Summary and recommendation
CircleCI user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
CircleCI user management is handled entirely through the Organization Settings > People console at app.circleci.com/settings/organization. There is no native SCIM endpoint, so every app in your stack that depends on automated provisioning must be handled manually or through SSO just-in-time (JIT) provisioning.
Role coverage spans four types: Org Admin, Org Member (Contributor), Project Admin, and Viewer - with Project Admin and group-based assignment gated to the Scale plan.
Quick facts
| Admin console path | Organization Settings > People |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Scale |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Org Admin | Full administrative control over the organization: manage members, roles, projects, contexts, usage, billing, and integrations. Can create and delete projects, manage VCS connections, and configure org-level settings. | Cannot act outside the scope of the VCS-linked organization without appropriate VCS permissions. | All plans | Counts as an active user seat; billed based on plan | Org Admin role in CircleCI is separate from VCS (GitHub/Bitbucket/GitLab) admin roles. A user must be added to CircleCI separately even if they are a VCS org admin. |
| Org Member (Contributor) | Can trigger pipelines, view build results, manage their own API tokens, and access projects they have been granted access to. Can follow projects. | Cannot manage org-level settings, billing, or other members' roles. Cannot access restricted contexts unless granted. | All plans | Counts as an active user seat on paid plans | On the Free plan, organizations are limited to 5 active users. Exceeding this requires upgrading to a paid plan. |
| Project Admin | Can manage settings for a specific project, including environment variables, SSH keys, webhooks, and project-level access. Available on Scale plan and above. | Cannot manage org-level settings or billing. Scope is limited to assigned projects. | Scale plan | Counts as an active user seat | Project-level roles are only available on Scale plan. On Free and Performance plans, project access is controlled at the org level only. |
| Viewer | Read-only access to pipelines, build results, and project configurations. Cannot trigger builds or modify settings. | Cannot trigger pipelines, modify settings, or manage any resources. | Scale plan | Counts as an active user seat | Viewer role availability may depend on plan tier; verify current plan entitlements in org settings. |
Permission model
- Model type: role-based
- Description: CircleCI uses a role-based access control (RBAC) model with org-level and project-level roles. Roles are assigned per organization and, on Scale plan, per project. Context-level restrictions allow limiting which roles can use shared environment variable contexts. Groups can be used on Scale plan to assign roles to sets of users.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Organization-level roles apply globally within the org. Project-level roles (Scale plan only) allow scoping permissions to individual projects. Context restrictions allow further limiting access to shared secrets by role.
How to add users
- Navigate to app.circleci.com and open your organization.
- Go to Organization Settings > People.
- Click 'Invite Members'.
- Enter the email address(es) of the users to invite.
- Select the role to assign (Org Admin or Member).
- Click 'Send Invite'. The invited user receives an email and must accept the invitation.
- Once accepted, the user appears in the People list and can be assigned project-level roles (Scale plan only).
Required fields: Email address of the invitee, Role selection (Org Admin or Member)
Watch out for:
- Users must have a CircleCI account (or create one) to accept the invitation. CircleCI accounts are linked to a VCS provider (GitHub, Bitbucket, or GitLab).
- Free plan is limited to 5 active users. Inviting a 6th user requires upgrading to Performance or Scale.
- Invitations expire if not accepted; admins must resend if needed.
- Users added via VCS org membership may automatically appear in CircleCI if the VCS integration is configured, but explicit role assignment still requires action in CircleCI settings.
- SCIM-based auto-provisioning is not natively supported; user provisioning via IdP requires manual setup or third-party tooling.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: CircleCI does not offer a hard-delete of user accounts from within the org admin console. Admins can remove (revoke) a user's membership from the organization, which prevents further access. The user's CircleCI account itself persists. Removal is effectively a deactivation/revocation of org membership.
- Navigate to app.circleci.com and open your organization.
- Go to Organization Settings > People.
- Locate the user to remove.
- Click the options menu (three dots or similar) next to the user.
- Select 'Remove from Organization' or equivalent option.
- Confirm the removal. The user immediately loses access to the organization and its projects.
| Data impact | Behavior |
|---|---|
| Owned records | Pipelines, build history, and artifacts created by the user remain in the organization and are accessible to other members. The user's historical data is not deleted. |
| Shared content | Contexts, environment variables, and project settings configured by the user remain intact and accessible to remaining org members. |
| Integrations | API tokens created by the removed user are invalidated upon removal. Any automated processes relying on that user's personal API tokens will break. |
| License freed | Removing a user from the organization frees their active user seat, which may reduce billing on the next cycle depending on plan terms. |
Watch out for:
- Personal API tokens belonging to the removed user are invalidated immediately; pipelines or scripts using those tokens will fail.
