Summary and recommendation
BlackLine user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
BlackLine user management lives entirely in the admin console at Administration > User Management.
There is no native SCIM endpoint and no public REST API for user provisioning, so every app interaction-adding, deactivating, or reassigning users-requires a logged-in administrator.
Both System Administrators and Company Administrators can manage users, but Company Administrators are scoped to their assigned entity only, which matters in multi-entity deployments.
Quick facts
| Admin console path | Administration > User Management |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all BlackLine modules, user management, configuration, and system settings. | System Administrator access should be tightly controlled; changes made by admins affect all users and configurations globally. | |||
| Company Administrator | Manages users, roles, and settings within a specific company entity; can add/deactivate users and assign roles. | Cannot access or modify settings outside their assigned company entity. | In multi-entity deployments, Company Administrators are scoped to their entity only. | ||
| Standard User | Access to assigned BlackLine modules (e.g., Account Reconciliations, Task Management) based on role assignments. | Cannot manage other users, modify system configuration, or access modules not assigned to their role. | Module access is controlled by role assignment; users without a role assigned to a module cannot see it. | ||
| Read-Only / Reviewer | Can view records, reconciliations, and reports assigned to them; can approve or reject items depending on workflow configuration. | Cannot create or edit reconciliations or tasks. | Reviewer roles are workflow-specific; access is determined by assignment to reconciliation groups or task workflows. |
Permission model
- Model type: role-based
- Description: BlackLine uses a role-based access control model. Roles are predefined by BlackLine and assigned to users by administrators. Each role maps to specific module access and action permissions (e.g., preparer, reviewer, approver). Permissions are further scoped by company entity and module.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level and module-level; administrators assign users to roles and to specific reconciliation groups or task workflows, which determines what records they can access and what actions they can perform.
How to add users
- Log in to BlackLine as a System Administrator or Company Administrator.
- Navigate to Administration > User Management.
- Click 'Add User' or 'New User'.
- Enter required user details: first name, last name, email address, and username.
- Assign the user to the appropriate company entity.
- Assign one or more roles to the user.
- Configure module access as needed.
- Save the user record; the user receives an email invitation to set their password.
Required fields: First name, Last name, Email address, Username, Company entity assignment, Role assignment
Watch out for:
- Usernames must be unique across the BlackLine instance.
- Users must be assigned to at least one role to access any BlackLine module.
- Email domain must be valid; BlackLine sends an activation email to the address provided.
- In SSO-enabled environments, the username must match the identity provider's user identifier exactly.
- Users are not active until they complete the email-based activation step.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Administration > User Management > Import Users (CSV upload option) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: BlackLine does not support permanent deletion of user accounts. Users can only be deactivated, which prevents login and removes them from active workflows while preserving their historical records and audit trail.
- Log in as a System Administrator or Company Administrator.
- Navigate to Administration > User Management.
- Search for and select the user to be deactivated.
- Click 'Deactivate' or toggle the user's status to inactive.
- Confirm the deactivation action.
| Data impact | Behavior |
|---|---|
| Owned records | Historical records (reconciliations, tasks, journal entries) created or owned by the deactivated user are retained and remain accessible to administrators and other authorized users. |
| Shared content | Shared workflows and group assignments associated with the deactivated user remain intact; the user is removed from active workflow queues. |
| Integrations | Not documented |
| License freed | Deactivating a user frees the associated license seat, making it available for reassignment. |
Watch out for:
- Deactivated users cannot log in but their data and audit history are preserved.
- If a deactivated user is the sole preparer or approver on open reconciliations, those items may become stuck; reassign ownership before deactivating.
- Reactivating a previously deactivated user restores their account and prior role assignments.
- Deactivation does not automatically reassign open tasks or reconciliations owned by that user.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User License | Access to assigned BlackLine modules based on role; each active user consumes one named user license. | Custom pricing; BlackLine does not publish per-seat pricing publicly. Contract pricing typically ranges from approximately $77K–$340K/year depending on modules and user count. |
- Where to check usage: Administration > User Management (view active user count and license consumption)
- How to identify unused seats: Administrators can review the user list filtered by last login date or activity status to identify users who have not logged in recently. No dedicated 'unused license' report is documented in publicly available help content.
- Billing notes: BlackLine is sold on annual contracts with custom pricing. License counts are negotiated at contract time. Deactivating users frees seats for reassignment within the contracted count but does not automatically reduce contract cost mid-term.
The cost of manual management
BlackLine is sold on annual enterprise contracts with custom pricing; no per-seat rate is published. Deactivating a user frees a named-user seat for reassignment within your contracted count, but it does not reduce your contract cost mid-term.
Because there is no automated reassignment workflow, every app offboarding event also requires a manual audit of open reconciliations and tasks before deactivation-otherwise those items can become stuck with no active owner.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
If your team manages a small, stable user base, the admin console workflow is straightforward: fill required fields (first name, last name, email, username, company entity, role), save, and the user receives an activation email. Role assignment is mandatory-users without a role cannot access any module.
For organizations with frequent onboarding or offboarding cycles, the absence of bulk tooling with reliable validation feedback and the lack of automated task reassignment add meaningful administrative overhead at scale.
Bottom line
BlackLine's user management is functional but fully manual. Every provisioning and deprovisioning action runs through the admin console, with no SCIM or public API to automate the lifecycle.
The role-based model is clear and well-structured, but the combination of no user deletion, no automated task reassignment on deactivation, and SSO username-matching sensitivity means that governance discipline-not tooling-carries most of the operational weight.
Automate BlackLine workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
