Summary and recommendation
Ashby user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Ashby is an ATS with a hybrid permission model: predefined tiers (Limited Access, Elevated Access sub-roles, Organization Admin) layered with per-department and per-job scoping. Every app in your stack that touches recruiting workflows will interact with one of these tiers.
As of April 2025, admins can create and modify custom access roles directly in the admin panel without contacting support.
Quick facts
| Admin console path | Admin > Organization Setup > Employees (users list) | Admin > Organization Setup > Permissions Automation | Admin > Organization Setup > Access Roles |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Growth/Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Limited Access | Can submit interview feedback for interviews they participated in; can submit referrals or applications for internal jobs. | Cannot view candidate profiles, view jobs or candidates generally, or sync/send emails through Ashby. | All plans (default role assigned to new users) | Included in base plan; no elevated seat cost | This is the default role assigned to all newly provisioned users. Must be explicitly upgraded to gain broader access. |
| Elevated Access (includes sub-roles: Analyst, Hiring Team Member, Hiring Manager, Admin, Admin - Private) | Can view candidate profiles for departments/jobs they have been granted access to. Admin sub-role grants access to all data except private fields. Admin - Private sub-role additionally grants access to private fields (e.g., salary on offers). Organization Admin has full access including confidential jobs. | Varies by sub-role. Standard Admin cannot view private fields. Non-admin elevated roles are scoped to assigned departments or jobs. | All plans | $800/year per elevated seat (per pricing seed data; not confirmed on official pricing page) | Elevated Access is an umbrella tier; the specific sub-role (Analyst, Hiring Manager, Admin, Admin - Private, Organization Admin) determines actual permission granularity. Agency users are a separate elevated-access type limited to candidates sourced by their agency. |
| Organization Admin | Full access to all data, settings, and configuration including confidential jobs and projects. Can manage access roles, configure permissions automation, manage API keys, and administer all users. | No documented restrictions within the platform. | All plans | Counted as elevated seat | Organization Admins can optionally be granted access to all confidential jobs/projects created by any user, including those who have since left the company. This must be explicitly enabled per admin in admin settings. |
| Agency User / External Recruiter | Can view and add candidate profiles linked to their agency only. Can schedule candidates and view candidates considered for roles they are associated with. | Cannot view candidates or jobs outside their agency's scope. | All plans | Agency users must be set up via Admin > Organization Setup > Organizational Settings > Agencies. They are a distinct user type from internal employees. | |
| Ashby Analytics - Admin License | Can explore report templates, save and edit reports and dashboards, and access all features in Ashby Analytics. | Ashby Analytics product (separate from All-in-One) | Analytics licenses are separate from All-in-One access roles. A user needs both an All-in-One access role and an Analytics license assigned. | ||
| Ashby Analytics - View Only License | Can view reports and dashboards; cannot build or edit reports. | Cannot create, save, or edit reports or dashboards. | Ashby Analytics product (separate from All-in-One) | Analytics licenses are separate from All-in-One access roles. |
Permission model
- Model type: hybrid
- Description: Ashby uses a hybrid model combining predefined access role tiers (Limited Access, Elevated Access sub-roles, Organization Admin) with granular scoping by department, job, or location. Permissions can be set globally or scoped to specific departments, jobs, and organizational data. As of April 2025, admins can self-serve create and modify custom access roles directly in the admin panel without contacting support. Permissions automation can map hiring team roles (e.g., Interviewer, Hiring Manager) to access roles, automatically granting and revoking job-level access as users are added to or removed from hiring teams.
- Custom roles: Yes
- Custom roles plan: All plans (self-serve custom role management added April 2025; previously required contacting support)
- Granularity: Global role assignment plus per-department and per-job access role overrides. Private field visibility is a separate permission layer (Admin vs. Admin - Private). Permissions automation available on all plans.
