Chargebee User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 4, 2026

Summary and recommendation

Chargebee user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Chargebee's user management lives at Settings > Team & Security > Users and is accessible only to Administrators. The platform ships four built-in roles - Administrator, Manager, Support, and Finance - each scoped to a distinct slice of the product. Custom roles with module-level read vs. read-write granularity are available on Performance and Enterprise plans only.

Chargebee does not charge per user seat. Billing is volume-based (monthly billing processed through the platform), so adding or removing users has no direct impact on subscription cost.

Quick facts

  • Admin console path: Settings > Team & Security > Users
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Enterprise
  • SSO prerequisite: Yes

User types and roles

Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for
Administrator | Full access to all Chargebee features including billing, subscriptions, reports, API keys, and user management. | - | All plans | No per-seat fee; included in plan | Only Administrators can manage other users and configure SSO/security settings.
Manager | Access to subscriptions, customers, invoices, and reports. Cannot manage users or security settings. | Cannot add/remove users, configure SSO, or access API key management. | All plans | No per-seat fee; included in plan | -
Support | Read and limited write access to customer and subscription records. Intended for customer-facing support staff. | Cannot access financial reports, configure settings, or manage users. | All plans | No per-seat fee; included in plan | -
Finance | Access to invoices, revenue reports, and financial data. Limited operational access. | Cannot manage subscriptions operationally or manage users. | All plans | No per-seat fee; included in plan | -
Custom Role | Admin-defined permission set scoped to specific modules and actions within Chargebee. | Depends on configuration; permissions not granted are denied by default. | Performance or Enterprise plan | No per-seat fee; included in plan | Custom roles are only available on Performance and Enterprise plans. Starter plan users are limited to built-in roles.

Permission model

  • Model type: hybrid
  • Description: Chargebee uses a set of predefined built-in roles (Administrator, Manager, Support, Finance) combined with the ability to create custom roles on higher-tier plans. Custom roles allow administrators to select specific module-level permissions (e.g., read-only vs. read-write per feature area).
  • Custom roles: Yes
  • Custom roles plan: Performance or Enterprise
  • Granularity: Module-level (per feature area such as Subscriptions, Customers, Invoices, Reports, Settings); read vs. read-write distinction per module.

How to add users

  1. Log in as an Administrator.
  2. Navigate to Settings > Team & Security > Users.
  3. Click 'Invite User'.
  4. Enter the invitee's email address.
  5. Select a role (built-in or custom, depending on plan).
  6. Click 'Send Invite'.
  7. Invitee receives an email and must accept the invitation to activate their account.

Required fields: Email address, Role

Watch out for:

  • Invitation must be accepted by the invitee before the account is active; pending invites can be resent or cancelled.
  • The inviting user must have Administrator role.
  • Custom roles are only selectable on Performance or Enterprise plans.
  • If SSO is enforced, new users must authenticate via the configured IdP after accepting the invite.

Bulk option | Availability | Notes
CSV import | No | Not documented
Domain whitelisting | No | Automatic domain-based user add
IdP provisioning | Yes | Enterprise (SCIM provisioning requires Enterprise plan and SSO enabled)

How to remove or deactivate users

  • Can delete users: No
  • Delete/deactivate behavior: Chargebee does not permanently delete user accounts. Administrators can deactivate (disable) a user, which revokes their login access. The user record is retained in the system for audit and historical purposes.

  1. Log in as an Administrator.
  2. Navigate to Settings > Team & Security > Users.
  3. Locate the user to be deactivated.
  4. Click the options menu (three dots or 'Edit') next to the user.
  5. Select 'Deactivate' or 'Disable User'.
  6. Confirm the action.

Data impact | Behavior
Owned records | Records (subscriptions, customers, invoices) created or modified by the deactivated user remain intact and are not reassigned automatically.
Shared content | No shared content model; data remains accessible to other users with appropriate permissions.
Integrations | API keys associated with the user's account (if any) should be reviewed and rotated separately; deactivating a user does not automatically revoke API keys.
License freed | Chargebee does not charge per seat, so deactivating a user does not reduce billing costs.

Watch out for:

  • Deactivated users cannot log in but their historical activity and audit logs are preserved.
  • API keys are not automatically invalidated when a user is deactivated; administrators must manually revoke them.
  • There is no bulk deactivation option in the UI; each user must be deactivated individually.
  • If SSO is enabled, revoking access in the IdP does not automatically deactivate the user in Chargebee unless SCIM provisioning is configured.
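
The two offboarding gaps above (revoking access in the IdP does not deactivate the Chargebee user without SCIM, and deactivation does not revoke API keys) can be checked with a reconciliation pass during access reviews. This is an added example, not Chargebee or Stitchflow code; the CSV layouts, column names, status values and sample rows are constructed assumptions standing in for lists an administrator compiles by hand.

```python
import csv
import io

# Constructed sample data (not real exports). Column names and status values
# are assumptions: they stand for lists compiled by hand from
# Settings > Team & Security > Users, the IdP directory, and an internal
# inventory recording who created each API key.
CHARGEBEE_USERS = """email,role,status
alice@example.com,Administrator,active
bob@example.com,Finance,active
carol@example.com,Support,deactivated
dave@example.com,Manager,pending
"""
IDP_USERS = """email,idp_status
alice@example.com,active
bob@example.com,suspended
carol@example.com,suspended
"""
API_KEYS = """key_name,created_by
erp-sync,bob@example.com
support-widget,carol@example.com
reporting,alice@example.com
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def offboarding_gaps(chargebee_csv, idp_csv, api_keys_csv):
    """Return (users_to_deactivate, invites_to_cancel, keys_to_review)."""
    idp_active = {r["email"].strip().lower() for r in _rows(idp_csv)
                  if r["idp_status"] == "active"}
    to_deactivate, invites_to_cancel = [], []
    for user in _rows(chargebee_csv):
        email = user["email"].strip().lower()
        if email in idp_active:
            continue  # identity is still valid in the IdP
        if user["status"] == "active":
            # Login still enabled in Chargebee although the IdP identity is gone.
            to_deactivate.append(email)
        elif user["status"] == "pending":
            # An unaccepted invite for someone without a live IdP identity.
            invites_to_cancel.append(email)
    # Keys are judged by their creator's IdP state, not by Chargebee status:
    # a deactivated Chargebee user can still have working API keys.
    keys_to_review = sorted(k["key_name"] for k in _rows(api_keys_csv)
                            if k["created_by"].strip().lower() not in idp_active)
    return sorted(to_deactivate), sorted(invites_to_cancel), keys_to_review
```

In the sample data, carol is already deactivated in Chargebee, yet the key she created still appears in the review list.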

License and seat management

Seat type | Includes | Cost
User seat | All user accounts (Administrator, Manager, Support, Finance, Custom roles) are included without per-seat charges. | No per-seat cost; user seats are unlimited and included in the subscription plan.

  • Where to check usage: Settings > Team & Security > Users (shows list of all active and pending users)
  • How to identify unused seats: Review the Users list for accounts with no recent login activity. Chargebee does not natively surface a 'last login' timestamp in the UI as of available documentation; administrators must manually review or use audit logs.
  • Billing notes: Chargebee does not charge per user seat. Billing is based on monthly billing volume processed through the platform (with overage fees on Performance plan above $100K/month). Adding or removing users has no direct impact on subscription cost.

The cost of manual management

Every app in a mature SaaS stack demands its own offboarding checklist, and Chargebee surfaces two friction points that slow teams down. First, there is no bulk deactivation: each user must be disabled individually through the UI. Second, deactivating a user does not automatically revoke their API keys - those must be hunted down and invalidated separately.

The platform retains no native 'last login' timestamp in the user list, so identifying stale accounts requires a manual audit of activity logs. For teams managing frequent contractor or vendor access, this adds recurring overhead with no shortcut.

What IT admins are saying

The most consistent complaint from practitioners is that SSO is gated to the Enterprise plan, leaving Starter and Performance customers without federated login. A related gap: only one IdP can be configured at a time, which creates friction for organizations mid-migration between identity providers.

When SSO is active, two-factor authentication is disabled with no fallback MFA option - a security posture concern flagged repeatedly in community threads. Users on Performance plan also report that overage fees above $100K/month billing volume can surface unexpectedly if monitoring is not in place.

Common complaints:

  • SSO is restricted to Enterprise plan, making it inaccessible to smaller teams on Starter or Performance plans.
  • Only a single IdP can be configured at a time for SSO.
  • Two-factor authentication (2FA) is disabled or unavailable when SSO is enabled, leaving no fallback MFA option.
  • Overage fees on the Performance plan are reported as unclear or unexpected by some users.
  • No bulk user import via CSV; users must be invited one at a time through the UI.
  • SCIM provisioning for automated user lifecycle management requires Enterprise plan, which is cost-prohibitive for mid-market customers.
  • No native 'last login' visibility in the user management UI, making it difficult to identify inactive accounts.

The decision

Chargebee's manual user management is workable for small, stable teams but does not scale cleanly. The one-at-a-time invite and deactivate flow, combined with no CSV import and no last-login visibility, means every app offboarding event requires deliberate manual steps rather than a repeatable process.

Teams that need SSO, automated provisioning, or custom roles should budget for Enterprise. Performance plan unlocks custom roles but not SSO - a meaningful gap if identity governance is a priority.

Bottom line

Chargebee is a billing-first platform, and its user management reflects that priority: functional for small admin teams, but under-equipped for organizations that need automated lifecycle controls.

No per-seat cost removes one variable, but the absence of bulk operations, native last-login data, and SSO below Enterprise means that every app connected to a departed employee's Chargebee access requires a manual, step-by-step remediation.

Teams with high user turnover or strict access review cadences will feel the gap most acutely.


* Details sourced from official product documentation and admin references.
