Workspaces and Roles
Understand how Nuxari workspaces work and what each role can do.
Last updated: June 2026
Who this is for
Workspace owners and admins managing their team in Nuxari.
Before you start
You need an owner or admin role to invite users and change role assignments.
Role families
Nuxari uses two distinct families of roles:
- Client Tenant Roles: the eight roles you assign to users inside your organization. These control what each person can see and do in your Nuxari workspace. "Client" refers to your organization as the customer, not a role level.
- Nuxari Internal Roles: roles used by Nuxari's own staff for operations and support. These are not assignable by customers and do not appear in your tenant UI.
For detailed descriptions of every role, see the Roles and Permissions overview.
How workspaces work
In Nuxari, your organization maps directly to your workspace. All of your connectors, governance data, findings, evidence, and audit events live within your workspace. No data is shared between organizations; your workspace is fully isolated from every other customer on the platform.
Managing users
To manage your team, go to Settings > Team. From there you can invite new members, change role assignments, and remove users who should no longer have access to the workspace.
Role permissions
Highest tenant authority. Full access to all workspace settings, billing, and user management. MFA required. Last Client Owner cannot be removed.
- Manage all settings
- Invite and remove users
- Assign any role including Client Owner
- View all data
- Manage billing and subscription
Day-to-day administration. Manages users, connectors, templates, workflows, and teams. Cannot bypass security policy or assign Client Owner.
- Add and manage connectors
- Create and manage workflows
- Invite users and assign roles (except Client Owner)
- View all governance data
Manages MFA policy, PIM and JIT access, security monitoring, and credential governance. MFA required.
- Configure MFA enforcement
- Manage PIM eligibility
- Monitor security events
- Manage credential governance
Read-only access to audit logs, evidence, reports, and compliance readiness. Cannot modify anything.
- View all findings
- View all evidence
- View audit log
- Export reports
Runs governance templates, manages workflows and remediation plans, and handles access requests. Follows approval policy. Cannot assign roles.
- Run templates and control packs
- Create and manage workflows
- Manage remediation plans
- Submit access requests
Reviews and authorizes requests assigned to them. Cannot approve own requests. All approvals are audited.
- Approve or reject assigned requests
- View findings and evidence for assigned items
- Add notes to approval decisions
Can submit access requests and track their own tickets. Cannot see tenant-wide data.
- Submit access requests
- View status of their own requests
- View their own audit events
Can view permitted dashboards and selected reports only. Cannot submit requests, approve actions, or export data.
- View dashboard
- View permitted reports
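The constraints stated in the role descriptions above (an admin cannot assign Client Owner, the last Client Owner cannot be removed, approvers cannot approve their own requests) can be read as server-side checks; the following is an added illustration, not Nuxari's code or API. The `Workspace` and `Request` classes, their method names, and the treatment of demoting the last owner as a removal are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

OWNER, ADMIN = "Client Owner", "admin"  # role names as written on this page


class Denied(Exception):
    """An action that would break one of the role rules described above."""


@dataclass
class Request:
    requester: str
    assigned_to: str
    approved_by: Optional[str] = None


@dataclass
class Workspace:  # hypothetical in-memory model, not Nuxari's code or API
    roles: dict                                  # user -> role name
    audit: list = field(default_factory=list)    # every accepted action is recorded

    def _is_last_owner(self, user):
        owners = [u for u, r in self.roles.items() if r == OWNER]
        return owners == [user]

    def assign_role(self, actor, target, new_role):
        actor_role = self.roles.get(actor)
        if actor_role not in (OWNER, ADMIN):
            raise Denied("only an owner or admin can change role assignments")
        if new_role == OWNER and actor_role != OWNER:
            raise Denied("an admin cannot assign Client Owner")
        # Assumption: demoting the last owner counts as removing them.
        if new_role != OWNER and self._is_last_owner(target):
            raise Denied("the last Client Owner cannot be demoted")
        self.roles[target] = new_role
        self.audit.append(("assign_role", actor, target, new_role))

    def remove_user(self, actor, target):
        # Who may remove users is not modelled; only the last-owner rule is.
        if self._is_last_owner(target):
            raise Denied("the last Client Owner cannot be removed")
        del self.roles[target]
        self.audit.append(("remove_user", actor, target))

    def approve(self, approver, req):
        if req.assigned_to != approver:
            raise Denied("request is not assigned to this approver")
        if req.requester == approver:
            raise Denied("approvers cannot approve their own requests")
        req.approved_by = approver
        self.audit.append(("approve", approver, req.requester))
```

The checks run before any state changes, so a denied action leaves both the role table and the audit list untouched.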
Role assignment principles
- Assign the least privileged role needed for each person to do their job.
- Keep the number of owners to a minimum, typically one or two.
- Approvers should be senior enough to make informed authorization decisions on remediation actions.
- Review role assignments periodically, especially when team members change responsibilities.