
User Management

User management in Nexalix covers the full lifecycle of team member accounts — from initial creation and onboarding through to password resets, deactivation, and deletion. Only users with the appropriate permissions (typically Organisation Admins) can manage other users.

There are two ways to add a user to your organisation: sending an invite or creating the account with a password directly. In most cases, sending an invite is the recommended approach.

The invite flow lets you create a user account without having to set or share a password. The new user receives an email with a secure link to set their own password.

  1. Go to Admin → Users.
  2. Click Create User.
  3. Fill in the user’s details: first name, last name, username, email, language, and department.
  4. Enable Send Invite.
  5. Assign one or more roles (see Roles and Permissions).
  6. Click Save.

The user is created in an inactive state and receives an email containing a setup link. The link expires after 48 hours. Once they set their password, their account is automatically activated and their email is marked as verified.

If you prefer to set the user’s initial password yourself — for example, during an in-person onboarding session — you can create the account with a password directly.

  1. Go to Admin → Users.
  2. Click Create User.
  3. Fill in the user’s details and set a password (minimum 8 characters).
  4. Leave Send Invite disabled.
  5. Assign roles and click Save.

The user is created in an active state and can log in immediately with the credentials you provided.

Each user account has the following profile fields:

| Field | Description |
| --- | --- |
| First name | The user’s given name. |
| Last name | The user’s surname or family name. |
| Username | A unique identifier used for login. Must be globally unique across all organisations. |
| Email | Used for notifications and password resets. Must be verified before the user can receive email notifications. |
| Language | The user’s preferred language (en, es, or pt). Controls the language of email notifications and push notifications sent to this user. |
| Department | The sub-organisation (department or team) the user belongs to. Used for filtering incidents and controlling template visibility. |

Deactivation is the primary way to revoke a user’s access without losing their data. Deactivated users cannot log in, but their name still appears in incident histories, audit trails, and assignment records.

  1. Go to Admin → Users.
  2. Find the user and open their profile.
  3. Click Deactivate (or toggle the active status).

When a user is deactivated:

  • All their active sessions are terminated immediately — they are logged out of the web application and mobile app.
  • All their API tokens are revoked.
  • Any pending password setup or reset links are invalidated.
  • They can no longer log in or receive email notifications.
  • Their historical data (incidents created, status changes, cost records) is fully preserved.

To restore access, open the user’s profile and click Activate. The user can then log in again with their existing credentials. If they have forgotten their password, you can send them a password reset (see below).

Deletion permanently removes a user account from the system. However, Nexalix will block deletion if the user has any operational data linked to their account. This protects audit trails and ensures traceability is maintained.

The platform checks for the following linked data before allowing deletion:

| Data type | Description |
| --- | --- |
| Registered incidents | Incidents the user created. |
| Assigned incidents | Active incidents currently assigned to the user. |
| Cost records | Costs the user has recorded against incidents. |
| Status changes | Entries in the incident history where the user changed an incident’s status. |

If any of these exist, the deletion is blocked and the platform displays the specific data that prevents it, along with a suggestion to deactivate the user instead.

Nexalix provides two password reset mechanisms: admin-initiated resets and self-service recovery.

Organisation Admins can send a password reset link to any user in their organisation.

  1. Go to Admin → Users.
  2. Open the user’s profile.
  3. Click Send Password Reset.

The user receives an email with a secure link to set a new password. The link expires after 24 hours and can only be used once. After the user sets their new password, all their existing sessions are terminated for security — they will need to log in again.

Users can reset their own password from the login screen without admin intervention.

  1. On the login page, click Forgot Password.
  2. Enter the email address associated with the account.
  3. Check the inbox for the reset email and follow the link.
  4. Set a new password (minimum 8 characters).

The reset link expires after 1 hour. For security, the platform always confirms that the email was sent regardless of whether the address exists in the system — this prevents anyone from discovering which email addresses have accounts.

After setting a new password through this flow, the user is not automatically logged in. They must log in normally, including completing two-factor authentication if it is enabled on their account.
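
The link rules described on this page (48-hour invite links, 24-hour admin resets, 1-hour self-service resets, invalidation on deactivation, and the identical reply for unknown addresses) can be modelled as below. This is an added example, not Nexalix code: the `LinkStore` class, its method names, the reply text, storing only token hashes, and single use for every link type are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Link lifetimes stated on this page, in seconds.
TTL = {"invite": 48 * 3600, "admin_reset": 24 * 3600, "self_reset": 1 * 3600}
GENERIC_REPLY = "If the address is registered, a reset email has been sent."


@dataclass
class Link:
    user: str
    kind: str
    expires_at: float
    used: bool = False


class LinkStore:
    """Hypothetical in-memory model; only token hashes are stored."""

    def __init__(self, users):
        self.users = dict(users)   # email -> active flag (constructed data)
        self.links = {}            # sha256(token) -> Link

    def issue(self, email, kind, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.links[digest] = Link(email, kind, now + TTL[kind])
        return token

    def forgot_password(self, email, now):
        # Same reply for known and unknown addresses: no account enumeration.
        token = self.issue(email, "self_reset", now) if self.users.get(email) else None
        return GENERIC_REPLY, token   # token would be emailed, never shown

    def redeem(self, token, now):
        link = self.links.get(hashlib.sha256(token.encode()).hexdigest())
        if link is None or link.used or now >= link.expires_at:
            return None
        link.used = True              # single use (assumed for every link kind)
        if link.kind == "invite":
            self.users[link.user] = True   # invite completion activates the account
        return link.user

    def deactivate(self, email):
        self.users[email] = False
        # Pending setup/reset links are invalidated together with access.
        self.links = {d: l for d, l in self.links.items() if l.user != email}
```
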

Nexalix supports time-based one-time passwords (TOTP) for two-factor authentication. This adds an extra layer of security by requiring a code from an authenticator app (such as Google Authenticator or Authy) in addition to the password.

Any user can enable 2FA from their own settings:

  1. Go to Settings → Security.
  2. Click Enable Two-Factor Authentication.
  3. Scan the QR code with an authenticator app.
  4. Enter the confirmation code to complete setup.
  5. Save the recovery codes in a secure location — these are single-use codes that allow login if the authenticator app is unavailable.

To disable 2FA, return to the same settings page and click Disable Two-Factor Authentication. You will be asked to confirm your current password.

Organisation Admins can require all users in the organisation to enable 2FA:

  1. Go to Admin → Organisation → Security.
  2. Toggle Require 2FA.

When enforcement is enabled, users who have not yet set up 2FA will be prompted to do so on their next login. They will not be able to access any part of the platform until their 2FA configuration is complete.

Users must verify their email address before they can receive email notifications (such as incident alerts and assignment notifications). Verification is handled automatically in some flows and manually in others.

When a user sets their password through an invite link or a password reset link, their email is automatically marked as verified. Receiving and using the secure link serves as proof of email ownership.

If a user adds or changes their email address from their profile settings, a verification email is sent to the new address. The user must click the link in that email to complete verification.

To resend the verification email, the user can go to Settings → Notifications and click Resend Verification Email.

Only users with a verified email address can receive email notifications. If a user’s email is unverified, they will still appear in the system and can use the platform normally, but no email notifications (incident alerts, assignment notices, etc.) will be delivered to them.

  • Use the invite flow for onboarding. It is more secure than setting passwords manually, and it verifies the user’s email in a single step.
  • Deactivate rather than delete. Deactivation preserves audit trails and data integrity. Only delete accounts that have no operational data.
  • Set the correct language for each user. Email notifications and push notifications are sent in the user’s configured language. Setting this correctly ensures they receive communications they can read.
  • Assign roles at creation time. Users without roles have no permissions and cannot perform any actions. Always assign at least one role when creating or inviting a user.
  • Encourage users to enable 2FA. Even if your organisation does not enforce it, two-factor authentication significantly reduces the risk of account compromise. Consider enabling organisation-wide enforcement for sensitive environments.
  • Keep email addresses up to date. Users who change their email address must re-verify it. Remind team members to update their profile if their email changes, so they continue receiving notifications.