Identity Account Management

Nexus provides a flexible and secure identity account model that allows administrators to control which actions users and services can perform. Access is governed through a combination of permissions, roles, and accounts.

For additional details, see Identity Account in the knowledge base.

Core concepts

  • Permissions: low-level, granular authorizations that control access to specific portal features and Nexus APIs (for example, create, view, update, or delete operations).
  • Roles: logical permission groups. Assigning a role grants all permissions within that role. A common example is the Administrator role, which provides broad portal access.
  • Accounts: entities that can be assigned one or more roles, depending on required access. All accounts can view their own profile details, including assigned roles and permissions. Only accounts with explicit account-management permissions can create, modify, or manage other accounts.

Nexus supports two account types:

  • User Account: portal access for human users.
  • Service Account: API access for system-to-system integrations.

Initial user setup

As part of your environment provisioning, we create an initial user account using an email address you provide during setup. This initial user is granted sufficient permissions to:

  • Create additional Identity Accounts
  • Assign and manage roles and permissions
  • Apply the Four-Eyes Principle to accounts

This enables full access management within your organization from the outset.

NOTE

The roles and accounts you create should accurately reflect your organizational structure and responsibilities. Assigning roles carefully, especially high-risk roles, is essential to maintaining a secure operational environment.

Registering your initial user

Once your environment is set up, the initial user will receive an email containing a Confirm Registration link.

  1. Click the registration link to open the Nexus login page.

  2. Set and confirm your password, ensuring it complies with the Nexus password policy.

  3. Log in using your username (as provided in the registration email) and your newly created password.

  4. Complete the two-factor authentication (2FA) setup by following the on-screen instructions.

After logging in, select the Identity tab to access the Nexus Identity Portal.

Navigate to Accounts in the side menu. At this stage, only your initial user account exists. By default, this account has the following roles:

  • Identity Accounts - Creator (high risk)
  • Identity Accounts - Validator (high risk)
  • Administrator

These roles allow the initial user to create and manage additional identity accounts and access most portal functionality.

Creating additional identity accounts

To create new user or service accounts:

  1. Navigate to the Identity tab to open the Nexus Identity Portal.

  2. Select Accounts in the side menu.

  3. Choose either Create User Account or Create Service Account, depending on your needs.

For example, to create a user account for a developer:

  • Select Create User Account

  • Enter the developer's email address and username

  • Select Register

The developer will receive a registration email and must complete the same registration steps as the initial user.

At this point, the new account has no permissions. To grant access:

  1. Navigate to Roles in the side menu.

  2. Review the available default roles or create a custom role.

  3. Assign the appropriate role(s) to the account.

For example, if the developer does not require portal access but needs to manage API authentication, assign the Service Accounts (high risk) role. This role allows a user account to manage service accounts for API access.

Applying the four-eyes principle to identity accounts

To enhance security, Nexus supports applying the four-eyes principle (dual control) to identity account management.

NOTE

The four-eyes principle (or dual control) is a risk management and governance mechanism requiring that any critical decision or action be verified and approved by at least two authorized individuals.

By default, the initial user is assigned both of the following roles:

  • Identity Accounts - Creator (high risk)
  • Identity Accounts - Validator (high risk)

When both roles are assigned to the same account, actions are applied immediately and no dual control is enforced.

Enabling dual control

To apply the four-eyes principle:

  1. Create or identify a second user account.

  2. Assign the Identity Accounts - Validator (high risk) role to this second account via the Roles section.

  3. Remove the Identity Accounts - Validator (high risk) role from the initial user account.

After this change, any account management action by the initial user, such as creating an account or assigning a role, will require validation by a separate user account with validator permissions.

Validating pending actions

For example, assume the initial user has enabled dual control and then assigns the Administrator role to another account. This action does not apply immediately and requires an additional validation step:

  1. The role assignment will appear with a ToBeAdded status, instead of a Validated status.

  2. A user with the Identity Accounts - Validator (high risk) role must log in to the Nexus Identity Portal.

  3. The user navigates to the relevant role and selects either Validate addition or Cancel pending role addition.

Only after validation will the change take effect.
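
The check below is an added example, not Nexus code: it audits a list of role assignments for the two conditions described above, accounts that hold both the Creator and Validator roles (so their changes apply immediately) and Creator accounts left with no active validator to approve them. The `(account, role, status)` row layout and the account names are assumptions made for the example; the role names and the `ToBeAdded` and `Validated` statuses are the ones used on this page.

```python
from collections import defaultdict

CREATOR = "Identity Accounts - Creator (high risk)"
VALIDATOR = "Identity Accounts - Validator (high risk)"

# Constructed sample rows (account, role, status). The row layout is an
# assumption for this example, not a Nexus export format.
SAMPLE = [
    ("alice", CREATOR, "Validated"),
    ("alice", VALIDATOR, "Validated"),
    ("alice", "Administrator", "Validated"),
    ("bob", CREATOR, "Validated"),
    ("carol", VALIDATOR, "ToBeAdded"),
    ("dave", "Administrator", "ToBeAdded"),
]


def audit_dual_control(rows):
    """Report where four-eyes control is absent or cannot work."""
    active = defaultdict(set)  # account -> roles currently in effect
    pending = []               # role additions still awaiting validation
    for account, role, status in rows:
        if status == "Validated":
            active[account].add(role)
        elif status == "ToBeAdded":
            pending.append((account, role))

    creators = {a for a, roles in active.items() if CREATOR in roles}
    validators = {a for a, roles in active.items() if VALIDATOR in roles}
    return {
        # Both roles on one account: its changes apply immediately.
        "self_approving": sorted(creators & validators),
        # Creator-only accounts when no account holds an active Validator role.
        "no_validator_available": (
            sorted(creators - validators) if not validators else []
        ),
        # Pending additions of roles the portal labels "(high risk)".
        "pending_high_risk": [(a, r) for a, r in pending if "(high risk)" in r],
    }


if __name__ == "__main__":
    for finding, items in audit_dual_control(SAMPLE).items():
        print(f"{finding}: {items}")
```

A pending Validator role is counted as not yet in effect, which matches the rule that a change only takes effect after validation.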