Nuxari
Roles and Permissions

Client Owner

The Client Owner is the highest authority in a Nuxari tenant. This role can manage all tenant settings, users, billing, integrations, and compliance configuration.

Last updated: June 2026

Who this is for

Administrators or technical leads who own the organization's Nuxari tenant and are responsible for its configuration, security posture, and governance.

Purpose

The Client Owner role is designed for the person or people who are ultimately accountable for the Nuxari tenant. They have the broadest set of permissions in the tenant and can perform any action that a Client Admin, Client Security Admin, or any other client role can perform. They are also the only users who can assign or revoke the Client Owner role itself.

What Client Owners can do

  • Manage all tenant settings, including organization profile, security policy, and domain allowlists.
  • Invite, remove, and manage all users in the tenant.
  • Assign any role to any user, including the Client Owner role itself.
  • Manage billing, plan, and subscription details.
  • Configure and manage all connectors and integrations.
  • View all governance data, audit logs, findings, evidence, and reports across the tenant.
  • Configure MFA enforcement, domain allowlists, and PIM policy.
  • Approve, reject, or delegate any request in the tenant, including requests assigned to others.

MFA requirement

MFA (multi-factor authentication) is required to hold the Client Owner role. If a user assigned as Client Owner does not have MFA enrolled, they will be required to enroll before their owner privileges are active. This requirement cannot be waived or bypassed.

PIM and just-in-time access

The Client Owner role is eligible for PIM (Privileged Identity Management). When configured with PIM, a user holds the Client Owner role as eligible rather than permanently active. To perform owner-level actions, the user activates the role through Administration > PIM and provides a business justification. Each activation is time-limited and fully audited. This reduces the attack surface compared with permanently active owner sessions.

Use PIM for Client Owner wherever your security policy supports it. Permanently active owner sessions increase risk. Just-in-time activation ensures owner actions are intentional, justified, and traceable.

Last owner protection

Nuxari enforces a rule that prevents an organization from being locked out of its own tenant: the last Client Owner cannot be removed, deactivated, or have their role changed.

If you are the only Client Owner and you want to remove yourself or change your own role, you must first assign the Client Owner role to another user. Only then can you change or remove your own role. This protection is enforced at the API level and cannot be bypassed through the interface.

Assignment guidance

  • Keep the number of Client Owners small, typically one to two people per organization.
  • Only assign this role to users who need tenant-wide authority and who have agreed to your organization's privileged access policy.
  • Use Client Admin for day-to-day administration tasks that do not require owner-level authority.
  • Review Client Owner assignments periodically, especially when key personnel change.
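
A periodic review of Client Owner assignments against the rules on this page can be scripted. The following is an added example, not Nuxari code: the record fields, the finding codes, and the sample users are assumptions constructed for illustration, and no Nuxari export format or API is implied.

```python
from dataclasses import dataclass

@dataclass
class Assignment:            # hypothetical record shape, not a Nuxari format
    user: str
    role: str
    mfa_enrolled: bool
    pim_eligible: bool       # True: activated just-in-time; False: permanently active

# Constructed sample data for the example.
SAMPLE = [
    Assignment("alice@example.com", "Client Owner", True, True),
    Assignment("bob@example.com", "Client Owner", False, False),
    Assignment("carol@example.com", "Client Owner", True, False),
    Assignment("dave@example.com", "Client Admin", True, False),
]

MAX_OWNERS = 2  # guidance above: typically one to two owners per organization

def review_owners(assignments, max_owners=MAX_OWNERS):
    """Return (subject, finding_code) pairs for Client Owner assignments."""
    owners = [a for a in assignments if a.role == "Client Owner"]
    findings = []
    if len(owners) > max_owners:
        findings.append(("tenant", "OWNER_COUNT"))
    if len(owners) == 1:
        # Last owner protection: this user cannot be removed, deactivated,
        # or re-roled until another Client Owner is assigned.
        findings.append((owners[0].user, "SOLE_OWNER"))
    # Owner privileges are not active until MFA is enrolled, so a tenant whose
    # owners all lack MFA has nobody who can act with owner authority.
    if owners and not any(o.mfa_enrolled for o in owners):
        findings.append(("tenant", "NO_EFFECTIVE_OWNER"))
    for o in owners:
        if not o.mfa_enrolled:
            findings.append((o.user, "MFA_MISSING"))
        if not o.pim_eligible:
            # Permanently active owner role: candidate for PIM eligibility.
            findings.append((o.user, "PERMANENT"))
    return findings

if __name__ == "__main__":
    for subject, code in review_owners(SAMPLE):
        print(f"{code:20} {subject}")
```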
