A machine we connect to.


A group of targets that can be accessed simultaneously. Environments are uniquely named and each user requests explicit access to each environment via a policy attached to their account.


A terminal to a target. You can have multiple connections (i.e., terminals) to a single target in a given space.


A triplestore statement (subject, verb, object) where the subject is the user/group, the verb is the type of access allowed, and the object is the target/environment.

Session recording

A video recording of a user or group shell session from the web app or zli.


BastionZero's command line interface tool, also known as the zero-trust command line interface.

BastionZero web app

BastionZero's web UI for connecting to targets, monitoring logs and session recordings, authoring policies, managing users, and creating environments. This can be found at


Installed on targets to enable MrZAP and target autodiscovery. These agents are built from the BastionZero open-source agent. Two unique agents are built from the single open-source project: a Docker container hosted on Docker Hub and used for k8s targets, and a systemd executable used for servers, VMs, and containers.

Add a new target

When we input the configuration information for a target, for instance its IP address, SSH key, alias, etc.

Added target

A target for which we have already stored the configuration information, for instance its IP address, SSH key, alias etc.

Connect to a target

Open a terminal to a target.

Find a target

When the end user wants to search through the saved targets in order to find a known target.

Reconnect to a target

When a target that is already in a space has gone offline, and we want to see if the target is back online so that we can shell into that target.

Lost connection

When a server goes offline while the terminal is open.

Autodiscovered targets

Targets with the bz-agent installed.

Provisioning ID

The user's or organization's GUID in the BastionZero system.

Provisioning secret

The mechanism for linking an autodiscovered target to an account ID.

Manual targets

Targets that are configured by hand or via the API.

Command history

A collection of a user's previous commands.

Connection event

An event log of some state change to the connection (see events below). It includes metadata about the connection (space, target, user, time).

Connection history

A collection of a user's previous connections (i.e., what targets they attached to).

User event history

Actions taken by a user (i.e., policy changes, targets added/removed, user invites).

Connection event: opened

A connection has been initiated by the backend but no frontend connection has been made yet.

Connection event: inactive

A connection has been opened by a user and left in a space with no other users reading/writing to it.

Connection event: active

A connection is being viewed by a user.

Connection event: disconnect

The backend connection has been dropped for some reason. The backend will attempt to reconnect.

Connection event: connect

The backend has connected to the target or has reconnected within the same terminal.

Connection event: closed

Final state. The connection has been terminated from the backend.

Connection table

Table of all connections made and the current state they are in (it is a function of connection events).

Allow (allowed)

When a policy check passes (e.g., Alice was allowed access to ENV via POLICY).

Deny (denied)

When a policy check fails (e.g., Alice was denied access to ENV). Policy checks deny by default until a successful policy is found.
