Managing users
Go to Settings → Manage Users to see everyone who has access to your Nudge Security tenant.
From this page, you can:
Change a user's role by selecting a new role from the dropdown next to their name
Update the default role, which is assigned to every user who has not been given a role explicitly
Remove access by changing a user's role to Restricted, which keeps their account in the system but removes all visibility into SaaS data
You don't create or delete user accounts from this page — users already exist in Nudge Security and are populated from your organization's email provider. The Manage Users page controls what role they have in Nudge Security, which determines what they can see and do.
Roles
Nudge Security has five roles, ordered from least to most privileged. Each role includes the capabilities of every less-privileged role, so an Organization View user can do everything a Personal View user can, plus more.
Restricted
Users with this role can only request access to the Nudge Security portal. They cannot sign in or see any SaaS data until an Administrator grants them a higher role.
Best for: Users who should not have access to Nudge Security.
Personal View
Users can see their own SaaS footprint — their accounts, OAuth grants, and AI tool usage — and access the App Directory to browse approved apps and submit access requests. They'll also receive nudges sent to them through rules or playbooks. They cannot see anything about the broader organization's SaaS environment.
This is the minimum role required for App Directory access. If you want your workforce to be able to find and request approved tools through the App Directory, they need Personal View or higher. For details on setting up the App Directory, see Configuring and Using the App Directory.
Best for: All employees and general workforce. This is the recommended default role.
Organization View
Everything in Personal View, plus full read-and-act access across the organization's SaaS environment. Users in this role can view the full app inventory, all user accounts and groups, OAuth grants, attack surface data, spend data, AI agent inventory, AI conversation monitoring data, security posture findings, and all dashboards. They can edit app metadata (approval statuses, technical contacts, compliance scope), create and edit notification rules, run non-offboarding playbooks (like Access Reviews and Abandoned Accounts), and export reports.
They cannot run the Employee Offboarding playbook, revoke OAuth grants, change organization settings, manage connected apps or the browser extension, or manage users and roles.
Best for: Security analysts, GRC stakeholders, and IT operators who need visibility and the ability to act on what they see, but who don't own offboarding or tenant configuration.
Organization View + Offboarding
Everything in Organization View, plus the ability to run the Employee Offboarding playbook and revoke OAuth grants. This role exists because offboarding involves destructive actions (revoking access, resetting passwords, revoking OAuth grants) that you may want to limit to specific people rather than granting to everyone with org-wide visibility.
Best for: IT operators or HR/IT delegates who own the offboarding process but shouldn't be full tenant admins.
Administrator
Full access to everything in Nudge Security. In addition to all the capabilities above, Administrators can configure connected apps, manage browser extension settings, configure AI governance policies, manage organization settings (org structure, spend settings, default user role), manage users and roles (invite users, assign roles, configure Okta SSO for Nudge Security login), generate API keys, customize nudge templates, and mark security posture findings as resolved or dismissed.
Administrators are also the only role that can enable the App Directory and choose which approval statuses (Approved, Acceptable, etc.) appear in it. See Configuring and Using the App Directory for setup details.
Best for: Tenant owners and primary Nudge Security admins. Keep this list short — typically two to three people for separation of duties.
What each role can do
Here's a summary of which capabilities are available at each role level. Roles are cumulative — each role includes everything from the roles to its left.
| Capability area | Restricted | Personal View | Organization View | Org View + Offboarding | Administrator |
|---|---|---|---|---|---|
| View/edit own profile | — | Yes (view only) | Yes | Yes | Yes |
| View own SaaS accounts, OAuth grants, AI usage | — | Yes | Yes | Yes | Yes |
| Access App Directory, submit access requests | — | Yes | Yes | Yes | Yes |
| Receive nudges | — | Yes | Yes | Yes | Yes |
| View org-wide app inventory, users, OAuth grants | — | — | Yes | Yes | Yes |
| Edit app metadata (approval status, technical contact, fields) | — | — | Yes | Yes | Yes |
| View dashboards (Overview, Shadow Apps, Spend, Posture, Attack Surface, Progress) | — | — | Yes | Yes | Yes |
| View security posture findings | — | — | Yes | Yes | Yes |
| View AI agent inventory and AI conversation data | — | — | Yes | Yes | Yes |
| View spend data and forecasts | — | — | Yes | Yes | Yes |
| Create and edit notification rules | — | — | Yes | Yes | Yes |
| Run playbooks (Access Reviews, Abandoned Accounts, etc.) | — | — | Yes | Yes | Yes |
| Export reports | — | — | Yes | Yes | Yes |
| Run Employee Offboarding playbook | — | — | — | Yes | Yes |
| Revoke OAuth grants / remove accounts | — | — | — | Yes | Yes |
| Configure connected apps | — | — | — | — | Yes |
| Configure browser extension settings | — | — | — | — | Yes |
| Configure AI governance policies | — | — | — | — | Yes |
| Manage organization settings | — | — | — | — | Yes |
| Customize nudge templates and settings | — | — | — | — | Yes |
| Manage Spend Settings (currency, mailboxes) | — | — | — | — | Yes |
| Mark findings as resolved / dismissed | — | — | — | — | Yes |
| Manage users, assign roles, configure SSO | — | — | — | — | Yes |
| Generate API keys | — | — | — | — | Yes |
| Enable/disable App Directory | — | — | — | — | Yes |
Setting the default role for new users
Administrators can configure which role is automatically assigned to new users who are added to the tenant. Go to Settings → Organization Settings to set the default role.
For most organizations, Personal View is the recommended default. This gives every employee access to their own SaaS footprint and the App Directory without granting them visibility into the broader organization's data. You can then upgrade specific people to Organization View or higher as needed.
Recommendations
Keep Administrator count low. Two to three Administrators is enough for most organizations. Administrators can change settings, manage integrations, and assign roles — capabilities that should be limited for separation of duties and audit purposes.
Use Organization View + Offboarding sparingly. This role exists specifically for people who run the offboarding process. If someone needs org-wide visibility but doesn't handle offboarding, Organization View is sufficient and avoids granting access to destructive offboarding actions.
Set Personal View as your default role. This ensures new employees can see their own SaaS data and use the App Directory without accidentally granting them access to org-wide security data.
Review role assignments periodically. As people change roles or leave teams, their Nudge Security role may no longer be appropriate. Check the Manage Users page quarterly to confirm that role assignments still match responsibilities.
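As an added example (not Nudge Security's own code or API), the following Python models the role order and the capability matrix from the table above, answers whether a role grants a capability, computes the least-privileged role that covers a set of capabilities, and reviews a constructed list of role assignments against the recommendations in this section (Administrator count, over- and under-privileged users). Capability labels are shortened from the table; `SAMPLE_USERS`, `MAX_ADMINS` and the `needs` field are assumptions for illustration, not data from a real tenant.

```python
# Added example: a model of the cumulative role hierarchy described on this page,
# plus a least-privilege review of role assignments. Not Nudge Security code.

# Roles from least to most privileged, as listed on the page.
ROLES = [
    "Restricted",
    "Personal View",
    "Organization View",
    "Organization View + Offboarding",
    "Administrator",
]
RANK = {role: i for i, role in enumerate(ROLES)}

# Because roles are cumulative, the whole matrix collapses to "the minimum role
# that grants the capability". Labels are shortened from the table above.
MIN_ROLE = {
    "View own SaaS accounts, OAuth grants, AI usage": "Personal View",
    "Access App Directory, submit access requests": "Personal View",
    "Receive nudges": "Personal View",
    "View org-wide app inventory, users, OAuth grants": "Organization View",
    "Edit app metadata": "Organization View",
    "View dashboards": "Organization View",
    "View security posture findings": "Organization View",
    "Create and edit notification rules": "Organization View",
    "Run playbooks (non-offboarding)": "Organization View",
    "Export reports": "Organization View",
    "Run Employee Offboarding playbook": "Organization View + Offboarding",
    "Revoke OAuth grants / remove accounts": "Organization View + Offboarding",
    "Configure connected apps": "Administrator",
    "Configure AI governance policies": "Administrator",
    "Manage organization settings": "Administrator",
    "Mark findings as resolved / dismissed": "Administrator",
    "Manage users, assign roles, configure SSO": "Administrator",
    "Generate API keys": "Administrator",
    "Enable/disable App Directory": "Administrator",
}

MAX_ADMINS = 3  # the page recommends two to three Administrators (assumed threshold)


def can(role, capability):
    """True if `role` grants `capability`, directly or via a less-privileged role."""
    return RANK[role] >= RANK[MIN_ROLE[capability]]


def least_role_for(capabilities):
    """Least-privileged role that covers every capability in the set."""
    if not capabilities:
        return "Restricted"  # nothing needed: no visibility at all
    return max((MIN_ROLE[c] for c in capabilities), key=RANK.get)


def review_assignments(users):
    """Check assignments against the page's recommendations.

    `users` is a list of dicts with "email", "role" and "needs" (the
    capabilities the person actually uses). Returns (email, finding) tuples.
    """
    findings = []
    admins = [u["email"] for u in users if u["role"] == "Administrator"]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", f"{len(admins)} Administrators (recommended at most {MAX_ADMINS})"))
    for u in users:
        needed = least_role_for(u["needs"])
        if RANK[u["role"]] > RANK[needed]:
            findings.append((u["email"], f"over-privileged: has {u['role']}, needs only {needed}"))
        elif RANK[u["role"]] < RANK[needed]:
            findings.append((u["email"], f"under-privileged: has {u['role']}, needs {needed}"))
    return findings


# Constructed sample assignments (hypothetical people, not a real tenant).
SAMPLE_USERS = [
    {"email": "alice@example.com", "role": "Administrator",
     "needs": {"Manage users, assign roles, configure SSO"}},
    {"email": "bob@example.com", "role": "Administrator",
     "needs": {"Run Employee Offboarding playbook"}},
    {"email": "carol@example.com", "role": "Organization View",
     "needs": {"Export reports", "View security posture findings"}},
    {"email": "dave@example.com", "role": "Personal View",
     "needs": {"Run playbooks (non-offboarding)"}},
]

if __name__ == "__main__":
    for email, finding in review_assignments(SAMPLE_USERS):
        print(f"{email}: {finding}")
```

Running the review on the sample data reports bob as over-privileged (offboarding needs only Organization View + Offboarding, not Administrator) and dave as under-privileged (running playbooks needs Organization View). The same `least_role_for` lookup is what a reviewer applies during the quarterly check: start from what the person actually does, derive the minimum role, and compare it with what is assigned.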