Copyright © 2024

User Management


Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s Access for Infrastructure service.

First Time Users

BastionZero uses your SSO provider as the root of trust to authenticate users in your organization. The first time a user authenticates, BastionZero creates an associated username and a BastionZero UUID for that user. If no policies exist, that user has access to the ZLI clients but will be unable to use any of the features associated with BastionZero.

Deleting a User

An administrator can choose to delete a user from BastionZero. Doing so removes the association between the SSO user and the BastionZero UUID, which has the net effect of removing that SSO user from all policies and immediately closing any open connections. However, the user's associated events, such as command and connection logs, remain within BastionZero and stay accessible to administrators. If the same SSO user is subsequently added back to BastionZero, a new BastionZero UUID is created for them, so new policies need to be created for that same SSO user.

Account Security

In addition, an administrator can take actions on behalf of the user, such as requiring a reset of a user's BastionZero MFA or, optionally (and not recommended), disabling that user's MFA altogether. An administrator may also decide to close all of a user's existing connections. All administrative user actions can be found in our web app's Manage Users page.

As stated previously, BastionZero respects user authentication from your SSO provider, and as a result, BastionZero also adheres to its security posture. When a user is deactivated in your SSO provider, they are deactivated in BastionZero. This means they will fail the organization check by MrZAP. Any subsequent action attempted will expire with their security token.
