Using the BastionZero app for Slack

The guide below will show you how to set up and use the BastionZero app for Slack to request, approve, and monitor just-in-time (JIT) access for your organization.

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s Access for Infrastructure service.

Looking for something specific? Here are the topics covered below:

Setting up just-in-time with BastionZero app for Slack

To enable just-in-time with your BastionZero organization, ensure you are both a BastionZero administrator and an administrator in the Slack workspace where you'd like to install the BastionZero app.

Enable the Slack integration from cloud.bastionzero.com. Log in to the web app and navigate to the integrations page by following the settings gear in the top righthand corner -> platform settings -> app integrations. Select the "Slack" tab and click "Integrate with Slack."
Authorize the BastionZero app via Slack. Once you click "Integrate with Slack," you will be redirected to the Slack OAuth page. It will detail the permissions needed by the BastionZero app. Before proceeding, make sure that the upper righthand corner displays the Slack workspace you wish to install the BastionZero app in.
It is critical that you are an administrator in the Slack workspace you are installing the BastionZero app in and that you use the same SSO organization for both your Slack workspace and BastionZero. Otherwise, this integration will not succeed.
Add BastionZero to your Slack workspace. From your Slack workspace, navigate to "Apps." This could be from the top menu bar: Go -> Apps or at the bottom of your navigation menu on the lefthand side of your Slack window. Search for and select BastionZero to add it to your workspace.
Congratulations! Your organization can now manage just-in-time access through Slack!

Up next: If you don't have any JIT policies set up yet, continue reading here to learn more about how to create and manage your just-in-time policies.

Requesting just-in-time access

To request JIT access, try `/bz-list-targets` from any window in your Slack workspace

When you use this command, BastionZero will return all the targets available to you for just-in-time access.

To request access to a specific target, click the "Request Access" button to the right of the target name. Next, complete the form with the target user (and if needed for Kubernetes clusters, the target group), the policy action, and the request reason for why you need access to the target. Note that request reason is required.

Once you've filled in the details, click "Request."

If the JIT policy governing that target allows automatic approval, you will see a message from BastionZero confirming your access immediately. If the target requires explicit approval from a BastionZero admin, you'll get a notification from BastionZero when your request is approved.

For additional guidance within the BastionZero app, try /bz-list-targets help

If you require additional access to the target beyond what your initial JIT request allows, you must wait until the initial request expires. Only then will you be able to submit another access request.

Connecting to your just-in-time target

Once you've received approval to access your just-in-time target, it becomes like any other target in BastionZero. Use the zli to connect to your target. For help, see our guide to connecting to your targets.

Granting just-in-time access

For BastionZero administrators who are on the approving end of a just-in-time request, the experience with the BastionZero app will look slightly different.

When a user requests access to a target, you'll receive a notification from the BastionZero app. This notification will be sent to all BastionZero administrators.

Any access request, whether accepted or denied, will be logged in the bzero-jit-log channel.

A full audit trail of just-in-time access decisions is available in the private bzero-jit-log channel that is created when BastionZero is installed to your Slack workspace. This channel automatically adds all BastionZero administrators in your organization. It is at the admins' discretion whether or not to include additional members.

Uninstalling the BastionZero app for Slack

Disable the Slack integration from cloud.bastionzero.com. Log in to the web app and navigate to the integrations page by following the settings gear in the top righthand corner -> platform settings -> app integrations. Select the "Slack" tab and click "Remove Integration."
Remove the BastionZero app from your Slack workspace. Select the BastionZero app from your Slack workspace. Go to "About" -> "Configuration." This will take you to the BastionZero Slack app's webpage. Scroll to the bottom of the page and click "Remove App" to remove the BastionZero app from your workspace.

We're sorry to see you go! If you're willing to share why you chose not to use our app for Slack, please reach out to product@bastionzero.com.

Good to knows

For convenience, we've brought together the few "good to knows" from the BastionZero app for Slack and the just-in-time feature documentation.

To author just-in-time policy, you must first enable the BastionZero app for Slack from Settings -> App Integrations -> Slack.
If you require additional access to the target beyond your initial JIT request, you must wait until the initial request's time expires. Only then will you be able to submit another access request.
A full audit trail of just-in-time access decisions is available in the private bzero-jit-log channel that is created when BastionZero is installed to your Slack workspace. This channel automatically adds all BastionZero administrators in your organization. It is at the admins' discretion whether or not to include additional members.