A group of targets that can be accessed simultaneously. Environments are uniquely named and each user requests explicit access to each environment via a policy attached to their account.
A terminal to a target. You can have multiple connections (i.e., terminals) to a single target in a given space.
A triplestore statement (subject, verb, object) where the subject is the user/group, the verb is the type of access allowed, and the object is the target/environment.
A video recording of a user or group shell session from the web app or
BastionZero's command line interface tool, also known as the zero-trust command line interface
BastionZero's web UI for connecting to targets, monitoring logs and session recordings, authoring policies, managing users, creating environments. This can be found at
Installed on targets to enable MrZAP and target autodiscovery. These agents are built from the BastionZero open-source agent. Two unique agents are built from the single open-source project, a docker container hosted on dockerhub and used for k8s targets and a systemD executable used for servers, VMs, and containers.
When we input the configuration information for a target, for instance its IP address, SSH key, alias, etc.
A target for which we have already stored the configuration information, for instance its IP address, SSH key, alias etc.
Open a terminal to a target.
When the end user wants to search through the saved targets in order to find a known target.
When a target that is already in a space has gone offline, and we want to see if the target is back online so that we can shell into that target.
When a server goes offline while the terminal is open.
Targets with the bz-agent installed.
User/organization’s GUID in BastionZero system.
Mechanism of linking autodiscovery target to account ID.
Ones that are configured by hand/API.
A collection of a user's previous commands.
An event log of some state change to the connection (see events below), includes metadata about the connection (space, target, user, time).
A collection of a user's previous connections (i.e., what targets they attached to).
Actions taken by user (i.e., policy changes, targets added/removed, user invites).
A connection has been initiated by the backend but no frontend connection has been made yet.
Connection event: inactive
A connection has been opened by a user and left in a space with no other users reading/writing to it.
A connection is being viewed by a user.
Connection event: disconnect
The backend connection has been dropped for some reason. The backend will attempt to reconnect.
Connection event: connect
The backend has connected to the target or has reconnected within the same terminal.
Final state. The connection has been terminated from the backend.
Table of all connections made and the current state they are in (it is a function of connection events).
When a policy check passes (i.e., Alice was allowed access to ENV via POLICY)
When a policy check fails (i.e., Alice was denied access to ENV). Policy checks by default deny until a successful policy is found.