Skip to main content

Governance intelligence for access, cloud, and SaaS. Now in early access

Nuxari
Roles and Permissions

Client Admin

The Client Admin handles day-to-day administration in Nuxari: managing users, connectors, integrations, templates, and workflows.

Last updated: June 2026

Who this is for

IT administrators, platform managers, or operations leads responsible for running and maintaining the Nuxari tenant on a daily basis.

Purpose

The Client Admin role is designed for users who run the Nuxari platform day to day without needing the full authority of a Client Owner. Admins can manage most operational aspects of the tenant — users, connectors, templates, and workflows — while being subject to the security and approval policies that owners set.

What Client Admins can do

  • Invite and remove users from the tenant.
  • Assign roles to users, excluding the Client Owner role (only owners can assign owners).
  • Add, configure, and manage connectors and integrations.
  • Install, manage, and remove governance templates and control packs.
  • Create, configure, and run workflows and automation.
  • View all governance data, findings, evidence, audit logs, and reports across the tenant.
  • Manage scheduled jobs and remediation plans.
  • Configure notification settings for users and teams.

What Client Admins cannot do

  • Assign or revoke the Client Owner role — only Client Owners can do this.
  • Bypass MFA enforcement policies set by the Client Owner or Client Security Admin.
  • Bypass approval workflows — even admins must go through the approval process for governed actions.
  • Manage billing or subscription settings (this requires Client Owner).
  • Modify security monitoring or PIM policy configuration (this requires Client Security Admin or Client Owner).
Client Admins are powerful but policy-bound. They cannot override security controls that the Client Owner or Client Security Admin has put in place. This is by design. Admins operate within the security guardrails of the tenant, not above them.

PIM eligibility

The Client Admin role is PIM-eligible. When configured with PIM, the role can be held as eligible rather than permanently active, and activated just-in-time with a justification when administrative work is needed. This reduces persistent privileged access and ensures admin actions are intentional and audited.

Assignment guidance

  • Assign Client Admin to people actively responsible for running and maintaining the platform.
  • Do not assign Client Admin to users who only need to submit requests or run templates — use Governance Operator or Requester instead.
  • Review Client Admin assignments when team responsibilities change.

Related docs

Roles and Permissions Overview

All eight client tenant roles and the two role families

Client Owner

Full tenant authority including billing and owner-role assignment

Client Security Admin

Manages MFA, PIM, and security monitoring

Troubleshooting: Roles and Permissions

Resolve role assignment errors and permission denied issues

Was this page helpful?