
Client Security Admin

The Client Security Admin is responsible for the security configuration of the Nuxari tenant: MFA enforcement, PIM and JIT access, security monitoring, and credential governance.

Last updated: June 2026

Who this is for

Security engineers, security leads, or compliance-focused administrators who own the security configuration of the Nuxari tenant.

Purpose

The Client Security Admin role is designed for the person responsible for the platform's security posture. While a Client Admin manages users and connectors, the Client Security Admin controls the security policies that govern how the platform operates: who is required to use MFA, which roles are PIM-enabled, how credentials are tracked, and how security findings are monitored.

What Client Security Admins can do

  • Configure and enforce MFA policy across the tenant, including which roles require MFA.
  • Configure PIM eligibility and just-in-time access rules for privileged roles.
  • Monitor security events, alert configurations, and access anomalies.
  • Manage credential and certificate governance: track expiry, assign remediation, and review hygiene findings.
  • View security-related audit events and evidence.
  • Review and manage domain allowlist settings.
  • Configure agent token policies and connector credential rotation schedules.

What Client Security Admins cannot do

  • Assign the Client Owner or Client Admin role (those require Client Owner authority).
  • Manage billing or subscription settings.
  • Override approval workflows or bypass governance policies — security admins are subject to the same approval requirements as other users for governed actions.
  • Directly modify remediation plan execution — remediation requires appropriate role assignments and approval steps.

MFA requirement

MFA is required to hold the Client Security Admin role. A user must have MFA enrolled before their security administration privileges are active. This aligns with the principle that the person managing the security policy must themselves be held to the highest authentication standards.

If a Client Security Admin loses their MFA device and has no recovery codes, a Client Owner must reset their MFA from Settings > User Management. The security admin cannot bypass this requirement.

PIM eligibility

The Client Security Admin role is PIM-eligible. When PIM is configured, the role is held as eligible and activated just-in-time when security administration is needed. The activation requires a business justification and is time-limited and audited. This ensures security admin privileges are not permanently active, reducing the impact of a compromised session.

Assignment guidance

  • Assign this role to the person or team accountable for the tenant's security configuration, not to every IT administrator.
  • Separate security administration from day-to-day administration where your policy supports it. Use Client Admin for general administration tasks.
  • Review Client Security Admin assignments as part of periodic access reviews.
