Skip to main content

Governance intelligence for access, cloud, and SaaS. Now in early access

Nuxari
Compliance & Readiness

Compliance roles and permissions

Which roles can access the compliance module, what each role can do, and how access is controlled.

Last updated: June 2026

This page covers compliance module access. For the full roles and permissions reference, see Roles and permissions in Nuxari.

Compliance module access by role

Access to the compliance module is controlled by your assigned role. Not all roles have compliance access by default. The compliance module contains sensitive organizational data — access is scoped to roles with a defined need.

Client Owner
  • Full read and write access to all compliance module features
  • Can approve policies and accept risks
  • Can generate and export audit packages
  • Can assign compliance tasks to other users
  • MFA required for sensitive operations including audit package export
Client Security Admin
  • Full access to security controls, evidence, and compliance readiness
  • Can approve policies and accept evidence
  • Can generate and export audit packages
  • Can manage risk register
  • Cannot approve risks — only Client Owner can accept risks
  • MFA required
Client Admin
  • Can view compliance module, controls, and evidence
  • Can approve policies
  • Cannot export audit packages (Client Owner or Client Security Admin required)
  • Cannot accept risks
Client Compliance Auditor
  • Read-only access to all compliance data: controls, evidence, policies, risks, vendors, access reviews
  • Can view audit packages
  • Cannot collect evidence, approve policies, accept risks, or export packages
  • Intended for internal audit staff or designated compliance reviewers
Governance Operator
  • Can collect and submit evidence for assigned controls
  • Can run access review campaigns when assigned
  • Cannot approve policies, accept risks, or export audit packages
  • Cannot view the full risk register — can only see risks linked to their assigned controls
Approver
  • No compliance module access by default
  • May receive policy approval requests if explicitly included in a policy approval workflow
Requester
  • No access to the compliance module
  • Cannot view controls, evidence, policies, risks, or audit packages
Readonly Viewer
  • No access to the compliance module

Key principles

  • Client Compliance Auditor is read-only. This role is specifically designed for auditors and compliance reviewers who need visibility without the ability to modify anything.
  • Risk acceptance is Client Owner only. Formally accepting a residual risk requires senior business authorization. Only Client Owners can accept risks.
  • Audit package export requires MFA. Given the sensitive nature of audit packages, an active MFA-verified session is required to export.
  • Policy approval requires separation of duties. A policy owner cannot approve their own policy — a different authorized user must approve.

Related docs

Roles and permissions overview

Full role reference for all eight client tenant roles

Audit packages

Export requirements including MFA and PIM

Compliance troubleshooting

Resolve permission issues in the compliance module

Was this page helpful?