Summary and recommendation
Cube user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Cube Cloud user management is handled entirely through the web console at https://app.cube.dev. There is no SCIM provisioning, no bulk import, and no programmatic user API - every app in your stack that relies on automated lifecycle management will require a manual workaround here.
Roles are predefined (Owner, Admin, Developer, Viewer) and assigned per organization member; custom roles are not supported.
Quick facts
| Admin console path | Cube Cloud dashboard → Organization Settings → Members |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise (usage-based CCU) |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full administrative control: manage members, billing, deployments, integrations, and all workspace settings. | All plans | Counted as a billable member seat; usage billed via CCU | Only one Owner per organization; ownership transfer requires contacting Cube support. | |
| Admin | Manage members, deployments, and workspace settings. Cannot manage billing. | Cannot access or modify billing settings; cannot transfer ownership. | All plans | Counted as a billable member seat; usage billed via CCU | |
| Developer | Access to deployments, data model editing, and API playground. Cannot manage members or billing. | Cannot invite or remove members; cannot access billing or organization settings. | All plans | Counted as a billable member seat; usage billed via CCU | |
| Viewer | Read-only access to dashboards and deployment status. Cannot modify data models or settings. | Cannot edit data models, manage members, or access billing. | All plans | Counted as a billable member seat; usage billed via CCU | Viewer role availability and exact permissions may vary by plan; verify in official docs as role naming can shift between product updates. |
Permission model
- Model type: role-based
- Description: Cube Cloud uses predefined roles (Owner, Admin, Developer, Viewer) assigned per organization member. Row-level security and data access control for end-users querying the API is handled separately via Cube's security context and RBAC features in the data model, available on Enterprise.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Organization-level role assignment for Cube Cloud console access; API-level row/cube-level security context for downstream query access control (Enterprise).
How to add users
- Sign in to Cube Cloud at https://app.cube.dev.
- Navigate to Organization Settings → Members.
- Click 'Invite Member'.
- Enter the invitee's email address.
- Select the appropriate role (Admin, Developer, or Viewer).
- Click 'Send Invite'. The invitee receives an email invitation to join the organization.
Required fields: Email address, Role selection
Watch out for:
- Invitees must accept the email invitation before they appear as active members.
- SSO-enforced organizations (Premium/Enterprise) may require the invitee to authenticate via the configured IdP before gaining access.
- No bulk CSV import is documented for member invitations.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Members can be removed from the organization via Organization Settings → Members. Removal revokes access immediately. There is no documented 'deactivate' (suspend without removal) state; removal is the only documented offboarding action.
- Sign in to Cube Cloud at https://app.cube.dev.
- Navigate to Organization Settings → Members.
- Locate the member to remove.
- Click the options menu (⋯) next to the member.
- Select 'Remove Member' and confirm the action.
| Data impact | Behavior |
|---|---|
| Owned records | Deployments and data models created by the removed member remain in the organization and are not deleted. |
| Shared content | Shared resources (deployments, saved queries) remain accessible to remaining members. |
| Integrations | API tokens or credentials associated with the removed user's personal access should be rotated manually after removal. |
| License freed | Removing a member reduces the active member count; CCU billing is usage-based and not strictly per-seat, but member count may affect plan limits. |
Watch out for:
- The Owner role cannot be removed without first transferring ownership.
- Personal API tokens issued to the removed member are not automatically revoked; administrators should audit and rotate tokens manually.
- SCIM-based automated deprovisioning is not available; removal must be performed manually in the console.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Free | Up to 2 development instances, not for production use. No CCU charges. | $0 |
| Starter | Production cluster, npm packages, 150 GB pre-aggregations storage. | $0.15 per CCU |
| Premium | 99.95% uptime SLA, VPC deployment, Azure support, SSO via Okta. | $0.30 per CCU |
| Enterprise | 99.99% uptime SLA, VPC peering, SAML 2.0 / LDAP SSO, RBAC (data-level), dedicated CSM. | Custom CCU pricing |
| Enterprise Premier | 99.995% uptime SLA, multi-cluster, Elastic/Kafka streaming support. | Custom CCU pricing |
- Where to check usage: Cube Cloud dashboard → Organization Settings → Billing (CCU consumption and member count visible here)
- How to identify unused seats: No documented automated tool for identifying inactive members. Administrators must manually review the Members list and cross-reference last-login activity if available.
- Billing notes: Cube Cloud bills on CCU (Cube Consumption Units), a usage-based metric rather than a strict per-seat model. Member count does not directly map to a per-seat charge, but plan tier limits and CCU consumption are affected by active deployments and query volume. Commit payment plans are available on Premium and above. A ~17% price increase was reported following platform changes.
The cost of manual management
Because Cube Cloud has no SCIM or user management API, every onboarding and offboarding action requires a console login and manual steps. Removing a member does not automatically revoke their personal API tokens, so each offboarding event also requires a separate token audit.
There is no suspend or deactivate state - removal is the only documented offboarding action, making partial access restriction impossible without a full removal.
What IT admins are saying
The most consistent friction point reported is the absence of SCIM provisioning, which forces all user additions and removals through the UI regardless of organization size.
Practitioners also flag that domain-based auto-provisioning is not documented, and that no bulk CSV invite path exists for onboarding multiple members at once.
The CCU-based pricing model adds a secondary concern: team scaling and query volume growth affect costs simultaneously, making spend forecasting harder than with a flat per-seat model.
Common complaints:
- SCIM provisioning is not available, requiring all user additions and removals to be performed manually in the Cube Cloud console.
- No bulk CSV import for inviting multiple members at once.
- No documented 'suspend' or 'deactivate' state for members - removal is the only offboarding option.
- Personal API tokens are not automatically revoked when a member is removed, creating a potential security gap.
- Domain-based auto-provisioning (allow-listing an email domain) is not documented.
- CCU-based pricing makes it difficult to predict costs when scaling team size and query volume simultaneously.
The decision
Cube Cloud is a reasonable fit for smaller analytics teams comfortable with manual provisioning and a usage-based cost model. For organizations with compliance requirements around automated deprovisioning or IdP-driven lifecycle management, the absence of SCIM is a hard gap - not a configuration issue.
SAML 2.0 and LDAP SSO are available on Enterprise (custom CCU pricing), but SSO delegates authentication only; user accounts must still be created manually in the console before SSO login works.
Bottom line
Cube Cloud's user management is functional but entirely manual: invite by email, remove via console, audit tokens separately. Every app that expects automated provisioning or deprovisioning will need a process workaround until SCIM support is documented.
Teams evaluating Cube for larger or compliance-sensitive environments should treat the absence of SCIM and the lack of a suspend state as first-order operational constraints, not minor gaps.
Automate Cube workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
