
Fivetran User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 11, 2026

Summary and recommendation

Fivetran user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Fivetran user management is built on a three-tier role-based access control (RBAC) model covering account, destination, and connector scopes. Built-in roles include Account Administrator, Account Reviewer, Connector Creator, Destination Administrator, Destination Analyst, and Connector Administrator. Custom roles are available on Enterprise and Business Critical plans only.

Users are managed from Dashboard → Account Settings → Users. Invitations are email-based; an invited user is not active until they accept. If SSO is enforced, the user must authenticate through the configured IdP - password login is blocked.

Quick facts

  • Admin console path: Dashboard → Account Settings → Users
  • Admin console URL: Official docs
  • SCIM available: Yes
  • SCIM tier required: Enterprise / Business Critical
  • SSO prerequisite: Yes

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Account Administrator | Full access to all account settings, connectors, destinations, billing, and user management. Can create and manage all roles. | Cannot be restricted from any account-level action. | All plans | No per-seat cost; Fivetran is usage-based (MAR), not seat-based | There must always be at least one Account Administrator; the last admin cannot be demoted or removed. |
| Account Reviewer | Read-only access to all connectors, destinations, and account settings. | Cannot modify anything. Cannot create, edit, pause, or delete connectors or destinations. Cannot manage users. | All plans | No per-seat cost | Useful for auditors or stakeholders who need visibility without write access. |
| Connector Creator | Can create new connectors and manage connectors they own. | Cannot access connectors created by others unless explicitly granted. Cannot manage destinations, billing, or other users' connectors. | All plans | No per-seat cost | Scope is limited to connectors the user personally creates unless additional connector-level permissions are granted. |
| Destination Administrator | Full control over a specific destination and all connectors within it, including schema management. | Cannot manage account-level settings, billing, or other destinations unless explicitly assigned. | All plans | No per-seat cost | Role is scoped per destination; a user may be Destination Administrator on one destination and have no access to another. |
| Destination Analyst | Read-only access to a specific destination's connectors and sync history. | Cannot modify connectors, schemas, or destination settings. | All plans | No per-seat cost | Scoped per destination; must be assigned separately for each destination the user needs to view. |
| Connector Administrator | Full control over a specific connector: edit credentials, trigger syncs, manage schema, view logs. | Cannot manage destination settings or other connectors unless separately assigned. | All plans | No per-seat cost | Scoped per connector; granular but requires explicit assignment for each connector. |
| Custom Role | Admin-defined combination of account-level, destination-level, and connector-level permissions. | Cannot exceed the permissions of the Account Administrator who created the role. | Enterprise or Business Critical | No per-seat cost | Custom roles are only available on Enterprise and Business Critical plans. Standard and Free plans are limited to built-in roles. |

Permission model

  • Model type: role-based
  • Description: Fivetran uses a hierarchical role-based access control (RBAC) model with three scopes: account-level, destination-level, and connector-level. Built-in roles exist at each scope. Users can hold multiple roles simultaneously across different scopes. Custom roles allow fine-grained permission combinations on Enterprise/Business Critical plans.
  • Custom roles: Yes
  • Custom roles plan: Enterprise or Business Critical
  • Granularity: Three-tier hierarchy: account scope (global), destination scope (per destination), connector scope (per connector). Permissions include view, create, edit, delete, and manage-users actions at each scope level.

How to add users

  1. Log in to the Fivetran dashboard as an Account Administrator.
  2. Navigate to Account Settings → Users (https://fivetran.com/account/users).
  3. Click 'Invite User'.
  4. Enter the user's email address.
  5. Select the account-level role to assign (e.g., Account Administrator, Account Reviewer, Connector Creator, or a custom role on eligible plans).
  6. Optionally assign destination-level or connector-level roles by expanding the relevant sections.
  7. Click 'Send Invitation'.
  8. The invited user receives an email and must accept the invitation to activate their account.

Required fields: Email address, At least one role assignment

Watch out for:

  • Invited users must accept the email invitation before they can log in; there is no way to force-activate an account.
  • If SSO is enforced on the account, the invited user must authenticate via the configured IdP; password-based login will be blocked.
  • Role assignments take effect immediately upon invitation acceptance, not at invitation send time.
  • Users invited to a destination or connector scope only (no account-level role) will have a very limited dashboard view and may find navigation confusing.

| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise or Business Critical (SCIM provisioning requires SSO to be configured first) |

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: Fivetran supports permanent user deletion, and it also supports removing a user's account role without necessarily treating every offboarding action as a hard delete. There is no traditional suspended-seat state in the dashboard; access is removed by deleting the user or removing their account membership/roles.
  1. Log in to the Fivetran dashboard as an Account Administrator.
  2. Navigate to Account Settings → Users (https://fivetran.com/account/users).
  3. Locate the user in the user list.
  4. Click the options menu (three dots) next to the user's name.
  5. Select 'Delete User' (or 'Remove User' depending on dashboard version).
  6. Confirm the deletion in the confirmation dialog.

| Data impact | Behavior |
|---|---|
| Owned records | Connectors and destinations created by the deleted user remain intact and continue to sync; ownership is not transferred but the resources are not deleted. |
| Shared content | Any transformations or dbt models associated with the user's account remain in place and continue to run. |
| Integrations | Active connector syncs are unaffected by user deletion; connectors continue operating under account-level credentials. |
| License freed | Because Fivetran pricing is usage-based (MAR), not seat-based, deleting a user does not directly reduce costs. Cost is driven by data volume synced, not number of users. |

Watch out for:

  • Do not remove the last Account Administrator before assigning another one.
  • Deleting a user is permanent; if you need a softer offboarding pattern, remove account access or use SCIM deactivation where available.
  • If SCIM is active, drive lifecycle changes from the IdP to avoid re-provisioning conflicts.

License and seat management

| Seat type | Includes | Cost |
|---|---|---|
| User seat (all roles) | All user roles (Administrator, Reviewer, Connector Creator, Destination roles, custom roles) are included without per-seat charges. Fivetran does not charge per user. | No per-seat cost. Pricing is based on Monthly Active Rows (MAR) per connection. |

  • Where to check usage: Account Settings → Billing (https://fivetran.com/account/billing) shows MAR consumption by connector. User count is visible at Account Settings → Users.
  • How to identify unused seats: Fivetran does not provide a native 'last login' timestamp in the Users UI as of early 2025. Admins can use the Fivetran Audit Log (available via API or Log Service connector) to identify users with no recent activity. Alternatively, review invitation-pending users who have never accepted their invite.
  • Billing notes: As of March 2025, MAR is calculated per-connection rather than account-wide, which can significantly increase costs for accounts with many connectors. User count has no direct impact on billing. Enterprise and Business Critical plans have a minimum annual commitment (approximately $12,000/year for Business Critical). Free plan includes 500,000 MAR/month and 5,000 model runs.
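
A sketch of the access review described above, added here as an example (it is not code from Fivetran or from this guide's source). It derives last activity from audit events, separates never-accepted invitations, and blocks any removal that would leave the account without an Account Administrator. The record layout, field names, and the 90-day window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names ("email", "account_role", "accepted",
# "actor", "at") are assumptions for this example, not Fivetran's schema.
USERS = [
    {"email": "ana@example.com", "account_role": "Account Administrator", "accepted": True},
    {"email": "bo@example.com", "account_role": "Account Administrator", "accepted": True},
    {"email": "cy@example.com", "account_role": "Connector Creator", "accepted": True},
    {"email": "di@example.com", "account_role": "Account Reviewer", "accepted": False},
]
AUDIT_EVENTS = [
    {"actor": "ana@example.com", "at": "2026-03-01T09:00:00+00:00"},
    {"actor": "bo@example.com", "at": "2025-10-02T14:30:00+00:00"},
    {"actor": "ana@example.com", "at": "2026-02-11T08:15:00+00:00"},
]

def access_review(users, events, now, max_idle_days=90):
    """Split users into pending invites, stale accounts and active accounts."""
    last_seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["at"])
        last_seen[ev["actor"]] = max(ts, last_seen.get(ev["actor"], ts))
    cutoff = now - timedelta(days=max_idle_days)
    report = {"pending_invite": [], "stale": [], "active": []}
    for u in users:
        if not u["accepted"]:
            bucket = "pending_invite"   # invited but never activated
        elif u["email"] not in last_seen or last_seen[u["email"]] < cutoff:
            bucket = "stale"            # no audit activity inside the window
        else:
            bucket = "active"
        report[bucket].append(u["email"])
    return report

def safe_removals(users, candidates):
    """Drop candidates whose removal would leave no active Account Administrator."""
    admins = {u["email"] for u in users
              if u["account_role"] == "Account Administrator" and u["accepted"]}
    approved = []
    for email in candidates:
        if email in admins and len(admins) == 1:
            continue                    # last admin: assign another one first
        admins.discard(email)
        approved.append(email)
    return approved

NOW = datetime(2026, 3, 11, tzinfo=timezone.utc)
REPORT = access_review(USERS, AUDIT_EVENTS, NOW)
```

An invited administrator who has not accepted is not counted toward the admin total, since an invited user is not active until acceptance.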

The cost of manual management

Fivetran does not bill per user seat, so the manual cost is operational rather than licensing-based.

The real overhead is access review work: custom roles and SCIM sit on higher tiers, there is no bulk user import flow in the UI, and admins often need API or audit-log support to answer basic questions about stale access.

What IT admins are saying

Community data is currently sparse for this app.

The decision

Manual management is viable for small, stable teams where user turnover is low and the built-in role set covers access needs. The invitation flow is straightforward, and the three-tier RBAC model gives reasonable granularity for every app, destination, and connector in the account.

For teams with frequent onboarding/offboarding, a Standard plan creates a ceiling: no custom roles, no SCIM, and no bulk import. The operational cost of manual access reviews rises quickly without last-login data surfaced in the UI.

Enterprise or Business Critical plans unlock SCIM and custom roles, which meaningfully reduce manual overhead. Teams already running Okta or Microsoft Entra ID should evaluate SCIM provisioning before committing to a manual workflow at scale.

Bottom line

Fivetran's manual user management works cleanly for small teams with predictable access patterns, but it shows friction at scale.

The lack of a native last-login timestamp makes access reviews dependent on API queries, custom roles are gated behind the two highest plan tiers, and there is no bulk import path for users.

Teams managing every app and data pipeline through a single Fivetran account should weigh the operational cost of manual provisioning against the Enterprise plan requirement before choosing a long-term approach.


* Details sourced from official product documentation and admin references.
