Summary and recommendation
ActiveCampaign user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
ActiveCampaign uses a group-based permission model: every user belongs to exactly one group, and all feature-area access (Contacts, Campaigns, Automations, Deals, Reports, Templates) is configured at the group level, not per individual. The default Admin group has immutable full access and cannot be edited or deleted.
Custom groups are available on Plus, Pro, and Enterprise plans, with granular sub-permissions (view, create, edit, delete, send, export) and numeric activity limits per group. There is no native SCIM on any plan; all provisioning and deprovisioning is manual through Settings > Users and Groups or the REST API.
Quick facts
| Admin console path | Settings (gear icon) > Users and Groups |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Primary Administrator | Full account access. Only user who can manage global templates, initiate account cancellation, and grant purchase permissions to others. Cannot be deleted. | Cannot be demoted or removed from the account. | All plans (1 per account) | Included in base plan seat count | Global templates are only visible to the Primary Administrator or users in the Admin group. |
| Admin Group Member | Can add/delete users, manage all user group permissions, view and edit automations created by any user group, manage global templates, set up SSO. | Cannot edit or delete the default Admin group itself. | All plans | Counts against plan seat limit; additional seats purchasable | The Admin group cannot be deleted or have its permissions edited. Any user in the Admin group inherits full admin-level access. |
| Custom Group Member (e.g., Marketing, Sales) | Permissions are fully configurable at the group level: access to specific lists, contacts, campaigns, automations, deals, reporting, and templates. Activity limits (emails sent, contacts added, campaigns sent) can also be set per group. | Cannot access features or lists not explicitly granted to their group. Cannot view automations from other groups unless explicitly shared by an Admin. | Plus, Pro, or Enterprise (user groups/custom permissions not available on Starter plan) | Counts against plan seat limit; additional seats purchasable | Users in one group cannot view or edit automations created by users in another group unless an Admin explicitly grants cross-group access per automation. |
Permission model
- Model type: custom-roles
- Description: Permissions are set at the group level, not the individual user level. Admins create named user groups, assign contact lists and feature-level permissions (Contacts, Campaigns, Automations, Deals, Reports, Templates, etc.) per group, and optionally set activity limits. Each user is assigned to exactly one group. The default Admin group has immutable full access. Custom groups are fully configurable.
- Custom roles: Yes
- Custom roles plan: Plus, Pro, Enterprise
- Granularity: Feature-area level (Contacts, Lists, Campaigns, Automations, Deals, Reports, Templates, Forms) with sub-permissions (view, create, edit, delete, send, export) and numeric activity limits (emails/week, contacts added, campaigns sent, lists created).
How to add users
- Log in as an Admin.
- Click Settings (gear icon), then click 'Users and Groups' on the left menu.
- Click the 'Add a new user' button.
- Complete the modal fields: first name, last name, email address, password.
- Select the permission group to assign the user to.
- Optionally toggle 'Purchase Permissions' on to allow billing access.
- Optionally toggle 'Multi-Factor Authentication' on to enforce MFA for this user.
- Click the button to create the user. The user is created and the seat is assigned.
Required fields: First name, Last name, Email address, Password, Group assignment
Watch out for:
- All included seats must be assigned before purchasing additional seats via the Settings > Users and Groups path. Via Billing & Upgrade, additional seats can be purchased without pre-assigning all existing seats.
- The number of included users depends on the plan tier (Starter: 1, Plus: ~3, Pro: ~5, Enterprise: 5+ with custom pricing).
- New users added via SSO JIT provisioning are automatically placed in the 'SSO Users' group; group assignment cannot be pre-configured per user via IdP attributes.
- There is no CSV bulk import for users. Users must be added one at a time through the UI or via the REST API.
- SSO is only available on the Enterprise plan.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (SAML 2.0 SSO with JIT provisioning only; no native SCIM on any plan) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: ActiveCampaign uses a hard-delete model for users. There is no 'deactivate' or 'suspend' state. Deleting a user immediately revokes their account access. The action is permanent and cannot be undone. The seat is freed and can be reassigned to another person or left empty, but the seat count on the subscription is not automatically reduced.
- Log in as an Admin.
- Click Settings (gear icon) > Users and Groups.
- Locate the user to delete.
- Either: click the checkbox next to their name and click 'Delete', OR click the down caret next to the 'Edit' button and click 'Delete'.
- A confirmation modal will appear.
- Click the 'Delete User' button to confirm. The user is immediately removed.
| Data impact | Behavior |
|---|---|
| Owned records | Lists, Accounts, Deals, and Tasks owned by the deleted user must be manually reassigned to another user before or after deletion. They are not automatically reassigned. |
| Shared content | Automations and campaigns created by the deleted user remain in the account and are accessible to Admin group members. |
| Integrations | If integrations were configured using the deleted user's API credentials, those integrations will break immediately. There is no account-default API key; each user has their own. Affected integrations must be reconfigured with another user's API credentials. |
| License freed | Deleting a user does not reduce the number of purchased seats on the subscription. The vacated seat can be reassigned or left empty. To reduce the seat count and billing, seats must be explicitly removed via Billing & Upgrade. |
Watch out for:
- Deletion is permanent and cannot be undone.
- No automated deprovisioning exists; offboarding is entirely manual.
- API-credential-based integrations break on user deletion with no automatic failover.
