configure the policy as an admin. Then we'll see what the engineer experiences when they request access. Finally, I'll show the audit trail after approval."
},
{
"index": 1,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "I've already created an access request rule. Let me show you what's configured and why each piece matters. I've set this to by command, meaning every command executed against this resource requires approval before it runs. No one touches production unilaterally, which is a governance story we hear time to time."
},
{
"index": 2,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Resource rules: it's bound to our Postgres demo resource. This is the critical link. The rule only enforces on resources explicitly attached here and no other."
},
{
"index": 3,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "User groups: I've selected this to be only for the DBA team, just for this demo. Approval user groups: I've set it to myself so I can approve. The approval amount will be set to 1. If your setup is different and you need two approvals, you can click 2. We'll leave it at 1."
},
{
"index": 4,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Before I hit save, force approval groups are for break-glass scenarios. Your SRE will be able to bypass this approval for specific scenarios. Let's hit save. It's already saved, but you would hit save."
},
{
"index": 5,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "What's really important is we're going to make sure Slack is connected. When a request comes in, the approver gets notified directly in Slack. They can either approve or deny without leaving their workflow, which is actually very convenient."
},
{
"index": 6,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Switching to the engineer's perspective. Go to resources, and you can see the resources this engineer has access to as part of the DBA team: the Postgres demo and the MySQL RDS resource. The engineer's experience doesn't change. They open the resource they need, go to the web terminal, and run their command exactly as they normally would. You can do this in your native client and it works the same way."
},
{
"index": 7,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Let's run a command and watch what happens. Instead of executing immediately, we see this message. Hoop is intercepting the command. The engineer sees that this needs approval, with the request marked pending. The ball is now in the approver's court."
},
{
"index": 8,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Switching to Slack. The notification clearly shows the name of the individual making this request, their email, the connection they're trying to query, the exact script they're executing, the group they're a part of, and the type of connection. In a normal situation you would get a notification if you've configured that, or you can configure this specific channel to surface notifications. Because I'm recording my screen, the notification doesn't pop up automatically."
},
{
"index": 9,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "It's a one-click approval. Click approve. The session is ready to be executed and it gives you the time."
},
{
"index": 10,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Switching back to the engineer. Hit refresh. The request has been approved. We can now execute the command. The command runs and the developer takes the data they need from the request. That's the Slack flow. Worth noting: if an approver prefers to review in the Hoop UI and approve directly from there, they can do that as well."
},
{
"index": 11,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "Back to the admin account. Go to the sessions log to review what happened. This is the audit trail. This is what your compliance team actually cares about. Every single step was recorded: who requested access, what command they ran, which system, when it happened, and who approved it."
},
{
"index": 12,
"start_seconds": null,
"end_seconds": null,
"speaker": "Host",
"text": "This isn't just access control, it's an evidence trail for your auditor. The approval itself is locked: not just that it was approved, but by whom and at what time. If you're going through SOC 2 or ISO 27001, this is the kind of record that turns a manual evidence collection process into something automatic."
}
]
},
"chapters": [
{
"title": "Three roles, three acts",
"start_seconds": null,
"end_seconds": null,
"summary": "Lesson framing: admin configures the policy, engineer experiences the request, admin reviews the audit trail."
},
{
"title": "Configuring a by-command approval rule",
"start_seconds": null,
"end_seconds": null,
"summary": "Walkthrough of the access request rule: by-command enforcement, resource binding to a Postgres demo, scoped to the DBA team."
},
{
"title": "Approver groups and approval count",
"start_seconds": null,
"end_seconds": null,
"summary": "Setting who can approve and how many approvals are needed. Single approver for this demo, two for higher-stakes setups."
},
{
"title": "Force approval groups for break-glass",
"start_seconds": null,
"end_seconds": null,
"summary": "How SRE can bypass approval flows in urgent scenarios using force approval groups."
},
{
"title": "Connecting Slack",
"start_seconds": null,
"end_seconds": null,
"summary": "Why Slack integration matters: approvers get notified and act without leaving their workflow."
},
{
"title": "Engineer perspective: pending request",
"start_seconds": null,
"end_seconds": null,
"summary": "Engineer runs a command in the web terminal or native client and sees Hoop intercept it pending approval."
