Summary and recommendation
Contentful user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Contentful uses a two-tier permission model: organization-level roles (Owner, Admin, Member) control who can manage the org itself, while space-level roles (Admin, Editor, Author, Translator, Viewer) control what users can do inside each space.
These two layers are managed in separate locations - Organization Settings for org roles, Space Settings for space roles - which is the most common source of onboarding confusion.
Keeping access accurate across every app in your stack starts with understanding that adding someone to the Contentful org does not grant them access to any space; space roles must be assigned explicitly and separately.
Quick facts
| Admin console path | Organization Settings → Organization members (for org-level); Space Settings → Roles & permissions (for space-level) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Premium/Enterprise (High Availability/Scale) |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Organization Owner | Full control over organization settings, billing, SSO configuration, adding/removing members, managing all spaces, and assigning organization-level roles. | Cannot be removed from the organization without first transferring ownership to another member. | All plans | Counts as a billable user seat | Only one Owner per organization. Ownership transfer must be done before the current owner can be removed. |
| Organization Admin | Can manage organization members, create and delete spaces, manage space memberships, and configure organization settings. Cannot manage billing. | Cannot access billing settings or change subscription plan. | All plans | Counts as a billable user seat | Organization Admin is distinct from Space Admin; an Org Admin does not automatically have admin rights inside every space. |
| Organization Member | Base organization membership. Access to specific spaces is granted separately via space-level roles. | Cannot manage other users, create spaces, or access organization settings. | All plans | Counts as a billable user seat | Being an Organization Member does not grant any space access by default; space roles must be assigned explicitly. |
| Space Admin (space-level) | Full control within a specific space: manage content types, entries, assets, API keys, and space memberships. | Cannot manage organization-level settings, billing, or other spaces. | All plans | Counts as a billable user seat | Space Admin rights are scoped to the individual space; must be granted per space. |
| Space Editor (space-level) | Can create, edit, publish, and archive entries and assets within the assigned space. | Cannot manage content types, API keys, space settings, or other users. | All plans | Counts as a billable user seat | |
| Space Author (space-level) | Can create and edit entries and assets they own. Can submit for review but cannot publish. | Cannot publish, archive, or delete content created by others. | All plans | Counts as a billable user seat | Author role restricts publishing rights; content must be published by an Editor or Admin. |
| Space Translator (space-level) | Can edit localized fields in entries. Cannot create new entries or modify non-localized fields. | Cannot create entries, publish, or manage content types. | All plans | Counts as a billable user seat | |
| Custom Role (space-level) | Fully configurable permissions at the space level, including granular controls over content types, entries, assets, and locales. | Custom roles are space-scoped only; cannot grant organization-level permissions. | Team plan and above (not available on Free or Basic/Lite plans) | Counts as a billable user seat | Custom roles require a paid plan. On Free plan, only the five built-in space roles are available. |
Permission model
- Model type: hybrid
- Description: Contentful uses a two-tier permission model. At the organization level, users are assigned one of three roles (Owner, Admin, Member) controlling org-wide capabilities. At the space level, users are assigned one of five built-in roles (Admin, Editor, Author, Translator, Viewer) or a custom role. Space-level permissions are highly granular and can be scoped by content type, locale, and action (create, read, update, publish, archive, delete). Users must be organization members before they can be added to a space.
- Custom roles: Yes
- Custom roles plan: Team plan and above
- Granularity: Space-level custom roles support per-content-type, per-locale, and per-action (create, read, update, publish, archive, delete) permission rules. Environment-level access can also be restricted.
How to add users
- Log in to Contentful and navigate to your Organization via the top-left organization switcher.
- Go to Organization Settings → Organization members.
- Click 'Invite users'.
- Enter the invitee's email address.
- Select the organization-level role (Owner, Admin, or Member).
- Optionally, select one or more spaces and assign a space-level role for each.
- Click 'Send invitation'. The invitee receives an email and must accept to gain access.
- To add an existing organization member to a space: go to Space Settings → Space members → Add members, select the user, and assign a space role.
Required fields: Email address, Organization role (Owner, Admin, or Member), Space role (required if adding to a space at invitation time)
Watch out for:
- Invitations expire if not accepted; a new invitation must be sent if the link expires.
- Users must have a Contentful account or create one upon accepting the invitation.
- Adding a user to the organization does not automatically grant them access to any space; space roles must be assigned separately.
- On the Free plan, the organization is limited to 5 users total across all spaces.
- On the Lite plan, up to 20 users are included; additional users may incur overage charges depending on plan terms.
- SSO-enforced organizations may require users to authenticate via the configured IdP before they can accept invitations.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (Premium/Scale/High Availability plans with SSO enabled) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Contentful allows removing (deleting) a user from an organization or from a specific space. Removing a user from the organization revokes all access across all spaces in that organization. Removing a user from a space only revokes access to that space while retaining their organization membership. There is no 'deactivate' or 'suspend' state; removal is immediate and permanent for that organization/space. The user's Contentful account itself is not deleted-only their membership in the organization or space is removed.
- To remove a user from the entire organization: go to Organization Settings → Organization members.
- Locate the user in the member list.
- Click the options menu (three dots) next to the user's name.
- Select 'Remove from organization'.
