Summary and recommendation
Drata user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Drata's user management lives at Settings → User Management (https://app.drata.com/settings/users) and is restricted to Administrators. The platform uses four fixed roles - Administrator, Owner, Auditor, and Employee/Personnel - with no custom role builder available in the UI. Role granularity is platform-level only; object-level ownership (controls, policies) is assigned separately inside the platform.
Quick facts
| Admin console path | Settings → User Management |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full access to all Drata features: manage users, configure integrations, edit controls, manage frameworks, view all reports, and configure SSO/SCIM settings. | All plans | Counts as a named seat; pricing is per-company contract, not per-seat list price. | Only Administrators can invite new users or change roles. At least one Administrator must remain active at all times. | |
| Owner | Assigned ownership of specific controls, policies, or evidence tasks. Receives task notifications and can upload evidence and mark controls complete within their assigned scope. | Cannot manage other users, configure integrations, or access billing settings unless also assigned Administrator role. | All plans | Counts as a named seat. | Owner role is scoped to assigned objects; broad platform access requires Administrator role in addition. |
| Auditor | Read-only access to controls, evidence, policies, and reports. Intended for external auditors reviewing compliance posture. | Cannot edit controls, upload evidence, manage users, or modify any settings. | All plans | Auditor seats are typically provided at no additional charge or at a reduced rate; confirm with Drata account team. | Auditor access is time-limited in practice; organizations typically create and deactivate Auditor accounts per audit engagement. |
| Employee / Personnel | Access to the Drata Personnel Portal to complete security training, acknowledge policies, and respond to background check requests. | Cannot access the main Drata compliance platform, controls, or evidence library. | All plans | Personnel are tracked as FTEs for plan tier limits (e.g., Foundation plan caps at 50 FTE); not the same as named platform seats. | FTE count affects plan tier, not just named user seats. Exceeding FTE limits may require plan upgrade. |
Permission model
- Model type: role-based
- Description: Drata uses a fixed set of built-in roles (Administrator, Owner, Auditor, Employee/Personnel). Roles are assigned per user at the platform level. Object-level ownership (controls, policies) is assigned separately within the platform. No custom role builder is available in the UI.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level only; no field-level or resource-level permission overrides outside of object ownership assignment.
How to add users
- Log in to Drata as an Administrator.
- Navigate to Settings → User Management (https://app.drata.com/settings/users).
- Click 'Invite User' or 'Add User' button.
- Enter the user's email address.
- Select the appropriate role (Administrator, Owner, or Auditor).
- Click 'Send Invite'. The user receives an email invitation to set up their account.
- User accepts the invitation and completes account setup (password or SSO login depending on configuration).
Required fields: Email address, Role selection
Watch out for:
- Invitation emails can land in spam; advise new users to check junk folders.
- If SSO is enforced, users must authenticate via the configured IdP; password-based login may be disabled.
- Personnel (employees) are synced via HR integrations (e.g., BambooHR, Rippling, Workday) or added manually in the Personnel section, not through the User Management invite flow.
- Adding platform users (Administrators, Auditors) does not automatically add them as tracked Personnel/FTEs, and vice versa.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Drata does not permanently delete user accounts from the platform UI. Administrators can deactivate users, which revokes login access and removes them from active user counts, but the user record and associated audit history are retained for compliance record-keeping purposes.
- Log in to Drata as an Administrator.
- Navigate to Settings → User Management (https://app.drata.com/settings/users).
- Locate the user to be deactivated.
- Click the options menu (ellipsis or action button) next to the user.
- Select 'Deactivate' or 'Remove User'.
- Confirm the deactivation in the prompt.
| Data impact | Behavior |
|---|---|
| Owned records | Controls, policies, and evidence tasks previously assigned to the deactivated user remain in place but become unassigned or retain the former owner's name in audit logs. Reassignment to an active user is recommended before deactivation. |
| Shared content | Shared reports and evidence uploaded by the deactivated user remain accessible to Administrators. |
| Integrations | Any personal API tokens or integration credentials tied to the deactivated user account should be rotated before deactivation to avoid integration failures. |
| License freed | Deactivating a user frees the named platform seat. FTE count (for plan tier purposes) is governed by HR integration sync, not platform user deactivation. |
Watch out for:
- Reassign control and policy ownership before deactivating a user to avoid orphaned compliance tasks.
- If SCIM provisioning is active (Enterprise plan), user deactivation should be managed in the IdP; manual deactivation in Drata may be overridden by the next SCIM sync.