},
{
"title": "Slack approval in action",
"start_seconds": null,
"end_seconds": null,
"summary": "What the approver sees in Slack: requester, email, connection, command, group, and connection type. One-click approve."
},
{
"title": "Engineer executes after approval",
"start_seconds": null,
"end_seconds": null,
"summary": "Engineer refreshes, sees the approval, executes the command, and gets the data they need."
},
{
"title": "Audit trail and compliance evidence",
"start_seconds": null,
"end_seconds": null,
"summary": "Reviewing the sessions log as an admin. Locked record of requester, command, system, timing, and approver. Maps directly to SOC 2 and ISO 27001 evidence."
}
],
"code_snippets": [],
"resources": [
{
"type": "documentation",
"title": "Access requests configuration",
"url": "https://hoop.dev/docs/access-requests"
},
{
"type": "documentation",
"title": "Slack integration setup",
"url": "https://hoop.dev/docs/integrations/slack"
},
{
"type": "documentation",
"title": "Session audit trail",
"url": "https://hoop.dev/docs/sessions"
}
],
"quiz": {
"enabled": true,
"questions": [
{
"id": "q1",
"type": "single_choice",
"prompt": "What does the by-command enforcement mode do?",
"options": [
"Approves all commands from a user once they've been approved for a session",
"Requires approval for every individual command executed against the resource",
"Approves commands automatically based on a regex allowlist",
"Approves only data-modifying commands and skips reads"
],
"correct_index": 1,
"explanation": "By-command means every command executed against the protected resource requires its own approval before running, preventing unilateral production access."
},
{
"id": "q2",
"type": "single_choice",
"prompt": "What are force approval groups used for?",
"options": [
"To require additional approvers for sensitive resources",
"To force users to approve their own requests",
"To allow specific groups, like SRE, to bypass the standard approval flow during break-glass scenarios",
"To force approvals to expire after a fixed time window"
],
"correct_index": 2,
"explanation": "Force approval groups are a break-glass mechanism that lets designated groups bypass the normal approval flow during urgent scenarios."
},
{
"id": "q3",
"type": "multi_choice",
"prompt": "Which details does an approver see in the Slack request notification?",
"options": [
"Requester name and email",
"The exact script being executed",
"The connection and connection type",
"The requester's group membership",
"The requester's IDE configuration"
],
"correct_indices": [0, 1, 2, 3],
"explanation": "Slack shows the requester's name, email, target connection, exact script, group, and connection type. IDE configuration is not part of the notification."
},
{
"id": "q4",
"type": "single_choice",
"prompt": "Why does the host emphasize the audit trail for SOC 2 and ISO 27001?",
"options": [
"Because auditors require live access to the production system",
"Because the trail turns a manual evidence collection process into something automatic",
"Because compliance frameworks require all approvals to happen in Slack",
"Because the audit trail replaces the need for an external auditor"
],
"correct_index": 1,
"explanation": "The locked record of who requested, what command, which system, when, and who approved converts manual evidence gathering into automatic record-keeping for auditors."
}
]
},
"seo": {
"meta_title": "Access Requests and Approval Workflows in Hoop | Hoop University",
"meta_description": "Configure per-command approval policies, approve requests in Slack with one click, and turn every session into automatic SOC 2 and ISO 27001 evidence.",
"og_image": null,
"canonical_url": "https://hoop.dev/university/access-requests-and-approvals",
"keywords": [
"access requests",
"approval workflow",
"just-in-time access",
"slack approvals",
"break glass access",
"audit trail",
"soc 2 evidence",
"iso 27001 evidence"
]
},
"agent_metadata": {
"extracted_at": "2026-05-08T00:00:00Z",
"extraction_model": "claude-opus-4-7",
"extraction_version": "1.0.0",
"human_reviewed": false,
"reviewer": null,
"confidence_score": 0.9,
"extraction_notes": "Source transcript is auto-generated and lacks timestamps and a clear speaker label, so all timing fields are null and segments are labeled 'Host'. The transcript ends mid-sentence ('And so now,') suggesting it may be truncated; verify against the full recording. Curriculum slot assumed as lesson 3 in access-governance after access controls and data masking, since the host treats group-based access and Slack/identity context as already familiar. No code snippets were extracted because the host references a query but never shows the literal SQL. External references for SOC 2 and ISO 27001 were left without URLs since the host doesn't link to specific authorities; backfill as needed."
}
}
