Summary and recommendation
Heap user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Heap's admin console lives at Account > Settings > Users & Permissions. Roles are fixed at four tiers - Owner, Admin, Member, and Viewer - assigned at the account level with no per-dashboard or per-project scoping available in the standard UI.
SCIM provisioning is available on Enterprise, but only through Okta; teams on other identity providers must manage Heap access manually.
Quick facts
| Item | Value |
|---|---|
| Admin console path | Account > Settings > Users & Permissions |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full access to all features including billing, account settings, user management, and all analytics data. Can delete the account. | | All plans | Counts as a named user seat | Only one Owner per account; ownership must be explicitly transferred to another admin before the current owner can be removed. |
| Admin | Can invite and remove users, manage roles, configure integrations, and access all analytics features. Cannot manage billing or transfer ownership. | Cannot access billing settings or transfer account ownership. | All plans | Counts as a named user seat | |
| Member | Can view and interact with dashboards, charts, and reports. Can create and edit their own analyses. Cannot manage users or account settings. | Cannot invite users, manage roles, or access account/billing settings. | All plans | Counts as a named user seat | |
| Viewer | Read-only access to shared dashboards and reports. Cannot create or edit analyses. | Cannot create, edit, or delete any content. Cannot manage users or settings. | Pro or Enterprise (availability of Viewer role may vary by plan; verify with Heap) | May count as a reduced-cost or separate seat type depending on contract; verify with Heap sales | Viewer seat availability and cost structure depends on negotiated contract terms on Pro/Enterprise plans. |
Permission model
- Model type: role-based
- Description: Heap uses a fixed set of predefined roles (Owner, Admin, Member, Viewer). Permissions are assigned at the account level by role. There is no granular per-project or per-dashboard permission scoping in the standard UI.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Account-level role assignment only; no per-resource or per-project permission scoping available through the standard admin UI.
How to add users
- Log in as Owner or Admin.
- Navigate to Account > Settings > Users & Permissions (or go to heapanalytics.com/app/manage/users).
- Click 'Invite Users' or 'Add User'.
- Enter the invitee's email address.
- Select the desired role (Admin, Member, or Viewer).
- Click 'Send Invite'. The invitee receives an email to accept and set up their account.
Required fields: Email address, Role selection
Watch out for:
- Invitations expire if not accepted within a set period; a new invite must be sent if the link expires.
- Users must accept the email invitation before they appear as active in the Users list.
- On Free plan, the number of seats may be limited; check plan limits before inviting.
- SCIM provisioning (Enterprise + Okta) bypasses manual invite flow entirely.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Heap allows admins to remove (delete) users from the account via the Users & Permissions settings page. Removed users lose access immediately. Historical event data attributed to that user's actions in Heap is retained (analytics data is not deleted). There is no separate 'deactivate/suspend' state in the standard UI; removal is the primary offboarding action. With SCIM on Enterprise, deprovisioning in the IdP removes access automatically.
- Log in as Owner or Admin.
- Navigate to Account > Settings > Users & Permissions.
- Locate the user in the list.
- Click the options menu (ellipsis or 'Remove') next to the user.
- Confirm removal. The user's access is revoked immediately.
| Data impact | Behavior |
|---|---|
| Owned records | Dashboards, charts, and saved analyses created by the removed user remain in the account and are accessible to other users. Content is not deleted upon user removal. |
| Shared content | Shared dashboards and reports created by the removed user continue to be accessible to other team members. |
| Integrations | Any API keys or integration configurations associated with the removed user should be reviewed and rotated manually, as Heap does not automatically revoke these upon user removal. |
| License freed | Removing a user frees up the seat, which may affect seat count billing on the next billing cycle depending on contract terms. |
Watch out for:
- Account Owner cannot be removed without first transferring ownership to another user.
- Heap does not have a 'suspend' or 'deactivate' state; removal is permanent and immediate.
- On Enterprise with SCIM, deprovisioning should be done in the IdP (Okta) to ensure consistent offboarding; manual removal in Heap UI may conflict with SCIM sync.
- API keys tied to removed users are not automatically invalidated; manual key rotation is required.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User Seat (Owner/Admin/Member) | Full interactive access to Heap analytics, dashboards, and account management features per role. | Included in plan; seat limits and per-seat pricing depend on plan tier and contract. Free plan has limited seats. |
| Viewer Seat | Read-only access to shared dashboards and reports. | May be available at reduced cost on Pro/Enterprise; exact pricing requires contract negotiation with Heap sales. |
- Where to check usage: Account > Settings > Users & Permissions - lists all active users and their roles. Billing seat count visible under Account > Settings > Billing (for plan owners).
- How to identify unused seats: No built-in 'last login' or 'inactive user' report is documented in the standard Heap admin UI. Admins must manually review the user list or use IdP activity logs (if SSO is configured) to identify inactive users.
- Billing notes: Heap uses session-based pricing for analytics data volume, not purely per-seat pricing. However, named user seats may be capped by plan tier. Free plan: up to 10,000 sessions/month, limited seats. Growth/Pro/Enterprise: contact Heap sales for seat limits and pricing. Seat changes mid-contract may require contacting Heap support or account management.
The cost of manual management
Heap provides no built-in last-login report or inactive-user filter, so license audits require manually reviewing the user list or cross-referencing IdP activity logs. There is no bulk CSV import for users, meaning large teams without SCIM must send individual email invitations one at a time.
Removing a user does not automatically revoke API keys tied to that account, so offboarding requires a separate manual key-rotation step to close the access gap.
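The cross-reference described above can be scripted once both lists exist as CSV. The following is an added example, not Heap or Stitchflow code: it compares a hand-maintained Heap roster with an IdP sign-in export and flags dormant seats and users who have left the IdP but still hold a seat. The column names, the 90-day threshold and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data. Column names are assumptions: the roster is typed
# from Users & Permissions, the sign-in rows stand in for an IdP activity-log
# export filtered to the Heap app.
HEAP_ROSTER = """email,role
ana@example.com,Owner
ben@example.com,Admin
cy@example.com,Member
dee@example.com,Member
eli@example.com,Viewer
"""
IDP_SIGNINS = """email,idp_status,last_heap_signin
ana@example.com,active,2024-05-28T09:12:00+00:00
ben@example.com,active,2024-01-15T14:03:00+00:00
cy@example.com,deprovisioned,2024-03-02T08:40:00+00:00
dee@example.com,active,
"""

def audit_seats(roster_csv, signins_csv, now, max_idle_days=90):
    """Return (email, role, finding, action) for every seat on the roster."""
    idp = {r["email"].strip().lower(): r
           for r in csv.DictReader(io.StringIO(signins_csv))}
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email, role = row["email"].strip().lower(), row["role"].strip()
        rec = idp.get(email)
        last = (rec["last_heap_signin"] or "").strip() if rec else ""
        if rec is None:
            # Seat with no IdP identity behind it: needs a human decision.
            result = ("unknown", "verify who holds this seat")
        elif rec["idp_status"].strip() != "active":
            # Left the IdP but still on the roster. Owners cannot be removed
            # until ownership is transferred; API keys need manual rotation.
            first = "transfer ownership, then " if role == "Owner" else ""
            result = ("offboard", first + "remove user and rotate API keys")
        elif not last or datetime.fromisoformat(last) < cutoff:
            result = ("dormant", "confirm need or reclaim seat")
        else:
            result = ("ok", "")
        findings.append((email, role) + result)
    return findings

if __name__ == "__main__":
    for f in audit_seats(HEAP_ROSTER, IDP_SIGNINS, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(*f, sep=" | ")
```

A user who has never signed in through the IdP is treated as dormant rather than ok, so pending or unused invitations surface in the same review.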
What IT admins are saying
Admins consistently flag the absence of any inactivity or last-login visibility as the sharpest operational pain point - there is no supported way to surface dormant seats from within Heap itself.
Viewer seat availability and pricing are opaque; teams report needing direct sales negotiation to understand what Viewer access costs on Pro or Enterprise.
SCIM being limited to Okta is a recurring complaint from organizations running Entra ID, Google Workspace, or OneLogin, all of which are left without automated provisioning.
Common complaints:
- Users report that Heap lacks a built-in way to see last login dates or identify inactive users, making license audits manual and time-consuming.
- Some users note that the Viewer role's availability and pricing are unclear and require direct negotiation with Heap sales.
- Admins report that there is no bulk user import via CSV, requiring individual email invitations for large teams not using SCIM.
- Community feedback indicates that SCIM provisioning is limited to Okta on Enterprise, leaving teams using other IdPs (Entra ID, Google Workspace, OneLogin) without automated provisioning.
- Users note that removing a user does not automatically revoke API keys, creating a potential security gap during offboarding.
The decision
Manual management is viable for small teams on Growth or Pro where seat counts are low and turnover is infrequent. For any organization that needs consistent, auditable onboarding and offboarding across every app in its stack, the Okta-only SCIM constraint on Enterprise is a meaningful limitation worth evaluating before committing to a plan tier.
Teams not on Okta should factor in the ongoing manual overhead of invitation-based provisioning and the absence of inactive-user reporting when assessing total administrative cost.
Bottom line
Heap's user management is straightforward for small teams but shows real friction at scale: no inactive-user visibility, no bulk import, Okta-only SCIM, and a removal flow that leaves API keys live.
Organizations that need clean, automated lifecycle management across every app should weigh the Enterprise + Okta requirement carefully against their existing IdP setup before assuming provisioning will be hands-off.