Using the BastionZero app for Slack
The guide below will show you how to set up and use the BastionZero app for Slack to request, approve, and monitor just-in-time (JIT) access for your organization.
Looking for something specific? Here are the topics covered below:
To enable just-in-time with your BastionZero organization, ensure you are both a BastionZero administrator and an administrator in the Slack workspace where you'd like to install the BastionZero app.
- 1.Enable the Slack integration from cloud.bastionzero.com. Log in to the web app and navigate to the integrations page by following the settings gear in the top righthand corner -> platform settings -> app integrations. Select the "Slack" tab and click "Integrate with Slack."
- 2.Authorize the BastionZero app via Slack. Once you click "Integrate with Slack," you will be redirected to the Slack OAuth page. It will detail the permissions needed by the BastionZero app. Before proceeding, make sure that the upper righthand corner displays the Slack workspace you wish to install the BastionZero app in.It is critical that you are an administrator in the Slack workspace you are installing the BastionZero app in and that you use the same SSO organization for both your Slack workspace and BastionZero. Otherwise, this integration will not succeed.
- 3.Add BastionZero to your Slack workspace. From your Slack workspace, navigate to "Apps." This could be from the top menu bar: Go -> Apps or at the bottom of your navigation menu on the lefthand side of your Slack window. Search for and select BastionZero to add it to your workspace.
- 4.Congratulations! Your organization can now manage just-in-time access through Slack!
Up next: If you don't have any JIT policies set up yet, continue reading here to learn more about how to create and manage your just-in-time policies.
When you use this command, BastionZero will return all the targets available to you for just-in-time access.
Example output from using
bz-list-targetsTo request access to a specific target, click the "Request Access" button to the right of the target name. Next, complete the form with the
target user (and if needed for Kubernetes clusters, the target group), the policy action, and the request reason for why you need access to the target. Note that request reason is required.
Example of a just-in-time request to the
bzero-clusterOnce you've filled in the details, click "Request."
Example of a submitted just-in-time request
If the JIT policy governing that target allows automatic approval, you will see a message from BastionZero confirming your access immediately. If the target requires explicit approval from a BastionZero admin, you'll get a notification from BastionZero when your request is approved.
Example of a just-in-time request decision
For additional guidance within the BastionZero app, try
/bz-list-targets helpIf you require additional access to the target beyond what your initial JIT request allows, you must wait until the initial request expires. Only then will you be able to submit another access request.
Once you've received approval to access your just-in-time target, it becomes like any other target in BastionZero. Use the
zli to connect to your target. For help, see our guide to connecting to your targets. For BastionZero administrators who are on the approving end of a just-in-time request, the experience with the BastionZero app will look slightly different.
When a user requests access to a target, you'll receive a notification from the BastionZero app. This notification will be sent to all BastionZero administrators.
An example of what a just-in-time access request looks like from the administrator's perspective
Any access request, whether accepted or denied, will be logged in the
bzero-jit-log channel.A full audit trail of just-in-time access decisions is available in the private
bzero-jit-log channel that is created when BastionZero is installed to your Slack workspace. This channel automatically adds all BastionZero administrators in your organization. It is at the admins' discretion whether or not to include additional members.
Example entries from the BastionZero JIT audit log
- 1.Disable the Slack integration from cloud.bastionzero.com. Log in to the web app and navigate to the integrations page by following the settings gear in the top righthand corner -> platform settings -> app integrations. Select the "Slack" tab and click "Remove Integration."
- 2.Remove the BastionZero app from your Slack workspace. Select the BastionZero app from your Slack workspace. Go to "About" -> "Configuration." This will take you to the BastionZero Slack app's webpage. Scroll to the bottom of the page and click "Remove App" to remove the BastionZero app from your workspace.
We're sorry to see you go! If you're willing to share why you chose not to use our app for Slack, please reach out to [email protected].
For convenience, we've brought together the few "good to knows" from the BastionZero app for Slack and the just-in-time feature documentation.
- 1.To author just-in-time policy, you must first enable the BastionZero app for Slack from Settings -> App Integrations -> Slack.
- 2.If you require additional access to the target beyond your initial JIT request, you must wait until the initial request's time expires. Only then will you be able to submit another access request.
- 3.A full audit trail of just-in-time access decisions is available in the private
bzero-jit-logchannel that is created when BastionZero is installed to your Slack workspace. This channel automatically adds all BastionZero administrators in your organization. It is at the admins' discretion whether or not to include additional members.