Identity Account Management
Nexus provides a flexible and secure Identity Account Management model that allows administrators to control which actions users and services can perform within the platform. Access is governed through a structured combination of permissions, roles, and accounts.
For additional details on these concepts, please refer to the Knowledge base - Identity Account section.
Core Concepts
- Permissions: Permissions are low-level, granular authorizations that control access to specific portal features and Nexus APIs. Examples include the ability to create, view, update, or delete various entities within the system.
- Roles: Roles group multiple permissions into logical sets. Assigning a role to an account grants all permissions associated with that role. A common example is the Administrator role, which typically provides broad access to portal functionality and is usually assigned to trusted user accounts responsible for managing the environment.
- Accounts: An account can be assigned one or multiple roles depending on the access it requires. All accounts can view their own profile details, including assigned roles and permissions. However, only accounts with explicit account management permissions can create, modify, or manage other accounts. Nexus supports two account types:
  - User Account: Provides access to the Nexus Portal and is intended for human users.
  - Service Account: Provides access to the Nexus APIs and is intended for system-to-system integrations.
Initial User Setup
As part of your environment provisioning, we create an initial user account using an email address you provide during setup. This initial user is granted sufficient permissions to:
- Create additional Identity Accounts
- Assign and manage roles and permissions
- Apply the Four-Eyes Principle to accounts
This enables you to fully manage access within your organization from the outset.
NOTE
The roles and accounts you create should accurately reflect your organizational structure and responsibilities. Assigning roles carefully, especially high-risk roles, is essential to maintaining a secure operational environment.
Registering your Initial User
Once your environment is set up, the initial user will receive an email containing a Confirm Registration link.
Click the registration link to open the Nexus login page.
Set and confirm your password, ensuring it complies with the Nexus password policy.
Log in using your username (as provided in the registration email) and your newly created password.
Complete the two-factor authentication (2FA) setup by following the on-screen instructions.
After logging in, select the Identity tab to access the Nexus Identity Portal.
Navigate to Accounts in the side menu. At this stage, only your initial user account will exist. By default, the following roles are assigned to this account:
- Identity Accounts - Creator (high risk)
- Identity Accounts - Validator (high risk)
- Administrator
These roles enable the initial user to create and manage additional Identity Accounts and grant access to most portal functionality.
Creating additional Identity accounts
To create new user or service accounts:
Navigate to the Identity tab to open the Nexus Identity Portal.
Select Accounts from the side menu.
Choose either Create User Account or Create Service Account, depending on your needs.
For example, to create a user account for a developer:
Select Create User Account
Enter the developer's email address and username
Select Register
The developer will receive a registration email and must complete the same registration steps as the initial user.
At this point, the new account has no permissions. To grant access:
Navigate to Roles in the side menu.
Review the available default roles or create a custom role.
Assign the appropriate role(s) to the account.
For example, if the developer does not require portal access but needs to manage API authentication, assign the Service Accounts (high risk) role. This role allows a user account to manage Service Accounts for API access.
Applying a four-eyes principle to Identity accounts
To enhance security, Nexus supports applying a four-eyes principle (dual control) to Identity Account management.
NOTE
The four-eyes principle (or dual control) is a risk management and governance mechanism requiring that any critical decision or action be verified and approved by at least two authorized individuals.
By default, the initial user is assigned both of the following roles:
- Identity Accounts - Creator (high risk)
- Identity Accounts - Validator (high risk)
When both roles are assigned to the same account, actions are applied immediately and no dual control is enforced.
Enabling Dual Control
To apply the four-eyes principle:
Create or identify a second user account.
Assign the Identity Accounts - Validator (high risk) role to this second account via the Roles section.
Remove the Identity Accounts - Validator (high risk) role from the initial user account.
After this change, any account management action by the initial user, such as creating an account or assigning a role, will require validation by a separate user account with validator permissions.
Validating Pending Actions
For example, assume the initial user enabled dual control as explained in the previous section, and now assigns the Administrator role to another account. This action will not apply immediately; it requires an additional validation step, as explained below:
The role assignment will appear with a ToBeAdded status, instead of a Validated status.
A user with the Identity Accounts - Validator (high risk) role must log in to the Nexus Identity Portal.
The user then navigates to the relevant role and selects either Validate addition or Cancel pending role addition.
Only after validation will the change take effect.
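The following Python model walks through the behaviour described in the Core Concepts, Enabling Dual Control and Validating Pending Actions sections: roles grouping permissions, an account's effective permissions being the union of its roles, and a role addition applying immediately when the requester holds both the Creator and Validator roles but otherwise waiting in ToBeAdded until a separate account with the Validator role validates or cancels it. This is an added illustration, not Nexus code, and it does not call the Nexus API. The role names and the ToBeAdded/Validated statuses come from the text; the permission strings, the class and function names, and the "Cancelled" status are assumptions made for the example.

```python
"""Toy model of Nexus-style role assignment under the four-eyes principle.

Added illustration, not Nexus code. Role names and the ToBeAdded/Validated
statuses follow the text; permission strings, class/function names and the
"Cancelled" status are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CREATOR = "Identity Accounts - Creator (high risk)"
VALIDATOR = "Identity Accounts - Validator (high risk)"
ADMINISTRATOR = "Administrator"

# Roles group permissions. Constructed sample mapping, not the real Nexus permission set.
ROLE_PERMISSIONS = {
    CREATOR: {"accounts:create", "roles:assign"},
    VALIDATOR: {"roles:validate"},
    ADMINISTRATOR: {"portal:read", "portal:write"},
}


@dataclass
class Account:
    name: str
    roles: set[str] = field(default_factory=set)

    def permissions(self) -> set[str]:
        # Effective permissions are the union of all assigned roles' permissions.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles))


@dataclass
class RoleAssignment:
    target: str
    role: str
    requested_by: str
    status: str  # "ToBeAdded", "Validated" or "Cancelled" (the last is assumed)


class IdentityPortal:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.assignments: list[RoleAssignment] = []

    def create_account(self, actor: Account | None, name: str, roles=()) -> Account:
        # Only accounts with account-management permission may create others;
        # actor=None stands for the provisioning step that seeds the initial user.
        if actor is not None and "accounts:create" not in actor.permissions():
            raise PermissionError(f"{actor.name} may not create accounts")
        account = Account(name, set(roles))
        self.accounts[name] = account
        return account

    def assign_role(self, actor: Account, target: str, role: str) -> RoleAssignment:
        if "roles:assign" not in actor.permissions():
            raise PermissionError(f"{actor.name} may not assign roles")
        # Dual control: a requester who also holds the Validator role applies the
        # change at once; otherwise it waits in ToBeAdded for a separate validator.
        status = "Validated" if VALIDATOR in actor.roles else "ToBeAdded"
        assignment = RoleAssignment(target, role, actor.name, status)
        self.assignments.append(assignment)
        if status == "Validated":
            self.accounts[target].roles.add(role)
        return assignment

    def _check_validator(self, validator: Account, assignment: RoleAssignment) -> None:
        if "roles:validate" not in validator.permissions():
            raise PermissionError(f"{validator.name} may not validate role additions")
        if validator.name == assignment.requested_by:
            raise PermissionError("four-eyes: the requester cannot validate its own change")
        if assignment.status != "ToBeAdded":
            raise ValueError(f"assignment is already {assignment.status}")

    def validate_addition(self, validator: Account, assignment: RoleAssignment) -> RoleAssignment:
        self._check_validator(validator, assignment)
        assignment.status = "Validated"
        self.accounts[assignment.target].roles.add(assignment.role)
        return assignment

    def cancel_addition(self, validator: Account, assignment: RoleAssignment) -> RoleAssignment:
        self._check_validator(validator, assignment)
        assignment.status = "Cancelled"
        return assignment


def run_scenario() -> dict[str, object]:
    """Replays the document's example and returns the observable outcomes."""
    portal = IdentityPortal()
    # Provisioning seeds the initial user with Creator, Validator and Administrator.
    initial = portal.create_account(None, "initial-user", {CREATOR, VALIDATOR, ADMINISTRATOR})
    portal.create_account(initial, "developer")
    # Creator and Validator on the same account: the assignment applies immediately.
    immediate = portal.assign_role(initial, "developer", ADMINISTRATOR)

    # Enable dual control: a second account validates; the initial user no longer can.
    second = portal.create_account(initial, "second-user", {VALIDATOR})
    initial.roles.discard(VALIDATOR)
    portal.create_account(initial, "ops-user")
    pending = portal.assign_role(initial, "ops-user", ADMINISTRATOR)
    status_before, roles_before = pending.status, set(portal.accounts["ops-user"].roles)

    try:
        portal.validate_addition(initial, pending)  # no validator permission any more
        self_validated = True
    except PermissionError:
        self_validated = False
    portal.validate_addition(second, pending)

    return {
        "immediate_status": immediate.status,
        "pending_status_before": status_before,
        "ops_roles_before": roles_before,
        "self_validated": self_validated,
        "pending_status_after": pending.status,
        "ops_roles_after": set(portal.accounts["ops-user"].roles),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point worth noticing is the `_check_validator` guard: the request only leaves ToBeAdded when a different account holding the Validator role acts on it, so removing that role from the initial user is what turns the configuration into genuine dual control rather than a formality.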