Organizations and workspaces
Org and workspace hierarchy, roles, domain grants, materialized access, and governance.
Hierarchy overview
Nimriz uses a two-level structure above individual users:
Organization
└── Workspace (one or more)
└── Team members
The Organization is the commercial and governance parent. It owns:
- Subscriptions and billing.
- Custom domains (which are then granted to specific workspaces).
- Workspace-count limits and packaging.
- Org-level members and cross-workspace policies.
- Global analytics privacy enforcement.
A Workspace is your day-to-day operational environment. It owns:
- Links, routing rules, QR codes, spaces, and tags.
- Workspace API keys and conversion signing secrets.
- Webhooks and workspace-level feature settings.
- Workspace team members and their roles.
- Workspace-level Two-Factor Authentication (2FA) policy.
Most users interact with a single workspace. Larger teams and agencies may have multiple workspaces under one organization-for example, one workspace per brand or client.
Organization roles
Every person who belongs to an organization is assigned one of these org-level roles:
| Role | What they can do |
|---|---|
| Org Owner | Full control. Manages billing, creates and archives workspaces, assigns workspace admins, manages org members and admins, can transfer org ownership. |
| Org Admin | Administers all child workspaces (access is materialized automatically), manages org members, creates and archives workspaces, performs cross-workspace operational actions. Cannot transfer org ownership or manage billing exclusively. |
| Org Billing Admin | Manages subscriptions, payments, and billing settings. Has limited visibility into workspace summary data needed for billing but no general workspace mutation authority. |
| Org Member | Baseline organization membership. Visible in org member lists. Has no automatic cross-workspace admin authority. Access to workspaces comes through explicit workspace membership. |
Materialized org access
Org Owners and Org Admins automatically receive workspace Admin access on every child workspace in the organization. This is called materialized access-it is a real workspace membership row, not a virtual override. You will see Org Owners and Org Admins listed in your workspace's team page.
This means:
- An Org Admin can see and manage every workspace without needing a separate invitation to each one.
- Actions taken through materialized access are attributed to that org role in audit logs.
- The last-admin safeguard still applies-even an Org Owner cannot remove the last remaining workspace admin without adding another admin first.
Workspace roles
Within a workspace, every member has one of three roles:
| Role | Capabilities |
|---|---|
| Admin | View data, create/update links, manage domains, invite teammates, change member roles (up to Admin), remove members, manage workspace billing surfaces, enable/disable workspace 2FA enforcement. |
| Member | View dashboard data, create and update links. |
| Viewer | View dashboard and workspace data only. Cannot create or modify links. |
There is no workspace Owner role. Owner-level authority is handled by the Org Owner role at the organization level.
Every workspace must have at least one Admin at all times. The last remaining Admin cannot be demoted or removed without adding another Admin first.
Domain ownership and grants
Domains are owned by the organization, not by individual workspaces. Org Owners and Org Admins control which workspaces can use each domain.
The workflow:
- Add and verify a custom domain at the organization level (Settings → Domains).
- Grant that domain to one or more workspaces.
- Members of those workspaces can now select the domain when creating links.
If a domain does not appear in a workspace's domain selector, the organization administrator has not yet granted it to that workspace. Contact your Org Owner or Org Admin to request the grant.
Nimriz built-in domains (such as nim.lu, riz.to, rix.to) are also managed through this grant system and are automatically available to workspaces on eligible plans.
Analytics privacy policy
Organization Admins can set a strict analytics privacy policy that applies to every workspace and every link under the organization.
When the organization's analytics privacy policy is set to Strict required:
- Individual workspaces cannot choose a less strict privacy setting.
- Per-link privacy overrides cannot loosen below strict.
- Unique click metrics are unavailable across the entire organization.
When the policy is set to Workspace managed (the default):
- Each workspace manages its own default privacy setting.
- Individual links can also be set to strict privacy independently.
Managing org members and workspaces
Adding a new person to your organization:
- If they need access to a specific workspace, invite them directly to that workspace from the workspace's team settings. Accepting a workspace invite automatically creates org membership as well.
- If they need org-level authority (e.g., an Org Admin or Billing Admin) without belonging to a specific workspace, they can be invited at the org level through organization settings.
Creating a new workspace:
- Org Owners and Org Admins can create new workspaces from the organization settings.
- New workspaces start with the creator as the initial Admin.
- Domains must be explicitly granted to the new workspace before team members can create links on them.
Archiving a workspace:
- Only Org Owners and Org Admins can archive (delete) a workspace.
- Archiving a workspace removes all its links from the redirect network and locks dashboard access.
Session and context model
When you are logged in to the Nimriz dashboard, you always have both an active organization and an active workspace in your session.
- Actions you take (creating links, viewing analytics, changing settings) always apply to the active workspace.
- The dashboard clearly shows your active organization and workspace in the navigation.
- If your access level comes from materialized org admin rights rather than direct workspace membership, the dashboard indicates this.
To switch between workspaces, use the workspace switcher in the main dashboard navigation. See Workspace switching.
Troubleshooting
I cannot see a domain in the link creation selector
The domain has not been granted to your workspace. Contact your Org Owner or Org Admin to add the grant.
I can log in but cannot access any workspace content
You may have been given an org-level invite but have not yet been added to a specific workspace. Contact your Org Admin to be added to the relevant workspace, or accept a workspace invite if one was sent to your email.
An Org Admin is not showing in my workspace member list
Wait a moment and refresh. Materialized access is applied automatically when org roles change, but can take a brief moment to sync.