The BastionZero webapp is at  

We use the following terminology. 

  • Targets are VMs, servers or containers. 

  • Environments are sets of targets. 

  • You write policies against targets or environments. 

  • Policies decide what users/groups can access what targets/environments.

  • Spaces are virtual desktops that are used within the BastionZero webapp to access targets.

  • Admin users can create targets, environments and policies.  Admin users can also view logs.

  • Regular users can only access targets and view logs of their own command history. This is done either via the BastionZero webapp on the spaces screen, or via the BastionZero Command Line Interface, also known as the zli.

Autodiscovering targets: To discover your targets click the "Create" button (top right) and then Target -> Autodiscovery to grab scripts you can use to install the BastionZero agent on your targets. You should specify the environment you want the target to land in, the naming scheme, and the OS for the target, and then hit the copy button to get the script. To be discovered, your target will need the ability to connect out to the public Internet (not a public IP, just the ability to connect).

Writing policies: Click "Create" and then Policy. You can write policies against sets of users OR against groups pulled from your Azure IdP. You can also write policy via the API at

Accessing targets: You can access targets through the "Spaces" view of the webapp or via CLI. Download the CLI from the webapp under the gear in the top right.  You can upload and download files via the CLI, or if you look on the top right of an individual terminal window in the webapp, there is a little button with two arrows - that is the SCP interface.

Logs: To access logs of who ran what command on what target, admin users can check the webapp under "Logs".   Or you can grab in JSON format from  Non-admin users can also access logs of their own commands (but not those of others in the organization).