Argo CD User Management Guide

1. Edit the argocd-cm ConfigMap in the argocd namespace: kubectl -n argocd edit configmap argocd-cm
2. Add an entry under data for the new user with desired capabilities: accounts.: apiKey,login (capabilities: 'apiKey' to generate JWT tokens, 'login' for UI/CLI access).
3. Optionally set accounts..enabled: "false" to create the account in a disabled state.
4. Apply the ConfigMap change. Argo CD reconciles automatically.
5. Set the user's initial password via CLI (requires admin credentials): argocd account update-password --account --current-password --new-password
6. Assign RBAC policies in argocd-rbac-cm ConfigMap under policy.csv, e.g.: p, , applications, get, /, allow
7. Verify the user was created: argocd account list

Required fields: username (max 32 characters), capabilities (apiKey and/or login), password (must be set explicitly before user can authenticate)

Watch out for:

• New users have no access until a password is explicitly configured via CLI or by directly writing a bcrypt hash to argocd-secret.
• Users without explicit RBAC rules fall back to the policy.default role in argocd-rbac-cm.
• If using both local users and SSO, assign policies directly to local users rather than using role bindings to avoid name collision with SSO group scopes.
• The official documentation primarily describes user management via the argocd CLI; managing users without CLI access requires direct Kubernetes Secret and ConfigMap manipulation.
• A user must be defined in only one section (extraConfig or localUsers in the Argo CD CR); if defined in both, extraConfig takes precedence (Red Hat OpenShift GitOps Operator behavior).

• Can delete users: Yes
• Delete/deactivate behavior: Both deactivation and deletion are supported. Deactivation: set accounts..enabled: "false" in argocd-cm; the account remains in configuration, secrets and tokens are preserved, but the user cannot authenticate. Deletion: remove the user's entry from argocd-cm; the user disappears from account list, but the bcrypt password hash and token entries remain in argocd-secret and must be manually removed.

1. Edit argocd-cm ConfigMap: kubectl -n argocd edit configmap argocd-cm
2. Add or set: accounts..enabled: "false"
3. Apply the change. The user account remains in configuration but cannot authenticate via UI or API tokens.
4. To re-enable: set accounts..enabled: "true"

Watch out for:

• Removing a user from argocd-cm does not automatically delete the user's password hash or token entries from argocd-secret; these must be manually cleaned up.
• Disabling a user preserves secrets and token renewal timers continue to run if configured.
• For SSO users, access is revoked by removing the user or group from the IdP or by updating RBAC group bindings in argocd-rbac-cm; there is no Argo CD-side user record to delete.
• RBAC policy entries referencing the deleted user in argocd-rbac-cm are not automatically removed and should be cleaned up manually.

• Where to check usage: argocd account list (CLI) or Settings > Accounts in the Argo CD web UI to list all local accounts and their enabled/disabled status.
• How to identify unused seats: No built-in last-login tracking or audit log for local users. Local users do not provide login history. For SSO users, login activity must be tracked in the IdP. Unused local accounts can be identified by checking if a password has ever been set in argocd-secret.
• Billing notes: Open source Argo CD has no licensing or seat costs. Akuity Platform billing is app-based, not user-based. No SCIM provisioning available in any tier.

Because there is no SCIM, every app in your GitOps stack that relies on Argo CD access requires manual provisioning and deprovisioning through ConfigMap edits or CLI commands - neither of which integrates with standard IdP lifecycle workflows.

Offboarding a local user requires three separate actions: removing the entry from argocd-cm, deleting the password hash from argocd-secret, and cleaning up orphaned RBAC policy entries in argocd-rbac-cm.

SSO users are not tracked in Argo CD at all; their access depends entirely on IdP group membership evaluated only at login time - stale permissions can persist until the next authentication event.

Practitioners consistently flag the absence of SCIM as a gap for teams running Argo CD at scale. Common friction points include:

• Group membership from SSO is evaluated only at login, not continuously, so revoked group memberships remain active until the user re-authenticates.
• Dex and OIDC group-claim configuration is error-prone; some providers (e.g., Okta) require non-default settings to surface group claims at all.
• A known bug in Argo CD v3.x breaks RBAC group matching for SAML/OIDC groups via AWS IAM Identity Center, making group-based RBAC non-functional in affected configurations.
• The argocd admin settings rbac can CLI command misreports permissions in some v2.10.x builds, making RBAC debugging unreliable.

Common complaints:

• No SCIM support means user provisioning and deprovisioning cannot be automated via standard IdP lifecycle management; RBAC must be managed manually via ConfigMaps.
• Group membership from SSO is evaluated only at login time, not continuously; stale group memberships can persist until the user re-authenticates.
• Complex SSO and Dex configuration required for group-based RBAC; misconfiguration is a common source of permission errors.
• Removing a local user from argocd-cm leaves orphaned password hashes and token entries in argocd-secret that must be manually cleaned up.
• The argocd admin settings rbac can CLI command does not correctly report permissions in some versions (e.g., v2.10.x), making RBAC debugging unreliable.
• RBAC group matching broken in Argo CD v3.x for SAML/OIDC groups via AWS IAM Identity Center; Casbin enforcer does not iterate through groups array, making group-based RBAC non-functional in affected configurations.
• Fine-grained RBAC inheritance behavior changed between v2.x and v3.x (server.rbac.disableApplicationFineGrainedRBACInheritance parameter reported as ignored in v3.1.0), causing unexpected permission denied errors after upgrade.
• No built-in login history or last-login tracking for local users, making it difficult to identify inactive accounts.
• Official documentation primarily covers user management via the argocd CLI; declarative/automated approaches without CLI access are underdocumented.
• RBAC policy syntax (Casbin CSV) is verbose and error-prone, especially for glob pattern matching with sub-resources.

Argo CD is a strong fit for teams already managing infrastructure as code who are comfortable with Kubernetes-native tooling. The manual overhead is manageable at small scale but compounds quickly as team size grows.

Teams that need auditable, automated user lifecycle management across every app in their environment will find the ConfigMap-based model a persistent operational burden. SSO with group-based RBAC is the recommended path for enterprise use, but it requires careful Dex configuration and does not eliminate the need for manual RBAC policy maintenance in argocd-rbac-cm.

Bottom line

Argo CD's open-source model means zero licensing cost and full control, but user management is entirely manual - no SCIM, no last-login tracking, and no API-based provisioning.

Every app deployment environment that uses Argo CD for access control requires direct Kubernetes resource edits to add, modify, or remove users.

Teams with mature GitOps practices and small, stable user populations will absorb this overhead; teams with frequent onboarding/offboarding cycles or strict deprovisioning SLAs should plan for significant manual process investment or evaluate whether a managed layer like Akuity meets their operational requirements.