BastionZero uses your SSO provider as the root-of-trust to authenticate users in your organization. The first time a user authenticates, an associated username is created within BastionZero with a BastionZero UUID for that user. If no policies exist, that user has access to the
zliclients but will be unable to use any of the features associated with BastionZero.
An administrator can choose to delete a user from BastionZero. In doing so, the administrator is removing the association between the SSO user and the BastionZero UUID. That has the net effect of removing that SSO user from all policies and immediately closing any open connections. However, their associated events, like command and connection logs, will remain within BastionZero and be accessible to the administrators. If the same SSO user is subsequently added back to BastionZero, that will create a new BastionZero-associated UUID and thus, new policies would need to be created for that same SSO user.
In addition, an administrator can take actions on behalf of the user, such as requiring a reset of a user's BastionZero MFA or optionally (and not recommended) disabling that user's MFA all together. An administrator may decide to close all existing user's connections. All administrative user actions can be found in our web app's Manage Users page.
As stated previously, BastionZero respects user authentication from your SSO provider, and as a result, BastionZero also adheres to its security posture. When a user is deactivated from your SSO provider, they are deactivated from BastionZero. This means they will fail the organization check by MrZAP. Any subsequent action attempted will expire with their security token.