- Seat count and billing are not reduced by deletion alone; a separate seat-removal step in Billing & Upgrade is required.
- JIT-provisioned SSO users are not automatically deprovisioned when removed from the IdP; their ActiveCampaign account must be manually deleted.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Included user seats | Seats bundled with the base plan. Starter: 1 seat; Plus: ~3 seats; Pro: ~5 seats; Enterprise: 5 seats (custom pricing, negotiable). | Included in base plan price |
| Additional purchased seats | Extra seats purchased on top of the plan's included allotment. Can be added or removed via Billing & Upgrade or Settings > Users and Groups. | Additional per-seat cost; pricing shown on Billing & Upgrade page. Prorated on billing cycle. |
- Where to check usage: Profile icon > Billing & Upgrade > Usage tab. Displays current plan, contact count, and user seat count.
- How to identify unused seats: Navigate to Settings > Users and Groups to view all assigned users. Compare assigned seats against the seat count shown on the Billing & Upgrade Usage tab. Seats assigned to deleted users are automatically vacated and visible as unassigned.
- Billing notes: Deleting a user does not reduce the purchased seat count or billing. To reduce seat count, go to Profile > Billing & Upgrade, click 'Edit' next to the user seat count, use the minus (-) button to reduce seats, and confirm the change. Seats can also be removed from Settings > Users and Groups when adding a new user. All seats must be assigned before purchasing additional seats via the Users and Groups path (not required via Billing & Upgrade path).
The cost of manual management
Without automated provisioning, every app in your stack that lacks SCIM requires hands-on admin work for every joiner, mover, and leaver. In ActiveCampaign specifically, adding a user requires navigating Settings > Users and Groups, completing a modal one user at a time (no CSV bulk import exists), and manually assigning a group.
Offboarding is a hard-delete with no deactivate or suspend state - and deleting a user does not reduce the purchased seat count or billing; a separate step in Billing & Upgrade is required to reclaim that cost.
JIT-provisioned SSO users are not automatically deprovisioned when removed from the IdP, so departed employees can retain access until an admin manually deletes their account. API-credential-based integrations break immediately on user deletion with no automatic failover.
What IT admins are saying
IT admins consistently flag the same friction points with ActiveCampaign's user management. The absence of native SCIM on any plan means offboarding every marketing team member who leaves is a fully manual process.
SSO (SAML 2.0 with JIT) is gated to the Enterprise plan, which blocks smaller teams from even basic identity automation.
JIT provisioning only creates accounts on first login - there is no pre-provisioning, and new SSO users land in a generic 'SSO Users' group with no way to automate group assignment from IdP attributes.
The disconnect between user deletion and seat billing is a recurring complaint: admins must remember to separately reduce the seat count in Billing & Upgrade or continue paying for vacated seats.
Common complaints:
- No native SCIM on any plan means all user provisioning and deprovisioning is manual.
- SSO (SAML 2.0 with JIT) is restricted to the Enterprise plan, blocking smaller teams from basic identity management.
- JIT provisioning only creates accounts on first login; there is no pre-provisioning or automated deprovisioning when employees leave.
- New SSO users are placed in a generic 'SSO Users' group; group assignment cannot be automated based on IdP group membership.
- Deleting a user does not reduce the seat count or billing; a separate manual step is required to reclaim the seat cost.
- API-credential-based integrations break silently when a user is deleted, with no account-default API key fallback.
- Custom user group permissions (beyond the default Admin group) require Plus plan or higher; Starter plan users have no granular permission controls.
- Automation visibility requires two separate permission grants (group-level 'Manage' permission AND per-automation access grant), causing confusion and support tickets.
- Pricing restructuring (Lite renamed to Starter, seat limits tightened) has increased effective costs for many existing customers.
Community observations (summarized from cited discussions):
- The lack of SCIM means we're stuck with manual offboarding for every marketing team member who leaves. - Aggregated IT admin sentiment reported by Stitchflow (community/third-party analysis, 2026) (https://www.stitchflow.com/scim/activecampaign)
The decision
ActiveCampaign is a reasonable choice for marketing automation, but its identity management posture requires honest assessment before deployment at scale. If your team is on Starter, Plus, or Pro, you have no SSO and no SCIM - every provisioning and deprovisioning action is manual, indefinitely.
Enterprise unlocks SAML SSO with JIT, but JIT is onboarding-only: it does not deprovision users when they leave, and group assignment cannot be driven by IdP attributes. Teams with high marketing staff turnover or strict access-control requirements will carry meaningful ongoing admin overhead.
If your org already manages every app through a centralized directory and expects lifecycle automation, ActiveCampaign's current provisioning model will require a compensating process or tooling layer.
Bottom line
ActiveCampaign offers a capable group-based permission system with granular feature-area controls, but it has no native SCIM on any plan and restricts SSO to Enterprise. Every user must be added and removed manually through the UI or REST API, one at a time.
Offboarding is a permanent hard-delete that does not automatically reduce billing, and JIT provisioning provides no deprovisioning or IdP-driven group assignment.
Teams that need lifecycle automation will need to build or buy a compensating layer; teams comfortable with manual processes and low turnover will find the permission model functional but operationally intensive.
Automate ActiveCampaign workflows without one-off scripts
Stitchflow builds and maintains identity workflows for your exact setup. We cover every app, including the ones without APIs, and run deterministic trigger-to-report workflows with human approvals where they matter.
