Roles and permissions in Nuxari

Understand the two role families in Nuxari: client tenant roles assigned within your organization and Nuxari internal roles reserved for Nuxari staff.

Last updated: June 2026

Who this is for

Client Owners and Client Admins who manage their organization's Nuxari tenant, and anyone who wants to understand what each role can do.

What "client" means in this context

In Nuxari, Client refers to your organization, the customer tenant that uses Nuxari to manage governance, automation, and access. It is not a role name. Roles that begin with "Client" (such as Client Owner or Client Admin) are roles held by users inside your organization's tenant. These are distinct from Nuxari's own internal staff roles, which customers cannot assign.

The two role families

Nuxari uses two separate families of roles:

  • Client Tenant Roles — roles you assign to users inside your organization. These control what each person can see and do within your Nuxari workspace. There are eight client tenant roles.
  • Nuxari Internal Roles — roles used by Nuxari's own staff for operations and support. Customers cannot assign, view, or modify these roles. They are scoped, audited, and managed entirely by Nuxari.

Client tenant roles

The following eight roles are available for assignment within your organization. Each role follows least-privilege principles — assign the role that matches the person's actual responsibilities.

Client Owner (Privileged)

Highest authority in the tenant. Manages all settings, users, billing, and compliance. MFA required. The last Client Owner cannot be removed.

Client Admin (Privileged)

Day-to-day administration. Manages users, teams, integrations, templates, and workflows. Cannot bypass security or approval policies.

Client Security Admin (Privileged)

Manages MFA policy, PIM and JIT access, security monitoring, and credential governance. MFA required.

Client Compliance Auditor

Read-only access to audit logs, evidence, reports, and compliance readiness. Cannot modify any data.

Governance Operator

Runs governance templates, manages workflows, remediation plans, and access requests. Follows approval policy. Cannot assign roles.

Approver

Approves or denies requests assigned to them. Cannot approve their own requests. All approvals are audited.

Requester

Submits access requests and tracks their own tickets. Limited Ask Nuxari access. Cannot view tenant-wide data.

Readonly Viewer

Views permitted dashboards and selected reports. No mutations, no approvals, no submissions.

Assign the least privileged role needed for each person to do their job. Keep the number of Client Owners small, typically one or two. Review role assignments when team members change responsibilities.

MFA and PIM requirements for privileged roles

Three roles have elevated security requirements because they can modify tenant-wide settings, assign roles to other users, or control security policy:

  • Client Owner — MFA required. PIM eligible for just-in-time activation of owner-level actions.
  • Client Admin — PIM eligible for elevation. MFA recommended and may be required by your organization's policy.
  • Client Security Admin — MFA required. PIM eligible to activate security administration actions with a justification.

PIM (Privileged Identity Management) allows users to hold a role as eligible rather than permanently active. To perform privileged actions, the user activates the role with a business justification, and the activation is time-limited and audited. To configure PIM, go to Administration > PIM.

Last Client Owner protection

Nuxari enforces a tenant safety rule: the last Client Owner in an organization cannot be removed or have their role changed. This prevents an organization from becoming permanently locked out of its own tenant. If you need to remove an owner, first assign the Client Owner role to another user, then remove the original owner.
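
The MFA requirements and the last-owner rule described above, modeled in Python as an added example that is not Nuxari code: it audits a role-assignment list against this page's requirements and refuses any change that would leave the tenant without a Client Owner. The user records, function names, and severity labels are assumptions for illustration, not Nuxari's export format or API.

```python
# Requirements as stated on this page; the data model below is hypothetical.
MFA_REQUIRED = {"Client Owner", "Client Security Admin"}
MFA_RECOMMENDED = {"Client Admin"}
MAX_OWNERS = 2  # "typically one or two"

def count_owners(users):
    return sum(1 for u in users if u["role"] == "Client Owner")

def audit_assignments(users):
    """Return (severity, user, message) findings for a list of user dicts."""
    findings = []
    for u in users:
        if u["role"] in MFA_REQUIRED and not u["mfa"]:
            findings.append(("high", u["name"], f"{u['role']} without MFA"))
        elif u["role"] in MFA_RECOMMENDED and not u["mfa"]:
            findings.append(("medium", u["name"], f"{u['role']} without MFA"))
    owners = count_owners(users)
    if owners == 0:
        findings.append(("high", None, "tenant has no Client Owner"))
    elif owners > MAX_OWNERS:
        findings.append(("low", None, f"{owners} Client Owners; keep to one or two"))
    return findings

def change_role(users, name, new_role):
    """Apply a role change (new_role=None removes the user), refusing any
    change that would leave the tenant without a Client Owner."""
    target = next(u for u in users if u["name"] == name)
    losing_owner = target["role"] == "Client Owner" and new_role != "Client Owner"
    if losing_owner and count_owners(users) == 1:
        raise PermissionError("last Client Owner cannot be removed or changed")
    if new_role is None:
        return [u for u in users if u["name"] != name]
    return [dict(u, role=new_role) if u["name"] == name else u for u in users]

def handover(users, old_owner, new_owner):
    """Owner replacement in the order the page gives: assign first, then remove."""
    users = change_role(users, new_owner, "Client Owner")
    return change_role(users, old_owner, None)

# Constructed sample tenant (not real data).
TENANT = [
    {"name": "ana", "role": "Client Owner", "mfa": True},
    {"name": "ben", "role": "Client Admin", "mfa": False},
    {"name": "cy", "role": "Client Security Admin", "mfa": False},
    {"name": "dee", "role": "Requester", "mfa": False},
]
```

Running the audit again after a handover shows why role reviews matter: promoting a user who has no MFA to Client Owner turns a "recommended" gap into a "required" one.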

Nuxari internal roles

Nuxari operates its own set of internal roles for its operations and support staff. These roles are not visible or assignable in your tenant. If you do not see an "internal role" option in your role assignment UI, that is expected and correct. Nuxari staff access to your tenant, when required for support purposes, is controlled, scoped to the minimum necessary, and audited.
