Identity Account

An Identity Account refers to an account that is created and managed within the Nexus Identity environment. These accounts provide controlled, role-based access to Nexus resources and functionality, ensuring that permissions are assigned and maintained according to organizational policies.

For more information on creating and managing identity accounts, refer to the Configure Nexus - Create users section.

Types

There are two types of accounts, each providing access to different areas of the Nexus platform.

  • User Account: Intended for human users, providing controlled access to the Nexus Portal.
  • Service Account: Designed for system or application use, providing controlled access and authentication to the Nexus API solution.

Permissions

Permissions define the specific actions and resources that accounts can access within Nexus. A predefined set of permissions exists to select from and assign to a role.

Roles

Roles act as collections of permissions that simplify the management of account access. Instead of assigning individual permissions to each account, roles group related permissions together, making access control easier to configure and maintain. They can be assigned to accounts to grant, and where necessary, restrict access to Nexus. Multiple roles can be assigned to a single account, allowing flexible permission management.

Your environment includes a set of default roles that are available out of the box, enabling you to quickly begin assigning access to users. These predefined roles are intended to cover common use cases and provide guidance on standard access patterns. While default roles cannot be modified, administrators may create custom roles or clone existing default roles to build tailored authorization profiles that align with specific organizational needs.

Below we elaborate on some of the default roles and their intended use:

Identity Accounts - Creator (high risk)

The Identity Accounts - Creator role is a high-risk role, and it should be assigned with caution. The role grants the ability to manage both user and service accounts, as well as assign roles to these accounts. Most actions performed under this role require validation from a separate approving role, enforcing a four-eyes principle as an additional security safeguard.

Identity Accounts - Validator (high risk)

This role is responsible for validating and approving the actions initiated by the Identity Accounts - Creator role. By providing this second level of authorization, the role enforces the four-eyes principle, ensuring that sensitive operations cannot be completed without proper review and explicit approval.

API Clients (high risk)

There are two ways to establish access to the Nexus API solution, one of which is through API Clients; this role allows the management of those API Clients. Unlike Service Accounts (the second access option), API Clients provide full, unrestricted access to the Nexus API: their permissions cannot be limited or narrowed, whereas Service Accounts allow access to be controlled more precisely.

Service Accounts (high risk)

The Service Account role enables the management of Service Accounts, one of the two available methods for accessing the Nexus API solution. While similar in purpose to API Clients, Service Accounts differ in that they support restricted access, meaning the Service Account itself can be set up to allow only specific interactions with the Nexus API.

This role also introduces an added security requirement: actions performed through the Service Accounts role must be validated and approved by the Identity Accounts - Validator role. This enforces the four-eyes principle, ensuring that sensitive or potentially impactful access cannot be granted without an independent review. As a result, the Service Accounts role provides both controlled access and a strengthened security model through mandatory validation.

Read-only API Access

This role is designed specifically for service accounts that need limited, non-mutating access to the Nexus API solution. A service account assigned this role can perform GET requests only, enabling it to retrieve and view data without any ability to create, update, or delete resources.

It supports scenarios where an integration or automated process requires data consumption only while maintaining a low security risk.

Full API Access (high risk)

This role is intended for service accounts that require complete operational capability within the Nexus API solution. A service account with this role can perform all API operations, including GET, POST, PUT, and other write or administrative actions.

Since it grants unrestricted API access, this role carries elevated security risk and should be assigned only to trusted, well-controlled services with a verified operational need. Robust credential management and monitoring are strongly recommended.
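As an added illustration (not Nexus product code), the following Python models the two API-access roles and the four-eyes validation described in the Service Accounts and Identity Accounts sections above. The permission strings, class names and account names are assumptions; only the role names come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping of the documented default roles to assumed permission strings.
ROLE_PERMISSIONS = {
    "Read-only API Access": {"api:GET"},
    "Full API Access": {"api:GET", "api:POST", "api:PUT", "api:DELETE"},
    "Identity Accounts - Creator": {"identity:manage"},
    "Identity Accounts - Validator": {"identity:validate"},
}

@dataclass
class Account:
    name: str
    kind: str                      # "user" (Portal) or "service" (API)
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        # Effective permissions are the union of all assigned roles.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles))

def api_request_allowed(account: Account, method: str) -> bool:
    """Only service accounts reach the API, and only with a method a role grants."""
    return account.kind == "service" and f"api:{method.upper()}" in account.permissions()

@dataclass
class PendingChange:
    initiator: Account
    description: str
    approved_by: Optional[Account] = None

def initiate_change(creator: Account, description: str) -> PendingChange:
    """A Creator-role account starts an identity change; it stays pending until validated."""
    if "identity:manage" not in creator.permissions():
        raise PermissionError(f"{creator.name} cannot initiate identity changes")
    return PendingChange(creator, description)

def validate_change(change: PendingChange, validator: Account) -> PendingChange:
    """Four-eyes rule: a different account holding the Validator role must approve."""
    if "identity:validate" not in validator.permissions():
        raise PermissionError(f"{validator.name} lacks the Validator role")
    if validator.name == change.initiator.name:
        # Holding both roles does not let one person self-approve.
        raise PermissionError("initiator may not approve their own change")
    change.approved_by = validator
    return change
```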

Administrator

The Administrator role is the highest level of authority within Nexus. This role provides full admin rights in the Nexus portal, except for user management.

Operator

The Operator role has one of the lowest levels of access rights. It is responsible for managing day-to-day operations such as transactions, payments, report generation, viewing totals and related tasks.