Operations and security teams

Team link management and workspace access controls

Branded links are operational infrastructure, not personal tools. Nimriz gives shared workspaces the role-appropriate access, two-factor authentication enforcement, and audit history teams need to keep link operations safe and accountable as the team grows.

  • Three built-in workspace roles cover most team structures without custom role engineering
  • Account-level TOTP and workspace-enforceable 2FA on supported plans
  • Immutable audit trail across links, team changes, domains, and security events

Workspace roles

Three built-in workspace roles give every teammate the right level of access. Owner-level authority lives at the organization level.

Built-in roles

  • Admin: Invite teammates, change roles, manage domains, enable or disable workspace 2FA enforcement, access audit log
  • Member: Create and update links, view analytics, manage day-to-day link work
  • Viewer: Read-only access to links and analytics for stakeholders or reviewers

Workspace security controls

  • TOTP two-factor authentication per user account
  • Admin-managed workspace 2FA enforcement (on supported plans)
  • Immutable audit trail covering links, team changes, domains, and security events

As a team's link operation grows beyond a single person, the informal arrangements that worked early on start creating risk. Shared login credentials mean no way to know who changed a destination URL or revoked an API key. A single admin account means no separation between stakeholders who need to view reports and teammates who should be able to create or edit links. And without a persistent record of who did what, incident follow-up and access reviews rely on memory rather than evidence.

Nimriz workspaces are designed for team use from the start. Every person on the team gets their own account, and workspace membership is role-scoped from the first invite. The three built-in workspace roles - Admin, Member, and Viewer - cover the majority of team structures without requiring any custom role configuration. Admins handle team management, domain control, and security policy. Members do the day-to-day link work. Viewers get read access for stakeholders and reviewers who need visibility without the ability to make changes.

Account security is handled through TOTP-based two-factor authentication. Any user can enroll an authenticator app and generate recovery codes from their profile settings. On supported plans, workspace Admins can go further and require every member to have 2FA active before accessing the workspace. Enforcement takes effect immediately upon confirmation, and the workspace's member compliance view lets an Admin see who is already enrolled before they turn it on.

The audit log ties everything together. Every meaningful mutation - link edits, team changes, domain operations, API key lifecycle events, and security factor changes - is written to an immutable record that Workspace Admins can search, filter, and export. When a link destination changes unexpectedly or a team member needs to be investigated after leaving, the audit log provides the answer with actor identity, timestamp, and before/after context.

Who it is for

Operations or marketing ops lead

Needs a shared workspace where the full team can create and manage links under a single operation, with roles that keep link-creation rights and read-only visibility clearly separated.

Security or IT reviewer

Needs TOTP two-factor authentication on every account and the option to enforce it at the workspace level, plus an immutable audit log to review access events and security changes.

Agency or multi-team admin

Runs separate workspaces for different clients or brands, assigns Admins for each workspace, and needs audit history to answer accountability questions across link operations.

What you get

Three built-in workspace roles

Every workspace member holds one of three roles: Admin, Member, or Viewer. Admins can invite teammates, change roles, manage domains, and control workspace security settings. Members create and update links while Viewers have read-only access for stakeholders who need visibility without edit rights. Custom roles are not part of the current workspace model.

Email invites and workspace switching

Workspace Admins invite teammates by email: the invitation email includes the workspace name, inviter identity, the assigned role, and a secure acceptance link that expires after 7 days. Team members can belong to multiple workspaces and switch between them using the workspace switcher in the dashboard. Each workspace keeps its links, domains, settings, and team access fully separate.

Two-factor authentication

Any user can enable TOTP-based two-factor authentication from their profile settings by scanning a QR code with an authenticator app and saving a set of single-use recovery codes. On supported plans, workspace Admins can enforce 2FA for the entire workspace: enforcement takes effect immediately, and any non-compliant member is routed through the TOTP enrollment flow before gaining workspace access.

Immutable audit history

Every security-relevant action is written to an append-only audit log: link creates, destination changes, invite lifecycle events, role changes, domain operations, API key rotations, and TOTP enrollment or reset events. Each entry records the actor, timestamp, entity type, entity ID, workspace context, and before/after metadata where applicable. Workspace Admins can filter by time range, action, actor, or entity type and export to CSV.

How it works

Shared workspaces with clear access boundaries

Invite teammates into a workspace, assign a built-in role, and let workspace-level controls handle the rest. Enforce 2FA when the team is ready, and review the audit log when something needs follow-up.

  1. Plan
    Invite teammates by email with a specific role; the invitation email includes workspace name, inviter identity, the assigned role, and a secure 7-day acceptance link.
  2. Publish
    Assign Admin, Member, or Viewer based on each person's responsibilities. Admins manage team access and workspace security; Members create links; Viewers review without editing.
  3. Measure
    Enable TOTP on every account and optionally enforce it at the workspace level. Non-compliant members are blocked from workspace content until they complete enrollment.

  • Each workspace keeps its links, domains, API keys, and team membership fully scoped. Team members who belong to multiple workspaces switch between them using the workspace switcher.
  • Review the audit log from Settings to see who changed what, when, and from which actor context. Filter by time range, action type, actor, or entity type. Export to CSV for external review.

Example

  • Teammate joins: Invited as Member, scoped to the production workspace. Invite accepted with matching email; active workspace switches on acceptance.
  • Workspace 2FA policy: Admin enables workspace 2FA enforcement after reviewing member compliance. Non-compliant members are blocked and routed to TOTP enrollment before gaining access.
  • Audit event: A destination change on go.brand.com/launch is recorded in the audit log with actor, timestamp, and before/after destination host.
  • Multiple workspaces: A second workspace keeps an experimental brand isolated from the production link operation. Each workspace has its own team, domains, and settings.

Setup

  1. Create or choose a workspace
    Every Nimriz account starts with a workspace. To add more workspaces for separate brands, clients, or teams, an Org Owner or Org Admin creates them from organization settings. Each workspace has its own links, domains, API keys, and team membership. See: Organizations and workspaces.
  2. Invite teammates and assign a built-in role
    Go to Settings → Team and click Invite member. Enter the teammate's email and select Admin, Member, or Viewer. Invitations expire after 7 days; pending invites can be resent or revoked at any time. See: Team invites and roles.
  3. Enable two-factor authentication and optionally enforce it
    Each team member sets up TOTP from Settings → Profile → Two-factor authentication. On supported plans, Workspace Admins can enforce 2FA for the whole workspace from Settings → Team. Review member compliance before enabling enforcement - non-compliant members lose workspace access immediately and must complete TOTP enrollment to regain it. See: Two-factor authentication guide.
  4. Review the audit log
    Workspace Admins access the audit log at Settings → Audit. Filter by time range, action, actor, or entity type to investigate specific events. Every entry is immutable and includes the actor, timestamp, entity, workspace context, and action-specific metadata. Export to CSV for external review or archiving. See: Audit logs guide.

What good looks like

Before: shared accounts and no governance

  • Shared login credentials with no individual accountability
  • No separation between link editors and read-only stakeholders
  • No record of who changed a link destination or revoked an API key
  • No way to enforce account security across the whole team

After: per-person accounts with built-in roles and an audit trail

  • Every teammate has their own account with a role-scoped workspace membership
  • Admins, Members, and Viewers each get the access their responsibilities require
  • Workspace 2FA enforcement keeps all accounts protected (on supported plans)
  • An immutable audit log records who did what with actor identity and timestamps

Teams gain accountability and security controls without rebuilding their link operation workflow.

Frequently asked questions

What workspace roles does Nimriz have?

Nimriz workspaces have three built-in roles: Admin, Member, and Viewer.

  • Admin - can view workspace data, create and update links, manage domains granted to the workspace, invite teammates, change member roles (up to Admin), remove members, enable or disable workspace 2FA enforcement, and manage workspace billing surfaces.
  • Member - can view dashboard data and create and update links.
  • Viewer - can view dashboard and workspace data only. Cannot create or modify links.

There is no workspace Owner role. Owner-level authority is handled by the Org Owner role at the organization level. Every workspace must always have at least one Admin - Nimriz blocks any action that would remove or demote the last Admin. Custom roles are not part of the current workspace model.

How do workspace invites work, and can someone belong to multiple workspaces?

Only Workspace Admins can send invitations. To invite someone, go to Settings → Team, click Invite member, enter their email address, and select a role. Nimriz sends an invitation email containing the workspace name, the inviter's identity, the invited email, the assigned role, and a secure acceptance link. Invitations expire after 7 days and can be resent or revoked before acceptance.

Yes, a person can belong to multiple workspaces. After accepting an invite, they use the workspace switcher in the dashboard navigation to move between workspaces. Each workspace keeps its links, domains, team membership, and settings completely separate. Switching into a workspace that enforces 2FA requires TOTP compliance first.

How does two-factor authentication work in Nimriz?

Nimriz uses TOTP-based two-factor authentication. Any user can enroll from Settings → Profile → Two-factor authentication by scanning a QR code with a compatible authenticator app (such as Google Authenticator, Authy, or 1Password). After verifying a code, Nimriz issues a set of single-use recovery codes for emergency access.

Once enrolled, every login requires a valid 6-digit code from the authenticator app (or an unused recovery code) after primary authentication. Recovery codes are each valid once. Generating a new set immediately invalidates all previous unused codes. If both the authenticator app and all recovery codes are lost, account recovery requires a support-assisted factor reset.

Can 2FA be enforced for an entire workspace?

Yes, on supported plans. Workspace Admins can enable 2FA enforcement from Settings → Team → Two-Factor Authentication. Before enabling, Admins can review the member compliance view to see which members already have TOTP enrolled.

Enforcement takes effect immediately upon confirmation - there is no automatic grace period. Once enforcement is active, any member who has not set up TOTP is blocked from accessing workspace content and routed to the enrollment flow. API requests from non-compliant members are also rejected. Workspace switching into the enforced workspace is denied until the member is compliant. Disabling enforcement does not remove anyone's existing TOTP setup.

What does the audit log record?

The audit log is an immutable record of security-relevant actions. Every entry records the actor (user, API key, or system), timestamp, action, entity type, entity ID, workspace context, and action-specific metadata such as before/after values.

Covered actions include: link creates, destination changes, slug changes, expiration and password updates, routing rule changes; invite lifecycle events (sent, resent, revoked, accepted); member role changes and member removal; domain operations; API key and webhook lifecycle events; and security events including TOTP enrollment, TOTP disable, recovery code regeneration, workspace 2FA enforcement changes, and support-admin TOTP resets.

Routine read operations (viewing links or analytics) and no-op saves are intentionally not logged. Workspace Admins access the log at Settings → Audit and can filter by time range, action, actor, or entity type, then export to CSV.
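
For periodic access reviews, the CSV export can be triaged with a short script. The following is an added example, not Nimriz code: the column names, action names, actor format, and sample rows are all assumptions constructed for illustration and must be matched to a real export before use. It flags destination changes that move a link to a different host, role changes to Admin, and events that weaken 2FA.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export. Column and action names are assumptions for
# illustration; check them against a real CSV export before use.
SAMPLE_CSV = """timestamp,actor,action,entity_type,entity_id,before,after
2024-05-01T09:00:00Z,user:ana@example.com,link.destination_changed,link,lnk_1,https://shop.example.com/launch,https://shop.example.com/launch-v2
2024-05-01T09:05:00Z,api_key:key_7,link.destination_changed,link,lnk_2,https://shop.example.com/sale,https://files.example.net/sale
2024-05-01T09:10:00Z,user:bo@example.com,member.role_changed,member,mem_3,Member,Admin
2024-05-01T09:12:00Z,user:bo@example.com,workspace.2fa_enforcement_disabled,workspace,ws_1,enabled,disabled
2024-05-01T09:20:00Z,user:ana@example.com,link.created,link,lnk_4,,https://shop.example.com/new
"""

# Hypothetical action names for events that weaken account or workspace security.
WEAKENING_ACTIONS = {"totp.disabled", "totp.support_reset", "workspace.2fa_enforcement_disabled"}


def host_of(value):
    """Return the lowercase host for a URL or bare hostname ('' if empty)."""
    value = value.strip()
    parsed = urlsplit(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def review(csv_text):
    """Return (timestamp, actor, reason) for rows that deserve a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action, before, after = row["action"], row["before"], row["after"]
        reason = None
        if action == "link.destination_changed" and host_of(before) != host_of(after):
            # Same-host path edits are routine; a new host is worth confirming.
            reason = f"destination host changed: {host_of(before)} -> {host_of(after)}"
        elif action == "member.role_changed" and after == "Admin":
            reason = f"role raised to Admin (was {before})"
        elif action in WEAKENING_ACTIONS:
            reason = f"security control weakened: {action}"
        if reason:
            findings.append((row["timestamp"], row["actor"], reason))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CSV):
        print(*finding, sep="  ")
```
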

What is the difference between an organization and a workspace?

An organization is the commercial and governance parent. It owns subscriptions and billing, custom domains (which are granted to specific workspaces), workspace-count limits, and org-level members. Org Owners and Org Admins have authority across all child workspaces.

A workspace is the day-to-day operational environment. It owns links, routing rules, QR codes, spaces, tags, workspace API keys, webhooks, and team membership. Most users interact with a single workspace. Larger teams may run multiple workspaces under one organization - for example, one workspace per brand or client.

Workspace roles (Admin, Member, Viewer) govern day-to-day collaboration inside a workspace. Org roles (Org Owner, Org Admin, Org Billing Admin, Org Member) govern the organization layer. Org Owners and Org Admins automatically receive Admin access across all child workspaces through materialized access.

Are there features that require a specific plan?

Workspace invites, built-in workspace roles (Admin, Member, Viewer), TOTP two-factor authentication at the user level, and the audit log are available as part of standard workspace collaboration. Workspace-level 2FA enforcement (requiring all members to have TOTP active) is available on supported plans. Multiple workspaces under one organization and delegated org administration are also plan-dependent. See the pricing page for current plan details.

Does Nimriz support SSO or directory sync?

TOTP-based two-factor authentication is available now for all dashboard users. SSO (single sign-on) and directory sync are not part of the standard workspace feature set described on this page. For enterprise identity requirements, contact the Nimriz team.
