Troubleshooting Roles and Permissions

Who this is for

Client Owners, Client Admins, and users encountering role assignment errors or permission denied messages in Nuxari.

Cannot assign a role (permission denied)

Symptom:You attempt to assign a role to a user and receive a "permission denied" or "not authorized" error.

1. 1

   Confirm you have Client Admin or Client Owner role

   Only Client Admins and Client Owners can assign roles. If your role is Governance Operator, Approver, Requester, Readonly Viewer, or Client Compliance Auditor, you cannot assign roles. Contact your Client Owner or Client Admin.

2. 2

   Check which role you are trying to assign

   Client Admins can assign all roles except Client Owner. Only a Client Owner can assign the Client Owner role to another user. If you need to assign Client Owner, you must have that role yourself or ask a current Client Owner.

3. 3

   Check if MFA or PIM is required for the role being assigned

   Assigning the Client Owner, Client Admin, or Client Security Admin role may require MFA to be active on your session. Ensure your MFA session is current. If PIM is required, activate your eligible role from Administration > PIM before attempting the assignment.

4. 4

   Try again after confirming your own role and MFA state

   Go to Administration > Users, confirm your own role assignment is active, and confirm your MFA session is valid before retrying. If the error persists, contact your Client Owner.

Cannot assign the Client Owner role

Symptom: You are trying to assign the Client Owner role to another user and the action is blocked or the option is unavailable.

1. 1

   Confirm you are a Client Owner yourself

   The Client Owner role can only be assigned by another Client Owner. Client Admins cannot assign this role. If you are not a Client Owner, you must ask a current Client Owner to make this assignment.

2. 2

   Confirm your MFA is active

   Assigning the Client Owner role requires an active MFA session. If your session has aged or you have not completed MFA recently, log out and log back in with MFA before attempting the assignment.

3. 3

   Confirm the target user has MFA enrolled

   The user receiving the Client Owner role must have MFA enrolled before the role is fully active. If they have not enrolled MFA, direct them to Settings > Security > MFA enrollment first.

4. 4

   Activate your PIM role if required

   If your Client Owner role is PIM-eligible rather than permanently active, you must activate it from Administration > PIM before you can perform owner-level actions including role assignment.

Cannot remove the last Client Owner

Symptom: You are trying to remove a Client Owner or change their role, and the action is blocked with a message indicating this is the last owner.

1. 1

   Assign the Client Owner role to another user first

   Before removing the current last owner, assign the Client Owner role to at least one other user. Go to Administration > Users, select the user who should become an owner, and assign them the Client Owner role.

2. 2

   Confirm the new owner is active

   After assigning the Client Owner role to a second user, confirm they can log in successfully and their role is active in Administration > Users. Only after confirming this should you proceed with removing the original owner.

3. 3

   Remove or change the original owner

   Once at least one other active Client Owner exists, you can safely remove or change the role of the original owner. Return to Administration > Users and change the original user's role.

Cannot see Nuxari internal roles in the role assignment UI

Symptom:You are looking for a "Nuxari Super Admin", "Nuxari Support Admin", or other internal role in the role assignment interface and it does not appear.

This is expected and correct behavior. Nuxari internal roles are reserved for Nuxari's own staff and are not available to customers. They do not appear in the customer-facing role assignment interface by design.

Approver can only see assigned approvals

Symptom: A user with the Approver role says they cannot see all pending approvals in the system, only some.

This is by design. Approvers only see requests that are explicitly assigned to them. They do not have access to the full approval queue across all users and all request types. If an Approver needs to see additional requests, a Client Admin must assign those requests to them, or a different role (such as Client Admin) is needed for broader queue visibility.

Requester can only see their own tickets

Symptom:A user with the Requester role says they cannot see another user's request or ticket.

This is by design. Requesters have access only to their own tickets and requests. They cannot see the requests of other users. If a user needs to see other users' requests, they need a role with broader visibility such as Governance Operator, Client Admin, or Client Owner. Contact your Client Admin if you need your role elevated.

Client Compliance Auditor cannot approve or modify data

Symptom: A user with the Client Compliance Auditor role reports they cannot submit requests, approve items, or export data.

This is by design. The Client Compliance Auditor role is read-only. It can view audit logs, evidence, reports, and findings, but cannot create, modify, delete, or approve anything. This preserves the integrity of the audit record. If the user needs to take action, they need a different role: Governance Operator for operational work, or Approver for authorization tasks.

MFA required for privileged role assignment

Symptom: You are trying to assign a privileged role (Client Owner, Client Admin, Client Security Admin) and receive an error about MFA being required.

1. 1

   Ensure your own MFA session is active

   Assigning privileged roles requires that your current session was authenticated with MFA. If you logged in without completing MFA, or your session is old, log out and log back in using MFA.

2. 2

   Ensure the target user has MFA enrolled

   Client Owner and Client Security Admin require the receiving user to have MFA enrolled. Check the user's profile in Administration > Users to confirm MFA status. If not enrolled, direct them to Settings > Security > MFA.

3. 3

   Use a recovery code if your MFA device is unavailable

   If you cannot complete MFA because your device is unavailable, use a recovery code from the MFA challenge screen. After regaining access, re-enroll your MFA device immediately.

4. 4

   Contact your Client Owner if MFA cannot be completed

   If you are permanently locked out of MFA (no device, no recovery codes), a Client Owner must reset your MFA from Administration > Users before you can proceed.

PIM required for certain role actions

Symptom:You have been assigned the Client Owner, Client Admin, or Client Security Admin role but cannot perform certain actions. Or you receive a message saying your role is "eligible" but not active.

1. 1

   Go to Administration > PIM

   In Nuxari, go to Administration > PIM. You will see any roles you are eligible to activate. If your role shows as 'Eligible', it means it is configured for just-in-time activation and is not permanently active.

2. 2

   Activate your eligible role with a justification

   Click 'Activate' next to the role. Enter a business justification for why you need to activate this role now (for example, 'Assigning new team member roles for new project'). The activation is time-limited, typically 1–8 hours depending on your policy.

3. 3

   Complete the action after activation

   Once the role is activated, return to the task you were trying to complete. Your session should now have the elevated permissions needed. After you finish, the activation expires automatically.

4. 4

   Contact your Client Owner if no eligible roles appear

   If you have been told you should have a privileged role but see no eligible roles in the PIM interface, contact your Client Owner. They may need to configure your PIM eligibility in Administration > PIM.

Role display names changed or appear incorrect after migration

Symptom: Role names in the UI look different from what users expect, or users report their role appears to have changed after a platform update.

Nuxari has updated its role model to use clearer display names (for example, "Owner" became "Client Owner"). The underlying permissions are the same. If a user is unsure what their current role maps to, see the Workspaces and Roles page for the updated role table, or the Roles and Permissions overview for detailed descriptions of each role. If a role appears to have changed permissions unexpectedly, contact your Client Owner or Nuxari support.