- Confirm the removal in the dialog. The user immediately loses access to all spaces in the organization.
- To remove a user from a single space only: go to Space Settings → Space members.
- Locate the user, click the options menu, and select 'Remove from space'.
- Confirm the removal.
| Data impact | Behavior |
|---|---|
| Owned records | Content entries and assets created by the removed user remain in the space and are not deleted. The content retains the original author metadata but remains accessible to other users. |
| Shared content | All published and draft content created by the removed user persists and is unaffected by the removal. |
| Integrations | API keys and access tokens are not automatically revoked when a user is removed. Any personal access tokens the user created must be revoked separately if needed. |
| License freed | Removing a user from the organization frees their seat, which may reduce billable user count depending on plan terms. Seat reduction may not take effect until the next billing cycle. |
Watch out for:
- The Organization Owner cannot be removed without first transferring ownership to another member.
- Personal access tokens created by the removed user are not automatically invalidated; administrators should audit and revoke tokens manually.
- If SSO/SCIM is configured, deprovisioning via the IdP will remove the user from Contentful automatically; manual removal in the Contentful UI may also be required depending on SCIM configuration.
- Removing a user from a space does not remove them from the organization; they retain org membership and can be re-added to spaces.
- There is no audit log of content changes attributed to removed users visible in the standard UI on lower-tier plans.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| User seat (Free plan) | Up to 5 users across the organization, 2 locales, 1M API calls/month, 1 space. | $0/month |
| User seat (Lite plan) | Up to 20 users, 1 Starter Space, 5 locales, 10M API calls/month. | $300/month (flat rate; additional users may incur overage) |
| User seat (Team plan) | Unlimited users, custom roles, multiple spaces, SSO add-on available. | Custom pricing; contact Contentful sales |
| User seat (Enterprise/Premium/Scale/HA plans) | Unlimited users, SCIM provisioning, SSO included, advanced roles, SLA, dedicated support. | Custom enterprise pricing; starting approximately $60,000/year for Premium |
- Where to check usage: Organization Settings → Subscription → Usage (shows current user count and plan limits)
- How to identify unused seats: Contentful does not provide a native 'last login' or 'inactive user' report in the admin UI. Administrators must cross-reference organization member lists manually or use the Contentful Management API (GET /organizations/{orgId}/users) to enumerate users and audit activity via API access logs if available on their plan.
- Billing notes: User seats are counted at the organization level. On the Free plan, the hard cap is 5 users. On the Lite plan, the included user count is 20; exceeding this may trigger overage charges. Enterprise plans typically negotiate a user count as part of the contract; overages are subject to contract terms. Seat reductions from removing users may not reflect in billing until the next billing cycle. Space add-ons (Medium, Large, XL, etc.) are priced separately from user seats.
The cost of manual management
Contentful provides no native last-login or inactive-user report in the admin UI. Identifying unused seats requires manually cross-referencing the Organization members list or querying the Management API - there is no one-click audit view. Personal access tokens created by removed users are not automatically revoked, so every offboarding requires a separate token audit step.
Invitation links expire silently; if a user does not accept in time, admins must re-send without any in-app alert.
What IT admins are saying
Recurring friction reported by Contentful admins centers on three areas. First, SCIM and SSO are gated behind Enterprise (High Availability or Scale) plans, making automated lifecycle management unavailable to smaller teams entirely.
Second, the split between org-level and space-level membership management causes role gaps - a user added to the org is not automatically added to any space, and vice versa.
Third, there is no audit log of content changes attributed to removed users in the standard UI on lower-tier plans, which creates gaps in accountability after offboarding.
Common complaints:
- Complex plan requirements for features like custom roles and SSO, which are gated behind Team or Enterprise tiers.
- No native 'last login' or inactive user reporting in the admin UI, making it difficult to identify unused seats without using the Management API.
- Personal access tokens created by removed users are not automatically revoked, creating a potential security gap.
- Invitation links expire without clear notification to admins, requiring re-invitation of users who did not accept in time.
- Organization-level and space-level permissions are managed in separate locations, which can cause confusion when onboarding users.
- SCIM provisioning requires both SSO and an Enterprise plan, making automated user lifecycle management inaccessible to smaller teams.
- No bulk CSV import for users; large-scale user onboarding requires either manual invitation or SCIM/API integration.
- Admin management complexity for SCIM authorization, particularly around token generation and IdP configuration.
The decision
Manual administration in Contentful is workable for small, stable teams on Free or Lite plans where user counts are low and turnover is infrequent. For organizations managing more than 20 users, multiple spaces, or frequent role changes, the absence of inactive-user reporting and the two-location management model create meaningful ongoing overhead.
The goal of keeping every app in your environment consistently provisioned and deprovisioned becomes harder to sustain without either SCIM automation or a disciplined manual process - and SCIM requires an Enterprise contract with SSO already configured.
Bottom line
Contentful's permission model is thorough but deliberately split across two administrative surfaces, and the platform provides no native tooling to surface inactive users or automatically clean up access tokens on removal.
For teams on Enterprise plans with SSO in place, SCIM provisioning handles the lifecycle automation gap well. For everyone else, offboarding and seat auditing are fully manual processes that require consistent discipline to execute without leaving residual access behind.
Automate Contentful workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
