Glossary of Terms Banyan Uses

Abstractions and terminology Banyan uses to represent and secure users/devices/applications running in any type of environment



An Organization is a company, or company division, that has an account on the Banyan Command Center.


A User is a human being who has a relationship with your Organization. They may be an employee, customer, contractor, partner etc.


Users belong to one or more Groups within an Organization. There can be a large number of Users in any Organization with different changing properties. Groups, on the hand, are much fewer in number and are more permanent.

Identity Provider

An Identity Provider (abbreviated IDP) creates, maintains, and manages identity information for Users in your Organization. It deliver authentication capabilities to relying applications such as the Banyan Command Center. Popular IDP providers include Okta, Google Identity and Azure Active Directory.


A Device is an electronic appliance, such as personal computer, mobile phone and tablet computer, capable of connecting to a network and processing data. A Device is used by Users to make requests for protected resources. Devices do not need to be in your Organization’s private network.

Device Manager

An Enterprise Device Manager (abbreviated EDM, and sometimes referred to as MDM or UEM) enables IT administrators to control, secure and enforce policies on smartphones, tablets, laptops and desktop computers. Popular EDM products include Workspace ONE UEM, JAMF, and Citrix.


A Workload refers to either a Docker Container or a Linux Process running on your Hosts.



A Cluster is a logical grouping of Banyan Access Tiers that are managed together for a given Organization. A Banyan Cluster includes a Private PKI (Public Key Infrastructure) to distribute cryptographic identities (X.509 Certificates) to clients and services in your organization.

Access Tier

An Access Tier is an Identity-aware Proxy that mediates access into a private network segment within which you run corporate applications and services. A Banyan Access Tier has a public IP address that is reachable from the internet.


A Connector is a Dial-out Connector that runs in a private network segment within which you run corporate applications and services. A Banyan Connector establish a secure tunnel with one or more Banyan Access Tiers.

Banyan Abstractions - Services


In Banyan, a Service is an abstraction that refers to corporate resources that you need to provide secure connectivity to. Once a Service is registered in the Banyan Command Center access controls can be enforced using the Banyan Access Tier.

Policies are attached to Services.

SaaS Application

A SaaS Application is a special type of Service that is NOT hosted in the customer environment. Instead, SaaS Applications are hosted by the SaaS vendor in the vendor’s datacenters. SaaS Application traffic does not flow though an Access Tier; instead, Banyan has a special enforcement called IDP Chaining for SaaS Applications.

Banyan Abstractions - Roles & Policies


In the security context, a Principal is any entity that requests access to an Service. In the Banyan platform we focus on User Principals. Other types of Principals include Workload Principals, Server Principals, etc.


In Banyan, a Role represents a set of access privileges. The specific access privileges of a Role are determined by the Policies that mention the Role.

Roles get assigned to Principals based on attributes we’ve gathered during the authentication phase.


In Banyan, a Policy is set of authorization rules that specify which Principals can access a given Service.

Note that we write Policies using Roles and not individual Principals; Roles simplify policy creation by grouping Principals with similar access privileges.

Last modified: Jun 16, 2021