- If the user was the sole Org Admin, removing them leaves the organization without an admin. Ensure at least one other Org Admin exists before removal.
- Users connected via VCS (e.g., GitHub org membership) may regain access if they re-follow a project or if VCS-based auto-join is enabled. Revoking VCS org membership separately is recommended.
- There is no bulk-remove option in the UI; users must be removed individually.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Active User Seat | Any user who triggers a pipeline or is an active member of the organization within the billing period counts as an active user. Free plan includes up to 5 active users. | Free plan: included up to 5 users. Performance plan: included in base price (user count not explicitly capped beyond credits). Scale plan: custom pricing, contact sales. |
| Build Credits | Credits are consumed per compute minute based on resource class. Not directly tied to user seats but to pipeline execution. | Free: 30,000 credits/month. Performance: 30,000 credits/month included, additional credits purchasable. Scale: custom credit allotments. |
- Where to check usage: Organization Settings > Plan > Plan Usage (at app.circleci.com/settings/organization/[org-name]/plan/overview)
- How to identify unused seats: Navigate to Organization Settings > People to view the list of org members. Cross-reference with Plan Usage to identify members who have not triggered any pipelines in the billing period. CircleCI does not provide a built-in 'last active' timestamp per user in the People view; usage data is aggregated at the org level.
- Billing notes: CircleCI billing is primarily credit-based (compute consumption) rather than strictly per-seat on Performance and Scale plans. However, the Free plan enforces a 5-user hard cap. On paid plans, the number of active users is not the primary billing lever; credits consumed are. Scale plan pricing is negotiated and may include seat-based components. Server (self-hosted) licensing is per-seat and negotiated annually.
The cost of manual management
Every app without automated lifecycle management creates compounding offboarding risk, and CircleCI is a high-exposure example. Removing a user revokes org membership but does not invalidate their personal API tokens - any pipelines or scripts using those tokens break silently and must be tracked down manually.
There is no bulk-remove option; each user must be removed individually through the UI. The People view also lacks a per-user last-active timestamp, so identifying inactive accounts for license cleanup requires cross-referencing Plan Usage data manually.
What IT admins are saying
The most consistent friction reported by CircleCI admins centers on the gap between VCS and CircleCI access.
Removing a user from a GitHub org does not remove them from CircleCI; the two systems are independent, and re-following a project can restore access if VCS-based auto-join is enabled.
The Free plan's hard cap of 5 active users catches small teams off guard when a sixth collaborator is added. Lack of a built-in last-active date per user is a recurring complaint for teams trying to right-size their active user count on paid plans.
Common complaints:
- No native SCIM support for automated user provisioning/deprovisioning; requires manual user management or custom scripting.
- GitHub SSO and CircleCI access are not automatically synchronized; removing a user from the GitHub org does not remove them from CircleCI.
- Personal API tokens are invalidated when a user is removed, breaking automated pipelines without warning.
- No bulk user removal or bulk role assignment in the admin UI.
- Free plan 5-user limit is a common friction point for small teams that exceed it unexpectedly.
- No built-in 'last active' date per user in the People view, making it difficult to identify inactive users for license cleanup.
- Pricing scales quickly once the free credit tier is exhausted, especially with parallel builds.
- Project-level roles and groups are only available on the Scale plan, limiting access control granularity for Performance plan customers.
The decision
Manual management is viable for small, stable teams on the Performance plan where org-level roles are sufficient and headcount changes are infrequent. It becomes operationally expensive once team size grows, project-level role scoping is needed (Scale plan only), or offboarding SLAs tighten.
Teams with an existing IdP (Okta, Entra ID, OneLogin) should evaluate SSO-based JIT provisioning on the Scale plan as the lowest-friction path to consistent lifecycle management without building custom tooling.
Bottom line
CircleCI's manual user management is straightforward for small orgs but carries real operational risk at scale: no SCIM, no bulk actions, no per-user activity timestamps, and a VCS-access gap that can leave departed employees with residual access.
Project-level roles and group assignment - the features that make access governance tractable - are Scale-plan-only. Teams that need reliable, auditable provisioning and deprovisioning should treat SSO JIT provisioning as a prerequisite, not an enhancement, and build token-revocation steps explicitly into their offboarding runbooks.
Automate CircleCI workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
