Summary and recommendation
Airbyte user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Airbyte uses a two-tier role-based access model scoped at the organization level and the workspace level. Organization roles cascade across every app and workspace in your Airbyte account; workspace roles can only elevate a user's access, never restrict it below their org-level role.
Granular RBAC - including Workspace Editor, Runner, and Reader roles - is gated behind Cloud Teams or Self-Managed Enterprise. On Cloud Standard, every invited user lands as a Workspace Admin with no role differentiation available.
Quick facts
| Admin console path | Settings > Access Management (workspace-level) or Settings > Members (organization-level) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise or Cloud Team/Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Instance Admin (Self-Managed Enterprise only) | All permissions across all workspaces and all organizations in the Enterprise account. | Cannot be reassigned via UI; requires contacting Airbyte support to update assignment. | Self-Managed Enterprise | Automatically assigned to the first user who logs into a Self-Managed Enterprise instance. Cannot be changed through normal UI flows. | |
| Organization Admin | Full control over the organization and all workspaces within it. Can manage billing, members, and all workspace settings. Automatically holds Workspace Admin in every workspace. | Cannot be removed from a workspace by a Workspace Admin; requires Airbyte Support. Cannot be demoted once assigned. | Cloud Teams or Self-Managed Enterprise (organization features require Teams plan on Cloud) | Organization admins cannot be removed from a workspace by workspace-level admins. Must contact Airbyte Support. | |
| Organization Member | Base organization-level access. Can be assigned higher roles at the workspace level. | Cannot manage organization settings or billing. | Cloud Teams or Self-Managed Enterprise | Organization-wide permissions and each set of workspace permissions each count as separate permission objects. | |
| Organization Reader | Read-only access at the organization level. Can be elevated to Workspace Reader, Editor, or Admin within individual workspaces. | Cannot make changes at the organization level. | Cloud Teams or Self-Managed Enterprise | ||
| Workspace Admin | Can add or remove users, create/modify/delete sources, destinations, and connections within the workspace. | Cannot remove other Workspace Admins. Cannot demote another admin. Cannot remove Organization Admins from the workspace. | All paid plans (Cloud Standard users only have admin roles; full RBAC requires Cloud Teams or Self-Managed Enterprise) | New users invited to a workspace are added as Workspace Admin by default on older Cloud flows. On Cloud Standard, all users only have admin roles - granular RBAC requires Teams or Enterprise. | |
| Workspace Editor | Can create, modify, and delete sources and destinations; manage connections within the workspace. | Cannot manage workspace members or settings. | Cloud Teams or Self-Managed Enterprise | ||
| Workspace Runner | Can start or stop syncs and run backfills for individual connections in assigned workspaces. Read-only outside of those explicit tasks. | Cannot create or modify sources, destinations, or connections. Cannot manage members. | Self-Managed Enterprise (noted as Self-Managed Enterprise only at launch in v1.2) | Runner role was introduced in Airbyte v1.2 and was initially Self-Managed Enterprise only. | |
| Workspace Reader | Read-only access to all resources within the workspace. Can open and view connections, sources, and destinations. | Cannot create, modify, or delete any resources. Cannot manage members. | Cloud Teams or Self-Managed Enterprise | Read-only users were introduced in February 2024 and require Cloud Teams add-on or Self-Managed Enterprise. |
Permission model
- Model type: role-based
- Description: Two-tier RBAC scoped at organization level and workspace level. Organization roles apply across all workspaces; workspace roles override organization roles upward but not downward. A user cannot be assigned a workspace role more restricted than their organization role. Roles are fixed system roles; no custom role creation is supported.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Organization-level and workspace-level scoping. Roles: Instance Admin, Organization Admin, Organization Member, Organization Reader, Workspace Admin, Workspace Editor, Workspace Runner, Workspace Reader. No field-level or connection-level permission granularity within roles.
How to add users
- Navigate to the Airbyte Cloud dashboard and click Settings.
- Click Access Management (workspace) or Organization settings > Members (organization).
- Click '+ New user' or 'New member'.
- Enter the invitee's email address.
- Assign an RBAC role (if on Teams/Enterprise; otherwise defaults to Workspace Admin).
- Click 'Add new member' or 'Send invitation'.
- Invitee receives an email to join the workspace or organization.
Required fields: Email address of the invitee
Watch out for:
- On Cloud Standard, invited users are added as Workspace Admin by default with no role selection.
- The invited user only gains access to the specific workspace they were invited to, not other workspaces in the organization.
- On Teams/Enterprise plans, the user must already exist in the organization before being added to a workspace via the workspace Members flow.
- Role mapping automation via the Airbyte API is not available in the Terraform Provider.
- RBAC role selection during invite is only available on Cloud Teams and Self-Managed Enterprise.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (Cloud Teams/Enterprise or Self-Managed Enterprise); SCIM listed as 'User groups & SCIM' feature on Enterprise tier |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Airbyte uses 'Remove user from workspace' rather than account deletion or deactivation. Removing a user revokes their access to that workspace. The user's Airbyte account itself is not deleted. For SSO users, removal from the organization became available in Airbyte v1.2.
- Switch to the workspace you want to remove the user from.
- Click Workspace settings > Members.
- Find the person, click the role next to their name, and select 'Remove user from workspace'.