How to add users
- Navigate to Admin > Organization Setup > https://app.ashbyhq.com/admin/users
- Click 'New' and enter the user's name, then click 'Create'
- Add the user's email address to the email address field on the newly created profile
- The user will appear as 'New Unprovisioned Employee'
- Click 'Actions' on their profile, then click 'Activate' to enable account access
- Assign the appropriate access role/permissions via the permissions tab on the user profile
Required fields: Full name, Email address
Watch out for:
- If the email address entered is flagged as already in use, the user likely exists as a deactivated or terminated profile; check the deactivated/terminated user list before creating a new profile.
- New users default to 'Limited Access' role and must be explicitly assigned a higher access role after activation.
- Ashby does not support password authentication; users must authenticate via Google Workspace, Office 365, magic link (email), or SSO (SAML/OIDC).
- If Google Workspace or Microsoft 365 directory sync is enabled, new directory users are provisioned automatically; manual provisioning is for users outside the directory sync or external users.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | SCIM available on Legacy Plus, Plus, and Enterprise plans (not Foundations). SSO available on all plans including Foundations. SCIM is set up via WorkOS; setup requires contacting support@ashbyhq.com. Permissions cannot be mapped via SCIM at this time (per official docs). Google Workspace and Microsoft 365 directory sync (auto-provisioning) is available separately from full SCIM and can be configured to automatically provision new directory users. |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Ashby does not offer a hard delete for user profiles. Two non-destructive options exist: Deactivate (recommended for users still at the company who should lose Ashby access) and Terminate (recommended for users who have left the company; removes all access roles and revokes Ashby access). Both states are reversible via reactivation. Terminated/deactivated profiles remain in the system and are filterable on the Employees page.
- Navigate to Admin > Organization Setup > Employees (https://app.ashbyhq.com/admin/users)
- Locate the user profile (active users are shown by default)
- Click on the user's profile
- Click 'Actions' on their profile
- Select 'Deactivate' (if user is still at company but should lose access) or 'Terminate' (if user has left the company)
- To reactivate: adjust the Employees page filter to show deactivated/terminated users, locate the profile, click 'Actions', then 'Activate'
| Data impact | Behavior |
|---|---|
| Owned records | Candidate records, notes, and historical data created by the user remain in the system and are not deleted. Confidential jobs created by a departed user may become inaccessible unless an Organization Admin has been granted access to all confidential jobs. |
| Shared content | Notes on candidate profiles cannot be edited by other users (only deleted or replied to). Historical activity is preserved. |
| Integrations | Deactivating a user removes them from interviewer pools. Deactivation does not automatically remove the user from already-scheduled interviews; those must be manually rescheduled with a new interviewer. If using directory sync (Google Workspace/Microsoft 365 or SCIM), offboarded users in the directory automatically lose Ashby access. |
| License freed | Deactivating or terminating a user frees their elevated seat. Permissions automation can automatically downgrade users to Limited Access when they are removed from all active hiring teams, which also controls seat usage without full deactivation. |
Watch out for:
- Deactivating a user does NOT remove them from already-scheduled interviews; manual rescheduling is required.
- Terminating a user removes all their access roles in addition to revoking login access.
- Confidential jobs created by a user who has since left the company may become inaccessible to others unless the Organization Admin has the 'access all confidential jobs' setting enabled.
- Deactivated/terminated profiles are hidden by default on the Employees page; the active-user filter must be toggled to find them for reactivation.
- SCIM offboarding (directory deprovision) automatically revokes Ashby access but SCIM is only available on Legacy Plus, Plus, and Enterprise plans.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Base / Limited Access seat | User profile exists in Ashby; can submit interview feedback and referrals only. Included in base plan subscription. | Included in base plan; no per-seat add-on cost documented for limited access users |
| Elevated Access seat | Full recruiter/admin/hiring manager access scoped to assigned departments or jobs. Required for viewing candidate profiles, sourcing, scheduling, and reporting. | $800/year per seat (per third-party pricing research; not confirmed on official Ashby pricing page) |
| Ashby Analytics - Admin License | Full report building, editing, and dashboard management in Ashby Analytics module. | Part of Ashby Analytics product pricing (custom quote; separate from All-in-One) |
| Ashby Analytics - View Only License | Read-only access to reports and dashboards in Ashby Analytics. | Part of Ashby Analytics product pricing (custom quote; separate from All-in-One) |
- Where to check usage: Admin > Organization Setup > Employees (https://app.ashbyhq.com/admin/users) - filter by active users to see current provisioned users. Permissions Automation dashboard shows users with elevated vs. limited access roles.