- Deactivated users cannot log in but their historical activity and evidence submissions remain in audit logs, which is intentional for SOC 2 and ISO 27001 audit trails.
- There is no bulk deactivation option in the UI; each user must be deactivated individually.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Platform User Seat (Administrator/Owner/Auditor) | Access to the Drata compliance platform with role-appropriate permissions. | Included in contract; not individually itemized on public pricing. Auditor seats may be provided at no additional charge per engagement. |
| FTE / Personnel Seat | Tracked employee count for compliance purposes (training completion, policy acknowledgment, background checks). Determines plan tier eligibility. | Foundation plan covers up to 50 FTE (~$7,000–7,500/year). Higher FTE counts require Advanced or Enterprise tiers. |
- Where to check usage: Settings → User Management shows active platform users. Personnel count is visible under the Personnel section of the Drata dashboard.
- How to identify unused seats: Review last login dates in Settings → User Management. Users who have never logged in or have not logged in for an extended period after invitation may indicate unused seats. No automated idle-user report is available in the standard UI.
- Billing notes: Drata pricing is contract-based and not publicly listed per seat. FTE count is the primary driver of plan tier. Platform user (admin/auditor) seat counts are typically negotiated at contract time. Exceeding contracted FTE limits or adding frameworks beyond plan scope may trigger upsell conversations. Audit firm access (Auditor role) is typically handled outside standard seat billing.
The cost of manual management
SCIM provisioning is gated to the Enterprise tier, so teams on Foundation ($7,000–7,500/year) or Advanced ($15,000/year) plans must manage every app user invite, role change, and deactivation by hand. There is no bulk deactivation option; each user must be processed individually.
Auditor accounts have no automated expiry, so creating and tearing down access per audit engagement is a recurring manual task.
Personnel (employees) are tracked separately from platform users and are typically synced via HR integrations such as BambooHR, Rippling, or Workday - not through the standard invite flow. Confusion between 'platform users' and 'tracked Personnel/FTEs' is a documented source of duplicate or mismatched records.
FTE count, not named-user seats, drives plan tier eligibility, so headcount growth can trigger an upsell conversation independent of how many Administrators or Auditors are active.
What IT admins are saying
Practitioners consistently flag the absence of bulk user operations as a friction point - role changes and deactivations must be done one record at a time.
Invitation emails are reported to land in spam with enough frequency that re-invitation is a known support pattern; advising new users to check junk folders is a practical mitigation.
The split between platform users and Personnel records is a recurring source of confusion: adding an Administrator does not automatically create a tracked Personnel entry, and vice versa.
Teams that rely on HR integrations for Personnel sync report that mismatches between IdP-sourced records and manually added platform users require periodic reconciliation.
Common complaints:
- Custom pricing can be high for larger orgs.
- No bulk deactivation or bulk role-change option; user management must be done one at a time for platform users.
- SCIM provisioning is restricted to Enterprise tier, requiring manual user management on lower plans.
- Personnel sync via HR integrations can create confusion between 'platform users' and 'tracked employees', leading to duplicate or mismatched records.
- Auditor role access setup and teardown is a manual process with no automated expiry or time-limited access feature.
- Users report that invitation emails are sometimes not received, requiring re-invitation.
- No granular permission customization; organizations needing read-only access for internal stakeholders must use the Auditor role, which was designed for external auditors.
The decision
Manual user management in Drata is workable for small, stable teams on Foundation or Advanced plans where headcount and role changes are infrequent. The fixed role set covers the core compliance use cases - Administrator, Owner, Auditor, Employee - without requiring configuration overhead.
For organizations with regular onboarding and offboarding volume, the absence of bulk operations and SCIM below Enterprise tier creates compounding overhead. Teams should weigh the per-engagement cost of manual Auditor provisioning and the FTE-count sensitivity of plan tiers before committing to a lower plan.
If automated lifecycle management across every app is a requirement, the Enterprise tier with IdP-based sync is the only supported path within Drata.
Bottom line
Drata's manual user management is straightforward for low-change environments but does not scale gracefully: no bulk actions, no custom roles, no automated Auditor expiry, and SCIM locked to Enterprise. The platform/Personnel record split requires deliberate process design to avoid compliance gaps.
Teams expecting frequent role changes or headcount growth should factor the Enterprise upgrade cost into their evaluation, since the Foundation and Advanced tiers leave the full provisioning burden on administrators.
Automate Drata workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
