> ## Documentation Index
> Fetch the complete documentation index at: https://hoopdev-docs-improve-idp-sso-pages.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Control Configuration

> Configure group-based access policies for your connections

<Frame>
  <img src="https://mintcdn.com/hoopdev-docs-improve-idp-sso-pages/quDT6RZSG6Ua5zfL/images/learn/features/access-control-app.png?fit=max&auto=format&n=quDT6RZSG6Ua5zfL&q=85&s=ee119619b5f4f1f4342e61d853870ba5" alt="Access Control Configuration" width="1690" height="882" data-path="images/learn/features/access-control-app.png" />
</Frame>

Access Control lets you restrict which users can see and access specific connections based on their group memberships. This page covers detailed configuration options.

<Note>
  For an introduction to Access Control concepts, see [Access Control Overview](/learn/features/access-control).
</Note>

***

## Enabling Access Control

<Warning>
  Enabling Access Control will immediately hide connections from users who don't have explicit access. Plan your group assignments before enabling.
</Warning>

### Step 1: Activate Access Control

<Steps>
  <Step title="Navigate to Access Control">
    Go to **Manage > Access Control** in the sidebar

    <Frame>
      <img src="https://mintcdn.com/hoopdev-docs-improve-idp-sso-pages/quDT6RZSG6Ua5zfL/images/learn/features/access-control-app.png?fit=max&auto=format&n=quDT6RZSG6Ua5zfL&q=85&s=ee119619b5f4f1f4342e61d853870ba5" alt="Access Control menu" width="1690" height="882" data-path="images/learn/features/access-control-app.png" />
    </Frame>
  </Step>

  <Step title="Review the Warning">
    Read the activation warning carefully. Understand that:

    * Users without group assignments will lose access
    * You'll need to configure each connection individually
    * Changes take effect immediately

    <Frame>
      <img src="https://mintcdn.com/hoopdev-docs-improve-idp-sso-pages/quDT6RZSG6Ua5zfL/images/learn/features/access-control-confirm.png?fit=max&auto=format&n=quDT6RZSG6Ua5zfL&q=85&s=37a33847ba6eddb7bd54cf8804609638" alt="Activation warning" width="1687" height="859" data-path="images/learn/features/access-control-confirm.png" />
    </Frame>
  </Step>

  <Step title="Click Activate">
    Click **Activate** to enable Access Control for your organization
  </Step>
</Steps>

### Step 2: Configure Connections

After activation, configure access for each connection:

<Steps>
  <Step title="Select a Connection">
    Find the connection in the list and click to configure

    <Frame>
      <img src="https://mintcdn.com/hoopdev-docs-improve-idp-sso-pages/quDT6RZSG6Ua5zfL/images/learn/features/access-control-activated.png?fit=max&auto=format&n=quDT6RZSG6Ua5zfL&q=85&s=4fd99515a19dd2df8b7a607e7d4b3f85" alt="Connection list" width="1695" height="882" data-path="images/learn/features/access-control-activated.png" />
    </Frame>
  </Step>

  <Step title="Enable Access Control">
    Toggle the Access Control switch for this connection
  </Step>

  <Step title="Add Allowed Groups">
    Select which groups can access this connection

    <Frame>
      <img src="https://mintcdn.com/hoopdev-docs-improve-idp-sso-pages/quDT6RZSG6Ua5zfL/images/learn/features/access-control-add-groups.png?fit=max&auto=format&n=quDT6RZSG6Ua5zfL&q=85&s=79c2582c221f85506715dcf0574ed514" alt="Add groups" width="1685" height="940" data-path="images/learn/features/access-control-add-groups.png" />
    </Frame>
  </Step>

  <Step title="Save">
    Click **Save** to apply the configuration
  </Step>
</Steps>

***

## Group Management

### Creating Groups

Groups can be created in two ways:

**Option A: Manual Creation (in Hoop)**

1. Go to **Manage > Users & Groups**
2. Click the **Groups** tab
3. Click **Create Group**
4. Enter a group name (e.g., `prod-access`, `analytics-team`)
5. Add users to the group

**Option B: Sync from Identity Provider**

Groups can be automatically synced when users log in:

1. Configure your IdP to include `groups` claim in the ID token
2. Users' groups are synced on each login
3. See [Identity Provider Configuration](/setup/configuration/idp/get-started)

### Built-in Groups

| Group     | Description    | Permissions                                 |
| --------- | -------------- | ------------------------------------------- |
| `admin`   | Administrators | Full access to all connections and settings |
| `auditor` | Audit access   | Read-only access to sessions and logs       |

<Note>
  Admin users bypass Access Control and can access all connections regardless of group configuration.
</Note>

### Group Naming Conventions

Recommended naming patterns:

| Pattern     | Example                               | Use Case                 |
| ----------- | ------------------------------------- | ------------------------ |
| Environment | `prod-access`, `staging-access`       | Environment-based access |
| Team        | `engineering`, `analytics`, `support` | Team-based access        |
| Role        | `dba`, `developer`, `viewer`          | Role-based access        |
| Combined    | `prod-dba`, `staging-dev`             | Specific combinations    |

***

## Permission Types

### Connection Visibility

When Access Control is enabled on a connection:

| User's Groups         | Connection Visibility                    |
| --------------------- | ---------------------------------------- |
| In allowed groups     | Connection is visible and accessible     |
| Not in allowed groups | Connection is hidden completely          |
| Admin group           | Always visible (bypasses Access Control) |

### Combining with Access Requests

Access Control and Access Requests work together:

| Access Control | Access Requests | Result                         |
| -------------- | --------------- | ------------------------------ |
| Allowed        | Not enabled     | Direct access                  |
| Allowed        | JIT enabled     | Must request time-based access |
| Allowed        | Action enabled  | Each command needs approval    |
| Not allowed    | Any             | Connection not visible         |