- How to identify unused seats: Use the Employees page active-user filter to audit all active profiles. Permissions Automation (Admin > Organization Setup > Permissions Automation) can automatically downgrade users to Limited Access when they are no longer on any active hiring team, reducing elevated seat consumption without manual review.
- Billing notes: Ashby pricing is seat/scale and usage-based. Foundations plan starts $400/month for small teams (up to ~100 employees). Plus and Enterprise plans require custom quotes. Elevated seats are an add-on cost ($800/year per seat per third-party sources). AI credits, advanced sourcing (email lookups), and Ashby Analytics are priced separately. Month-to-month contracts are available. SCIM provisioning is not available on the Foundations plan.
The cost of manual management
New users default to Limited Access and must be manually upgraded after activation - every app provisioning step requires a second action in Ashby to assign the correct role. Deactivating a user does not remove them from already-scheduled interviews, so manual rescheduling is a consistent offboarding overhead.
Confidential jobs created by departed employees can become inaccessible unless Organization Admin confidential-job access is pre-configured before the employee leaves.
What IT admins are saying
The most consistent friction point reported is that SCIM provisioning is unavailable on the Foundations plan, forcing smaller teams onto manual lifecycle management. Elevated seat costs (~$800/year per seat, per third-party sources) draw complaints from fast-growing orgs that need many hiring managers with elevated access.
Prior to April 2025, any custom role change required a support ticket rather than self-service - a workflow that affected every team managing role drift at scale.
Common complaints:
- SCIM provisioning is not available on the Foundations plan, requiring Plus or higher for automated IdP-based user lifecycle management.
- Permissions cannot be mapped or pushed via SCIM; role assignment must still be done manually in Ashby after SCIM provisioning creates the user account.
- Elevated seat pricing (~$800/year per seat) significantly increases costs for rapidly growing companies, particularly those needing many hiring managers with elevated access.
- Prior to April 2025, creating or modifying custom access roles required contacting Ashby support rather than self-serving in the admin panel.
- Deactivating a user does not automatically remove them from already-scheduled interviews, requiring manual rescheduling.
- Confidential jobs created by departed employees can become inaccessible unless Organization Admin confidential-job access is pre-configured.
- Steep learning curve for admin configuration; the settings area contains many tabs and options that are not immediately intuitive for new admins.
- Pricing is not fully transparent for Plus and Enterprise tiers; custom quotes required.
- Email lookup and bulk action limits apply at lower subscription tiers, impacting sourcing-heavy teams.
- Ashby Analytics is a separate product with separate licensing, adding cost complexity for teams wanting full reporting capabilities.
The decision
If your team is on the Foundations plan, automated IdP-based provisioning is not available and every user lifecycle event is a manual admin task. Growth or Enterprise plans unlock SCIM, but role assignment post-provisioning remains manual regardless of plan.
Permissions Automation (available on all plans) can automatically downgrade users to Limited Access when they leave a hiring team, which reduces elevated seat consumption without per-user review.
Bottom line
Ashby's permission model is granular and well-structured, but it front-loads manual work: every provisioned user lands as Limited Access and requires an explicit role upgrade, SCIM is gated behind Growth/Enterprise plans, and role mapping through SCIM is not supported at any tier.
Teams that invest in configuring Permissions Automation and pre-enabling Organization Admin confidential-job access will absorb the least ongoing overhead - those that don't will find recurring gaps at both onboarding and offboarding.
Automate Ashby workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
Every app coverage, including apps without APIs
60+ app integrations plus browser automation for apps without APIs
IT graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time
