Taxonomy
| Term | Definition |
|---|---|
Target | A machine we connect to. |
Environment | A group of targets that can be accessed simultaneously. Environments are uniquely named and each user requests explicit access to each environment via a policy attached to their account. |
Connection | A terminal to a target. You can have multiple connections (i.e., terminals) to a single target in a given space. |
Policy | A triplestore statement (subject, verb, object) where the subject is the user/group, the verb is the type of access allowed, and the object is the target/environment. |
Session recording | A video recording of a user or group shell session from the web app or |
| BastionZero's command line interface tool, also known as the zero-trust command line interface |
BastionZero web app | BastionZero's web UI for connecting to targets, monitoring logs and session recordings, authoring policies, managing users, creating environments. This can be found at |
Agent | Installed on targets to enable MrZAP and target autodiscovery. These agents are built from the BastionZero open-source agent. Two unique agents are built from the single open-source project, a docker container hosted on dockerhub and used for k8s targets and a systemD executable used for servers, VMs, and containers. |
Add a new target | When we input the configuration information for a target, for instance its IP address, SSH key, alias, etc. |
Added target | A target for which we have already stored the configuration information, for instance its IP address, SSH key, alias etc. |
Connect to a target | Open a terminal to a target. |
Find a target | When the end user wants to search through the saved targets in order to find a known target. |
Reconnect to a target | When a target that is already in a space has gone offline, and we want to see if the target is back online so that we can shell into that target. |
Lost connection | When a server goes offline while the terminal is open. |
Autodiscovered targets | Targets with the bz-agent installed. |
Provisioning ID | User/organization’s GUID in BastionZero system. |
Provisioning secret | Mechanism of linking autodiscovery target to account ID. |
Manual targets | Ones that are configured by hand/API. |
Command history | A collection of a user's previous commands. |
Connection event | An event log of some state change to the connection (see events below), includes metadata about the connection (space, target, user, time). |
Connection history | A collection of a user's previous connections (i.e., what targets they attached to). |
User event history | Actions taken by user (i.e., policy changes, targets added/removed, user invites). |
Connection event: opened | A connection has been initiated by the backend but no frontend connection has been made yet. |
Connection event: inactive | A connection has been opened by a user and left in a space with no other users reading/writing to it. |
Connection event: active | A connection is being viewed by a user. |
Connection event: disconnect | The backend connection has been dropped for some reason. The backend will attempt to reconnect. |
Connection event: connect | The backend has connected to the target or has reconnected within the same terminal. |
Connection event: closed | Final state. The connection has been terminated from the backend. |
Connection table | Table of all connections made and the current state they are in (it is a function of connection events). |
Allow (allowed) | When a policy check passes (i.e., Alice was allowed access to ENV via POLICY) |
Deny (denied) | When a policy check fails (i.e., Alice was denied access to ENV). Policy checks by default deny until a successful policy is found. |
Last updated