***

## Configuration Patterns

### Pattern 1: Environment-Based

Separate access by environment:

```
Connection: prod-database
  Allowed Groups: senior-engineers, dba

Connection: staging-database
  Allowed Groups: engineering, qa

Connection: dev-database
  Allowed Groups: engineering, contractors
```

### Pattern 2: Team-Based

Each team accesses their own resources:

```
Connection: payments-db
  Allowed Groups: payments-team

Connection: inventory-db
  Allowed Groups: inventory-team

Connection: analytics-warehouse
  Allowed Groups: analytics-team, data-science
```

### Pattern 3: Read/Write Separation

Create separate connections with different access levels:

```
Connection: prod-db-readonly
  Allowed Groups: engineering, analytics, support
  (Configured with read-only database user)

Connection: prod-db-readwrite
  Allowed Groups: dba, senior-engineers
  (Configured with read-write database user)
```

### Pattern 4: Contractor Access

Limited access for external contractors:

```
Connection: contractor-db
  Allowed Groups: contractors
  (Limited database, Live Data Masking enabled)
```

***

## Identity Provider Integration

### Syncing Groups from IdP

To automatically sync groups from your identity provider:

1. **Configure IdP to include groups claim:**

   In your IdP (Okta, Auth0, Azure AD, etc.), configure the OIDC application to include a `groups` claim in the ID token.

2. **Set environment variables on gateway:**

   ```bash theme={null}
   IDP_GROUPS_CLAIM=groups
   ```

   Or for custom claim names:

   ```bash theme={null}
   IDP_GROUPS_CLAIM=https://mycompany.com/groups
   ```

3. **Groups sync on login:**

   When users log in, their groups are automatically synced from the IdP.

### Provider-Specific Guides

<CardGroup cols={2}>
  <Card title="Okta" href="/setup/configuration/idp/okta">
    Configure Okta group sync
  </Card>

  <Card title="Auth0" href="/setup/configuration/idp/auth0">
    Configure Auth0 group sync
  </Card>

  <Card title="Azure AD" href="/setup/configuration/idp/azure">
    Configure Azure AD group sync
  </Card>

  <Card title="Google" href="/setup/configuration/idp/google">
    Configure Google Workspace groups
  </Card>
</CardGroup>

***

## Auditing Access

### Viewing User Permissions

To see what a user can access:

1. Go to **Manage > Users**
2. Click on a user
3. View their group memberships
4. Cross-reference with connection configurations

### Access Logs

All access attempts are logged:

1. Go to **Sessions**
2. Filter by user or connection
3. See successful connections and denied attempts

### Exporting Access Report

Generate a report of who can access what:

```bash theme={null}
hoop admin get connections -o json | \
  jq '.[] | {name, allowed_groups}'
```

***

## Troubleshooting

### User Can't See a Connection

**Checklist:**

1. **Is Access Control enabled on the connection?**
   * Go to connection settings
   * Check if Access Control toggle is on

2. **Is the user in an allowed group?**
   * Go to **Manage > Users**
   * Check user's group memberships
   * Verify groups match connection's allowed groups

3. **Has the user logged out and back in?**
   * Groups sync on login
   * Have user log out and log in again

4. **Is the IdP sending groups correctly?**
   * Check IdP configuration
   * Verify `groups` claim in ID token

**Debug steps:**

```bash theme={null}
# Check user's groups
hoop admin get user <email>

# Check connection's allowed groups
hoop admin get connection <name>
```

### User Sees Connection But Can't Connect

This is likely NOT an Access Control issue. Check:

1. **Access Requests:** Is JIT or Action approval required?
2. **Guardrails:** Are there blocking rules?
3. **Connection status:** Is the agent online?

### Groups Not Syncing from IdP

**Check:**

1. IdP is configured to include `groups` claim
2. `IDP_GROUPS_CLAIM` environment variable is set correctly
3. User has groups assigned in the IdP
4. Gateway was restarted after configuration

**Debug:**

* Decode the ID token to verify `groups` claim is present
* Check gateway logs for group sync errors

***

## Best Practices

<CardGroup cols={2}>
  <Card title="Start Restrictive" icon="lock">
    Begin with minimal access and expand as needed
  </Card>

  <Card title="Use Groups, Not Users" icon="users">
    Always assign access to groups, never individuals
  </Card>

  <Card title="Document Policies" icon="file-lines">
    Maintain a document of who should access what
  </Card>

  <Card title="Regular Reviews" icon="calendar-check">
    Audit access quarterly
  </Card>
</CardGroup>

### Before Enabling Access Control

1. [ ] Inventory all connections
2. [ ] Identify who needs access to each
3. [ ] Create groups in IdP or Hoop
4. [ ] Assign users to groups
5. [ ] Document the access policy
6. [ ] Test with a non-production connection first

### Quarterly Access Review

1. [ ] Export current access configuration
2. [ ] Review with team leads
3. [ ] Remove departed employees
4. [ ] Verify contractor access is time-limited
5. [ ] Update documentation

***

## Related

<CardGroup cols={2}>
  <Card title="Access Control Overview" icon="lock" href="/learn/features/access-control">
    Learn Access Control concepts
  </Card>

  <Card title="Identity Providers" icon="id-card" href="/setup/configuration/idp/get-started">
    Configure SSO and group sync
  </Card>

  <Card title="Access Requests" icon="clock" href="/learn/features/access-requests/jit">
    Add approval workflows
  </Card>

  <Card title="Managing Access" icon="users" href="/clients/webapp/managing-access">
    User and group management in Web App
  </Card>
</CardGroup>
