ChatGPT (OpenAI) User Management Guide

• Model type: role-based
• Description: ChatGPT workspaces use a fixed three-tier role model: Owner, Admin, and Member. There are no custom roles or granular permission sets. Workspace-level policies (e.g., whether members can publish GPTs externally, whether memory is enabled) are set by Owners/Admins and apply uniformly to all Members. Enterprise adds controls for domain verification, SCIM group-based provisioning, and GPT visibility policies.
• Custom roles: No
• Custom roles plan: Not documented
• Granularity: Coarse. Role permissions are fixed and not individually configurable. Workspace-wide policy toggles (e.g., external GPT sharing, memory) provide limited additional control.

1. Log in to chatgpt.com as Owner or Admin.
2. Click the workspace name in the top-left corner and navigate to Settings.
3. Select 'Members' or 'Admin console' depending on plan.
4. Click 'Invite members' or 'Add members'.
5. Enter the email address(es) of the user(s) to invite.
6. Assign a role (Member or Admin) before sending the invitation.
7. Click 'Send invite'. The invitee receives an email to accept and join the workspace.
8. On Enterprise with SCIM enabled: users can be provisioned automatically via the connected IdP without manual invitation.

Required fields: Email address of invitee, Role assignment (Member or Admin)

Watch out for:

• Invitations consume a seat immediately upon acceptance; on Business plan, billing adjusts at the next billing cycle.
• On Business plan, minimum 2 seats must be maintained.
• Users must have or create an OpenAI account to accept the invitation.
• On Enterprise, if SCIM is active, manual invitations and SCIM provisioning can conflict; OpenAI recommends using one method consistently.
• Domain verification on Enterprise allows auto-joining for users with verified corporate email domains, which may add seats unexpectedly if not monitored.

• Can delete users: Verify in tenant
• Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.

1. Log in to chatgpt.com as Owner or Admin.
2. Navigate to Settings → Members (Business) or Admin console → Members (Enterprise).
3. Locate the member to remove using search or the member list.
4. Click the options menu (three dots or similar) next to the member's name.
5. Select 'Remove member' or 'Revoke access'.
6. Confirm the removal. The user loses workspace access immediately.
7. On Enterprise with SCIM: deprovision the user in the connected IdP (Okta, Entra ID, etc.); the SCIM sync removes workspace access automatically.

Watch out for:

• Removing a user does not delete their OpenAI personal account or any personal conversation history outside the workspace.
• On Business plan, if the removed user was the sole Owner, the workspace may become unmanageable; ensure another Owner is assigned before removal.
• SCIM deprovisioning on Enterprise may have a sync delay (reported up to 40 minutes for Azure AD/Entra ID) before access is fully revoked.
• Removed users retain access until the session expires if they are actively logged in at the time of removal; session invalidation timing is not explicitly documented.
• Custom GPTs built by removed members are not automatically reassigned; admins should audit and reassign or delete them manually.

• Where to check usage: chatgpt.com → Settings → Admin console → Usage (Enterprise) or Settings → Members (Business) to view active seat count.
• How to identify unused seats: On Enterprise, the admin console provides usage analytics showing last-active dates per member, enabling identification of inactive seats. On Business, per-user activity data is limited; admins can view member list but detailed per-user usage metrics are not prominently surfaced.
• Billing notes: Business plan bills per seat on a monthly or annual cycle; seats added mid-cycle are prorated. Enterprise is billed annually under a custom contract. Nonprofit discounts available: 20% off Business, 25% off Enterprise (requires verification). Removing a member frees the seat at the next billing cycle on Business; Enterprise seat reductions are subject to contract minimums.

On the Business plan, every app onboarding and offboarding action is fully manual - no directory sync exists at this tier despite SSO being included. Admins must invite users one by one by email, assign roles individually, and monitor seat usage without per-user activity metrics.

Identifying unused seats on Business requires manually reviewing the member list, since detailed last-active data is not surfaced at that plan level.

Removing a user revokes workspace access immediately, but the underlying OpenAI account is untouched. Custom GPTs built by removed members are not automatically reassigned, requiring a separate manual audit. On Business, seat counts only adjust at the next billing cycle after removal.

The most consistent friction reported by admins centers on the Business plan's lack of SCIM despite being a paid, multi-seat tier. Bulk provisioning is unavailable without Enterprise - there is no CSV import, and every individual invitation must be handled manually at the Business level.

Azure AD (Entra ID) SCIM sync on Enterprise has reported delays of up to 40 minutes before deprovisioning fully takes effect, which creates an access-gap risk during offboarding.

The three fixed roles are also a recurring complaint for organizations that need more than coarse Owner/Admin/Member distinctions.

Common complaints:

• Business plan lacks SCIM provisioning despite being a premium paid tier, requiring manual user management at scale.
• Enterprise pricing is not publicly listed; requires contacting sales, making budget planning difficult.
• Azure AD (Entra ID) SCIM sync reported to have up to 40-minute delays before deprovisioning takes effect.
• No granular role permissions or custom roles; the three fixed roles (Owner, Admin, Member) are insufficient for organizations needing fine-grained access control.
• No CSV bulk import for users; bulk provisioning requires SCIM (Enterprise only) or manual individual invitations.
• Admins on Business plan cannot view individual member conversation activity, making it difficult to identify unused seats.
• Workspace and personal OpenAI API account share some settings, causing confusion when configuring SSO.
• Removed users' custom GPTs remain in the workspace with no automatic reassignment or cleanup workflow.
• Minimum 2-seat requirement on Business plan is a friction point for very small teams.
• No self-service downgrade path from Enterprise; requires contacting OpenAI account team.

Business plan is appropriate for teams that can tolerate manual provisioning and do not require directory sync - but every app addition and removal remains a hands-on task with no bulk tooling. SSO is included at this tier, but SCIM is not, and that boundary is firm and not configurable.

Enterprise is required for any organization that needs SCIM, audit logs, domain verification, or expanded admin controls. Enterprise pricing is custom and requires a sales engagement; no self-serve upgrade path exists. Nonprofit discounts are available: 20% off Business, 25% off Enterprise, subject to verification.

Bottom line

ChatGPT workspace administration is straightforward for small teams on the Business plan but becomes operationally costly at scale without Enterprise. Every app addition and removal is a manual action on Business, with no bulk tooling and limited usage visibility per member.

Enterprise unlocks SCIM and meaningful audit controls, but the jump requires a custom contract and a hard SSO prerequisite before directory sync can be activated.

Organizations managing more than a handful of seats on the Business plan should weigh the ongoing manual overhead against the Enterprise contract commitment before assuming the current setup is sustainable.