- Confirm removal in the dialog.
| Data impact | Behavior |
|---|---|
| Owned records | No documented transfer of owned connections or resources; connections remain in the workspace after user removal. |
| Shared content | Workspace connections, sources, and destinations are shared workspace resources and persist after user removal. |
| Integrations | Active sync connections continue to run after a user is removed; connections are workspace-scoped, not user-scoped. |
| License freed | Airbyte pricing is capacity/usage-based (Data Workers or data volume), not per-seat. Removing a user does not directly free a paid seat or reduce billing. |
Watch out for:
- Workspace Admins cannot remove other Workspace Admins from a workspace.
- Organization Admins cannot be removed from a workspace by Workspace Admins; must contact Airbyte Support.
- Once a user is assigned an admin role, they cannot be demoted - the role assignment is irreversible through the UI.
- Removing a user from a workspace does not remove them from the organization; they retain organization-level access.
- For SSO-provisioned users, removal from the IdP does not automatically remove them from Airbyte unless SCIM deprovisioning is configured (Enterprise only).
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Standard (Cloud) | Fully managed cloud, volume-based pricing. No RBAC beyond admin roles. Single workspace per account effectively. | Starting at $10/month + usage credits ($2.50/credit). API sources: $15/million rows. Database sources: $10/GB. |
| Plus (Cloud) | Same features as Standard with annual billing and Accelerated Support (prioritized ticket queue). No additional RBAC features over Standard. | Annual billing, contact sales for quote. Capacity-based (Data Workers). |
| Pro (Cloud) | Capacity-based pricing via Data Workers. Enhanced platform features including RBAC, row filtering, hashing and encryption, multiple data regions. | Custom, contact sales. Priced by number of Data Workers. |
| Enterprise (Self-Managed or Cloud) | All Pro features plus SSO, SCIM provisioning, user groups, multiple workspaces, audit logs, enterprise encryption, AWS/Azure PrivateLink, OpenTelemetry metrics, premium support. | Custom, contact sales. |
| Open Source (Self-Managed Community) | No user management or RBAC. Single username/password authentication added as default. No multi-user support. | Free (MIT license). No paid seats. |
- Where to check usage: Organization Settings page (diagnostics and deployment statistics available for Self-Managed Enterprise). Billing visible in workspace settings for Cloud plans.
- How to identify unused seats: No documented built-in UI report for identifying inactive users. Admins can list users via the Airbyte API (GET /users endpoint with organization_id). No native last-login or activity report in the UI.
- Billing notes: Airbyte pricing is not seat-based; it is capacity-based (Data Workers for Plus/Pro) or volume-based (Standard). Removing users does not reduce the bill. Credits are workspace-specific and cannot be transferred between workspaces. Organizations on Teams/Enterprise can request centralized billing across workspaces by contacting Airbyte.
The cost of manual management
Airbyte pricing is capacity-based, not seat-based, so removing users does not reduce your bill. The real cost of manual access management is operational: admin role assignments are irreversible through the UI, meaning a mistaken promotion requires contacting Airbyte Support to resolve.
There is no native last-login or inactive-user report in the UI; identifying stale accounts requires querying the API directly. For SSO-provisioned users, removal from the IdP does not automatically revoke Airbyte access unless SCIM deprovisioning is configured - an Enterprise-only feature.
What IT admins are saying
Practitioners consistently flag three friction points. First, SSO and SCIM provisioning are locked to Enterprise, leaving Teams and Standard customers with fully manual lifecycle management.
Second, the admin demotion problem is a recurring complaint: once a user is assigned an admin role, the only path to reversal is a support ticket.
Third, the open-source Community edition has no RBAC or multi-user management at all - teams that self-host on the free tier must upgrade to Self-Managed Enterprise to get any role differentiation.
An Airbyte team member confirmed on GitHub: "RBAC will not be available to OSS, but is included in our Self-Managed Enterprise version already."
Common complaints:
- Enterprise pricing required for SSO and SCIM provisioning.
- OIDC-only SSO (no SAML support documented); Okta and Microsoft Entra ID are the only documented IdPs.
- Admin role assignment is irreversible through the UI - once a user is made admin, they cannot be demoted without contacting Airbyte Support.
- Open Source (Community) edition has no RBAC or multi-user management; users must upgrade to Self-Managed Enterprise for role-based access.
- Full RBAC (beyond admin-only roles) requires Cloud Teams or Self-Managed Enterprise; Cloud Standard users are all admins with no role differentiation.
- RBAC role mapping automation is only available via the Airbyte API, not the Terraform Provider.
- Organization Admins cannot be removed from workspaces by Workspace Admins; requires contacting Airbyte Support.
- No native UI for auditing inactive users or last-login activity.
- Airbyte credits are workspace-specific and non-transferable, complicating multi-workspace billing management.
The decision
Manual management is workable for small teams on Cloud Standard where everyone legitimately needs admin access, but it does not scale cleanly across every app and workspace in a growing environment.
Workspace membership is siloed - users invited to one workspace do not gain access to others - offboarding requires per-workspace removal with no bulk operation, and org-level admin removal is entirely outside self-service.
Teams running multiple workspaces or operating under compliance requirements should evaluate whether the Enterprise tier's SCIM and SSO capabilities justify the cost before committing to a manual process.
Bottom line
Airbyte's manual user management is straightforward for small, single-workspace deployments but accumulates meaningful operational debt as team size and workspace count grow. The absence of a last-login report, the irreversibility of admin assignments, and the per-workspace offboarding requirement each add friction that compounds over time.
Organizations with compliance obligations or frequent onboarding and offboarding cycles will find the manual path undersupported without an Enterprise plan that unlocks SCIM and SSO.
Automate Airbyte workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
