
Chef User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 4, 2026

Summary and recommendation

Chef user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Chef splits user management across two separate systems: Chef Automate (web UI at Settings > Users) and Chef Infra Server (knife CLI). There is no SCIM support at any tier, and the two systems maintain independent user stores with no synchronization.

Automated provisioning requires either SAML/LDAP just-in-time login or direct API scripting against the Automate IAM v2 API.

Quick facts

  • Admin console path: Settings > Users (Chef Automate); knife user commands or Chef Manage web UI (Chef Infra Server)
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Enterprise
  • SSO prerequisite: No

User types and roles

Admin (Chef Automate)
  • Permissions: Full access to all Chef Automate resources, settings, user management, and IAM policies. Can create/delete users, teams, and policies.
  • Plan required: Any Chef Automate license
  • Seat cost: Counts as a named user seat
  • Watch out for: The initial admin user is created during Automate setup via 'chef-automate iam admin-access restore'. Losing all admin access requires CLI recovery.

Viewer (Chef Automate)
  • Permissions: Read-only access to all Chef Automate resources (compliance reports, infrastructure nodes, dashboards). Cannot modify any resources.
  • Cannot do: create, update, or delete any resources or policies.
  • Plan required: Any Chef Automate license
  • Seat cost: Counts as a named user seat
  • Watch out for: Viewer is a built-in IAM role; it cannot be scoped to a subset of resources without creating a custom policy.

Editor (Chef Automate)
  • Permissions: Can create, update, and delete most Chef Automate resources (nodes, profiles, pipelines). Cannot manage users or IAM policies.
  • Cannot do: manage users, teams, or IAM policies.
  • Plan required: Any Chef Automate license
  • Seat cost: Counts as a named user seat

org-admin (Chef Infra Server)
  • Permissions: Full control over a specific organization on Chef Infra Server: manage nodes, cookbooks, roles, environments, data bags, and org membership.
  • Cannot do: manage other organizations or server-level settings unless also a server superuser.
  • Plan required: Chef Infra Server (commercial license)
  • Watch out for: org-admin is scoped per organization. A user must be explicitly added as org-admin to each org they need to administer.

Server Superuser (Chef Infra Server)
  • Permissions: Server-wide administrative access including all organizations, user management, and server configuration.
  • Plan required: Chef Infra Server (commercial license)
  • Watch out for: Superuser status is set via 'chef-server-ctl grant-server-admin-permissions '. This is a CLI-only operation.

Permission model

  • Model type: hybrid
  • Description: Chef Automate uses IAM v2, which combines predefined roles (Admin, Editor, Viewer) with custom policies. Policies are composed of statements that grant or deny actions on resources to subjects (users, teams, or tokens). Chef Infra Server uses a separate group-based ACL model per organization with fixed groups (admins, clients, users, billing-admins) and per-object ACLs.
  • Custom roles: Yes
  • Custom roles plan: Available in Chef Automate with any commercial license; custom policies are created via the UI or API.
  • Granularity: Chef Automate IAM v2 supports resource-level and action-level policy statements (e.g., restrict access to specific compliance profiles or infrastructure nodes). Chef Infra Server ACLs are per-object (cookbook, node, role, etc.) with read/create/update/delete/grant permissions.
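The Viewer caveat above (a built-in role cannot be narrowed without a custom policy) is easiest to see in a concrete IAM v2 policy document. The following is an added example, not Chef's own code or tooling: it builds a policy that grants the viewer role on a chosen set of projects to one team, validates the document's shape before it is sent, and posts it to the IAM v2 policies endpoint. The policy layout (id, name, members, statements with effect/role/projects) is the IAM v2 format; the team name, project ids and Automate URL are constructed sample values, and the member-string check is this example's own and stricter than what the API accepts.

```python
"""Scope the built-in Viewer role to selected projects via a custom IAM v2 policy.

Added example, not Chef's code. Sample team, project ids and URL are constructed.
"""
import json
import re
import urllib.request

# IAM v2 member strings look like user:local:alice, team:saml:ops, token:<id>.
# This pattern is the example's own sanity check, deliberately narrow.
MEMBER_RE = re.compile(r"^(user|team):(local|ldap|saml):[^:]+$|^token:.+$")
VALID_EFFECTS = {"ALLOW", "DENY"}


def scoped_viewer_policy(policy_id, team, projects):
    """Return a policy dict granting the viewer role on `projects` only.

    Viewer on its own applies to every resource; attaching it through a
    statement with an explicit project list is what narrows it.
    """
    if not projects:
        raise ValueError("projects must not be empty; an empty list grants nothing")
    member = f"team:local:{team}"          # assumes a local (non-SSO) team
    if not MEMBER_RE.match(member):
        raise ValueError(f"invalid member: {member}")
    return {
        "id": policy_id,
        "name": f"Viewer for {team}",
        "members": [member],
        "statements": [
            {"effect": "ALLOW", "role": "viewer", "projects": list(projects)}
        ],
        "projects": [],                     # the policy object itself is unassigned
    }


def validate_policy(policy):
    """Return a list of problems; empty means the document is well-formed."""
    problems = []
    for key in ("id", "name", "members", "statements"):
        if key not in policy:
            problems.append(f"missing field {key}")
    for m in policy.get("members", []):
        if not MEMBER_RE.match(m):
            problems.append(f"bad member {m}")
    for i, st in enumerate(policy.get("statements", [])):
        if st.get("effect") not in VALID_EFFECTS:
            problems.append(f"statement {i}: effect must be ALLOW or DENY")
        if not st.get("role") and not st.get("actions"):
            problems.append(f"statement {i}: needs a role or an actions list")
        if not st.get("projects"):
            problems.append(f"statement {i}: needs at least one project")
    return problems


def create_policy(automate_url, token, policy):
    """POST the policy to the IAM v2 policies endpoint (api-token header)."""
    req = urllib.request.Request(
        f"{automate_url}/apis/iam/v2/policies",
        data=json.dumps(policy).encode(),
        headers={"api-token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = scoped_viewer_policy("compliance-viewers", "compliance", ["prod-web"])
    assert validate_policy(policy) == []
    print(json.dumps(policy, indent=2))
    # create_policy("https://automate.example.com", "TOKEN-PLACEHOLDER", policy)
```

Run it to print the document; uncomment the last line with a real URL and token to create the policy. A DENY statement in the same list is how you carve exceptions out of a broader grant.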

How to add users

  1. Chef Automate: Navigate to Settings > Users in the Automate web UI.
  2. Click 'Create User'.
  3. Enter the required fields: display name, username, and password (for local users).
  4. Optionally assign the user to one or more Teams.
  5. Save the user. The user is immediately active.
  6. Chef Infra Server (knife): Run 'knife user create --email --password --file ' to create a server user.
  7. Chef Infra Server: Add user to an org with 'knife org user add '.
  8. Chef Infra Server: Optionally grant org-admin with 'knife org user add --admin'.

Required fields: Display name (Chef Automate), Username (Chef Automate and Chef Infra Server), Password (Chef Automate local users), Email address (Chef Infra Server)

Watch out for:

  • Chef Automate local users are separate from SAML/LDAP-authenticated users. SAML/LDAP users are provisioned on first login; they cannot be pre-created in the UI.
  • Chef Automate does not support SCIM provisioning; automated user lifecycle management requires SAML/LDAP or manual API calls.
  • Chef Infra Server user creation requires knife CLI or the Chef Manage web UI (deprecated); there is no modern web-based user creation flow for Infra Server.
  • Chef Manage (the Infra Server web UI) reached end-of-life and is no longer actively developed; CLI is the recommended path.
  • Users created in Chef Automate are not automatically available in Chef Infra Server and vice versa; the two systems have separate user stores.

Bulk options:

  • CSV import: No (not documented)
  • Domain whitelisting: No (automatic domain-based user add)
  • IdP provisioning: Yes. SAML and LDAP integration available in Chef Automate with any commercial license. SAML supports Okta and Entra ID. No SCIM; users are provisioned on first SSO login only.

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: Chef Automate allows deletion of local users via Settings > Users > select user > Delete. Chef Infra Server allows user deletion via 'knife user delete '. There is no 'deactivate' or 'suspend' state in either system; removal is a hard delete. SAML/LDAP users who are removed from the IdP will lose access on next login attempt but their Automate user record may persist until manually deleted.

  1. Chef Automate: Navigate to Settings > Users.
  2. Select the user to remove.
  3. Click 'Delete User' and confirm.
  4. Chef Infra Server: Run 'knife user delete ' and confirm.
  5. Chef Infra Server: Remove user from org with 'knife org user remove ' before or after deletion.
  6. For SAML/LDAP users: disable or remove the user in the IdP to revoke access; optionally delete the residual record in Automate.

Data impact:

  • Owned records: Nodes, cookbooks, roles, and other objects created by the user on Chef Infra Server remain and are not deleted with the user. Chef Automate compliance reports and scan jobs associated with the user persist.
  • Shared content: Shared resources (cookbooks, policies, compliance profiles) are unaffected by user deletion.
  • Integrations: API tokens (Chef Automate) associated with the deleted user are also deleted. Knife configurations referencing the deleted user's key will stop working.
  • License freed: Deleting a user frees the named user seat for reassignment under the commercial license.

Watch out for:

  • There is no soft-delete or deactivation state; deletion is immediate and irreversible for local users.
  • SAML/LDAP users may retain a residual record in Chef Automate after IdP removal; this record must be manually deleted to fully remove the user.
  • Deleting a Chef Infra Server user does not automatically remove their org memberships; org membership removal is a separate step.
  • API tokens created by a deleted Chef Automate user are deleted, which can break automated pipelines if tokens were shared.
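The removal steps and caveats above have an ordering that is easy to get wrong by hand: the IdP has to go first for SSO users, shared tokens have to be reissued before the Automate record is deleted, and org memberships do not disappear with the Infra Server user. The script below is an added example, not Chef's or Stitchflow's code, that turns those rules into a runbook for one user and either prints it as a dry run or executes it. It uses the knife commands named on this page ('knife org user remove', 'knife user delete') and DELETE /apis/iam/v2/users/<id> with the api-token header on the Automate side; the usernames, org names, token name and URL are constructed, and it assumes the Automate user id equals the username.

```python
"""Offboarding runbook for one human user across both Chef user stores.

Added example, not Chef's code. Sample names and URL are constructed.
"""
import subprocess
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Step:
    system: str                        # "idp", "infra-server" or "automate"
    action: str                        # what an operator reads in the runbook
    knife: Optional[list] = None       # argv when the step is a knife command
    api_path: Optional[str] = None     # Automate path when the step is an API DELETE


def plan_offboarding(username, orgs, sso_user, shared_tokens=()):
    """Return the ordered steps that fully remove `username`.

    - IdP first for SAML/LDAP users; the Automate record still has to be deleted.
    - Shared API tokens are reissued before the Automate user goes, because
      deleting the user deletes its tokens and silently breaks pipelines.
    - Org memberships are removed explicitly; `knife user delete` leaves them.
    """
    steps = []
    if sso_user:
        steps.append(Step("idp", f"Disable {username} in the IdP (Automate record persists until deleted)"))
    for tok in shared_tokens:
        steps.append(Step("automate", f"Reissue shared API token {tok!r} under a service account"))
    for org in orgs:
        steps.append(Step("infra-server", f"Remove {username} from org {org}",
                          knife=["knife", "org", "user", "remove", org, username]))
    steps.append(Step("infra-server", f"Delete Infra Server user {username}",
                      knife=["knife", "user", "delete", username, "--yes"]))
    steps.append(Step("automate", f"Hard-delete Automate user {username}",
                      api_path=f"/apis/iam/v2/users/{username}"))   # id == username assumed
    return steps


def execute(steps, automate_url, token, dry_run=True):
    """Run each step; with dry_run=True only return what would be run."""
    log = []
    for s in steps:
        if s.knife:
            if not dry_run:
                subprocess.run(s.knife, check=True)
            log.append("knife: " + " ".join(s.knife))
        elif s.api_path:
            url = automate_url + s.api_path
            if not dry_run:
                req = urllib.request.Request(url, headers={"api-token": token}, method="DELETE")
                with urllib.request.urlopen(req) as resp:
                    resp.read()
            log.append(f"DELETE {url}")
        else:
            log.append(f"manual [{s.system}]: {s.action}")
    return log


if __name__ == "__main__":
    plan = plan_offboarding("alice", ["ops", "web"], sso_user=True, shared_tokens=["ci-deploy"])
    for line in execute(plan, "https://automate.example.com", "TOKEN-PLACEHOLDER"):
        print(line)
```

The dry run is the runbook itself: keep its output with the ticket, then rerun with dry_run=False once the IdP and token steps are confirmed done.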

License and seat management

  • Named User (Chef Automate): Access to Chef Automate web UI and APIs, compliance reporting, infrastructure visibility, and pipeline dashboards. Cost: custom pricing; contact Progress/Chef sales. Available on AWS Marketplace as PAYG or contract.
  • Node (Chef Infra): A managed node (server, VM, container, network device) running Chef Infra Client and checking in to Chef Infra Server. Licensing is node-count based, not per human user. Cost: custom pricing per node; contact Progress/Chef sales.
  • Where to check usage: Chef Automate: Settings > License (shows license expiry and node count usage). Chef Infra Server: 'chef-server-ctl license' CLI command shows node count.
  • How to identify unused seats: Chef Automate provides a node activity view showing last check-in time per node. Nodes not checking in can be identified and deleted to reduce node count. For human users, no built-in last-login report exists in the UI; API queries to /api/v0/auth/users can be used to enumerate users.
  • Billing notes: Chef Infra licensing is primarily node-based (per managed node), not per human user seat. Chef Automate may have separate named user licensing depending on the contract. Commercial license is required for support and updates; the open-source Chef distributions (Chef Infra Client, InSpec) are available under Apache 2.0 but without commercial support. Progress acquired Chef in 2020; all commercial licensing is through Progress.

The cost of manual management

Every app without SCIM demands a manual offboarding checklist, and Chef compounds this by requiring separate removal steps in both Automate and Infra Server. Deleting a user in Automate does not touch Infra Server org memberships, and SAML/LDAP users may leave residual records in Automate after IdP removal that must be cleaned up manually.

API tokens created by a deleted user are also deleted immediately, which can silently break automated pipelines if tokens were shared across workflows.

What IT admins are saying

Practitioners consistently flag the dual user store problem: a user added to Chef Automate is not available in Chef Infra Server, and vice versa, doubling every provisioning and deprovisioning action.

The deprecation of Chef Manage (the Infra Server web UI) with no modern replacement forces all Infra Server user operations onto the knife CLI.

There is also no built-in last-login report for human users in Automate, making inactive account identification and license reclamation a manual API exercise.

Common complaints:

  • No documented SCIM support; automated user provisioning/deprovisioning requires custom API scripting or reliance on SAML just-in-time provisioning.
  • Complex SAML configuration with limited official troubleshooting guidance.
  • Chef Automate and Chef Infra Server maintain separate user stores with no synchronization, requiring duplicate user management effort.
  • Chef Manage (Infra Server web UI) is deprecated with no modern replacement, forcing reliance on knife CLI for Infra Server user management.
  • No built-in last-login reporting for human users in Chef Automate, making it difficult to identify inactive accounts for license reclamation.
  • SAML/LDAP users are not pre-provisionable; they only appear in Automate after first login, complicating pre-access role assignment.
  • Pricing and seat count details are opaque; customers report difficulty understanding node vs. user licensing boundaries.

The decision

Chef is a strong fit for infrastructure automation teams already invested in the Chef ecosystem who can tolerate CLI-heavy user management.

It is a poor fit for IT or identity teams expecting IdP-driven lifecycle automation: SAML/LDAP handles authentication only, SCIM is absent, and every app in your stack that does support SCIM will deliver faster, lower-risk provisioning than Chef's current model.

Teams managing more than a handful of users should plan for scripted API workflows or accept ongoing manual overhead.

Bottom line

Chef's user management is functional but fragmented: two separate user stores, no SCIM, a deprecated web UI for Infra Server, and no soft-delete or deactivation state anywhere in the stack.

Every app that supports SCIM will offer a materially lower operational burden for user lifecycle management. Teams choosing Chef should budget for scripted provisioning workflows and explicit offboarding runbooks that cover both Automate and Infra Server independently.

Automate Chef workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

  • Every app coverage, including apps without APIs
  • 60+ app integrations plus browser automation for apps without APIs
  • IT graph reconciliation across apps and your IdP
  • Less than a week to launch, maintained as APIs and admin consoles change
  • SOC 2 Type II. ~2 hours of your team's time


* Details sourced from official product documentation and admin references.
