Summary and recommendation
Expel user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Expel is a managed detection and response (MDR) platform built around Expel Workbench (workbench.expel.io).
All user management - adding, editing, locking, and deleting accounts - is handled entirely through the Workbench UI.
There is no native SCIM provisioning, so every app in your stack that relies on automated lifecycle sync will not find that capability here.
Expel supports two built-in roles: Organization Admin and Organization Analyst.
Admins receive full administrative rights;
Analysts are scoped to alert monitoring and investigative work.
There are no publicly documented custom roles or granular permission tiers beyond these two.
Quick facts
| Admin console path | Administration / Settings > Users (exact labels vary by Expel Workbench deployment) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | N/A |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Can manage Workbench settings, integrations, and user access. | Cannot grant functionality outside the modules and service scope licensed for the Expel tenant. | Public docs do not fully enumerate all role variants. | ||
| Analyst / Responder | Can review alerts, cases, and investigation workflows available to their role. | May not be able to change tenant-wide settings or administer other users. | Exact permissions can vary by service configuration. |
Permission model
- Model type: role-based
- Description: Expel Workbench appears to use role-based access controls for tenant access, but the full role matrix is not publicly documented in detail.
- Custom roles: Unknown
- Custom roles plan: Not documented
- Granularity: Expect separation between administrative access and analyst workflows, with tenant-specific scopes.
How to add users
- Log in to Expel Workbench as an administrator.
- Open the settings or administration area and navigate to users.
- Choose the option to add or invite a user.
- Enter the user's work email or login identifier and assign the appropriate role.
- Save the user and complete any SSO or password onboarding required by the environment.
Required fields: Email address or username, Role
Watch out for:
- Exact invitation flow and navigation labels may vary by Expel deployment and customer configuration.
- If SSO is enabled, upstream IdP assignment may still be required.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Unknown | Not documented |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Public docs do not clearly state whether Expel users are disabled, deleted, or both. Treat the exact lifecycle behavior as tenant-specific unless verified in the product.
- Open the users area in Expel Workbench as an administrator.
- Locate the user account to offboard.
- Disable, revoke, or remove the account using the controls available in that tenant.
- Review service integrations and any API credentials associated with the user.
| Data impact | Behavior |
|---|---|
| Owned records | Alerts, cases, and investigation records remain tenant data; public docs do not describe user-owned content in detail. |
| Shared content | Shared cases, notes, and dashboards remain with the tenant unless separately deleted. |
| Integrations | Review API tokens, case-routing integrations, and service-account ownership during admin offboarding. |
| License freed | Seat reuse behavior is contract-dependent and not publicly documented in detail. |
Watch out for:
- Offboarding should include token and integration review, not just interactive login removal.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named tenant user | Administrative or analyst access to Expel Workbench. |
- Where to check usage: Administration / Settings > Users
- How to identify unused seats: Review the tenant user list and any last-login data visible in Workbench. No public unused-seat report was verified.
- Billing notes: Expel pricing is service- and contract-based. Public per-seat costs and self-serve license details are not documented.
The cost of manual management
Because Expel has no SCIM or automated provisioning, every joiner, mover, and leaver event requires a manual action in Workbench by an org admin. For SSO-enabled organizations, each new user also requires a separate step: the Workbench app must be assigned to that user in the SSO provider - a two-system touch per user change.
Offboarding carries a hard edge: deleting a user is immediate and permanent, with no deactivation buffer. Admins must be deliberate about timing, since there is no soft-lock-then-delete workflow - only a Lock/Unlock toggle or an outright delete.
Pricing is enterprise/custom with no publicly documented per-seat structure, so license cost tracking cannot be automated from available data.
The decision
Expel Workbench is the right fit for security operations teams that need a managed MDR layer and are comfortable with UI-driven user administration.
It is not suited for organizations that require automated provisioning or deprovisioning across every app via directory sync - the absence of SCIM means offboarding gaps are a real operational risk at scale.
SSO integration (Okta, Azure AD, OneLogin) is supported and reduces per-login friction, but it does not replace the need for manual user creation inside Workbench itself. Teams with high employee turnover or frequent role changes should factor in the admin overhead of maintaining Workbench access in parallel with their IdP.
Bottom line
Expel Workbench delivers strong MDR capabilities but ships with a fully manual user lifecycle model: no SCIM, no automated provisioning, and a permanent-delete-only offboarding path.
Org admins must manage every access change directly in the Workbench UI, and SSO users require a coordinated two-step setup across both Workbench and the SSO provider.
For teams prioritizing access hygiene at scale, this gap warrants a documented manual runbook and a clear offboarding checklist to prevent stale access from persisting after employee departures.
Automate Expel workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
