Summary and recommendation
Hugging Face user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Hugging Face organizations use a two-tier role model - Owner and Member - with no custom roles available at any plan tier.
Repository-level visibility (public, private, gated) layered on top of org roles provides the only additional access granularity.
Because there is no middle-tier delegation, every app or workflow that needs scoped admin access must work within this binary.
SSO and SCIM provisioning are gated behind the Enterprise Hub plan, which requires contacting sales for pricing above the documented $50+/user/mo floor.
Quick facts
| Admin console path | Organization page → Settings (gear icon) → Members |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise Plus |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Organization Owner | Full administrative control: invite/remove members, change member roles, manage billing, configure SSO/SCIM, create/delete repositories and spaces, manage organization settings and visibility. | Any paid organization plan (Team or Enterprise Hub); organizations exist on Free tier but with limited features. | $20/user/mo on Team; $50+/user/mo on Enterprise Hub | At least one owner must remain in the organization at all times; you cannot remove the last owner. | |
| Organization Member | Access to organization repositories and spaces according to repo-level visibility settings; can create repos within the org if permitted; can collaborate on models, datasets, and spaces. | Cannot manage billing, invite other members, change member roles, or configure SSO/SCIM settings. | Any plan (Free, Team, or Enterprise Hub). | $20/user/mo on Team; $50+/user/mo on Enterprise Hub; free on Free-tier orgs. | Members must have an existing Hugging Face account before they can be invited; invitations are sent to the account's registered email. |
| Repository Contributor (external collaborator) | Access limited to specific repositories where they have been granted read or write access; not a full org member. | Cannot access org-wide settings, other repositories, or billing. | Repo-level access is distinct from org membership; removing org membership does not automatically revoke repo-level access granted outside the org context. |
Permission model
- Model type: role-based
- Description: Hugging Face organizations use a two-tier role model: Owner and Member. Repository-level visibility (public, private, gated) provides additional access control. There are no custom roles; permissions are determined by the org role plus per-repository settings.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Org-level roles (Owner/Member) combined with per-repository visibility and gating controls. No field-level or resource-level custom permission sets.
How to add users
- Navigate to your organization page on huggingface.co.
- Click the Settings (gear) icon to open organization settings.
- Select the 'Members' tab.
- Click 'Invite new members'.
- Enter the Hugging Face username or email address of the person to invite.
- Select the role (Owner or Member).
- Click 'Send invitation'. The invitee receives an email and must accept before gaining access.
Required fields: Hugging Face username or registered email address of the invitee
Watch out for:
- Invitees must already have a Hugging Face account; there is no way to pre-provision an account via the UI invitation flow.
- Pending invitations count against the seat total on paid plans.
- On Enterprise Hub with SCIM enabled, users can be provisioned automatically via the IdP; manual invitations and SCIM provisioning can coexist but may cause duplication if not managed carefully.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise Hub (requires SSO to be configured first) |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Hugging Face does not offer a 'deactivate' state for org members. Admins can remove a member from the organization, which revokes their org membership immediately. The user's individual Hugging Face account continues to exist; only the org association is severed. Account-level deletion is handled by the user themselves via account settings, not by org admins.
- Navigate to your organization page on huggingface.co.
- Click the Settings (gear) icon.
- Select the 'Members' tab.
- Locate the member to remove.
- Click the remove/kick icon or option next to their name.
- Confirm the removal. The user loses org access immediately.
| Data impact | Behavior |
|---|---|
| Owned records | Repositories, models, datasets, and spaces created under the organization namespace remain in the organization after the member is removed; they are not deleted or transferred automatically. |
| Shared content | Content the removed user contributed to org repositories remains intact; commit history is preserved. |
| Integrations | Any API tokens the removed user generated under their personal account continue to function for their personal resources but lose access to private org resources upon removal. |
| License freed | The seat is freed immediately upon removal on Team and Enterprise Hub plans, reducing the billable seat count at the next billing cycle. |
Watch out for:
- Removing a member does not revoke personal API tokens; the user retains access to any public org resources via their personal account.
- On Enterprise Hub with SCIM, deprovisioning the user in the IdP will automatically remove them from the org; manual removal and IdP deprovisioning should be coordinated to avoid inconsistency.
- You cannot remove the last owner of an organization; assign another owner first.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Team seat | Organization membership with private repos, team collaboration features, and standard Hub compute access. | $20/user/mo |
| Enterprise Hub seat | All Team features plus SSO (SAML), SCIM provisioning, audit logs, advanced security controls, SLA, and dedicated support. | $50+/user/mo (exact pricing requires contacting sales) |
- Where to check usage: Organization Settings → Members tab shows current member count; Organization Settings → Billing shows seat usage and invoices.
- How to identify unused seats: No built-in 'last active' or usage analytics per member are documented in official Hub docs. Admins must manually review the Members list and cross-reference activity. Enterprise Hub audit logs may provide login/activity data to identify inactive users.
- Billing notes: Seats are billed per user per month. Removing a member frees the seat; the reduction typically takes effect at the next billing cycle. Free-tier organizations have no seat cost but lack private repo and enterprise features. Pro plan ($9/mo) is an individual account upgrade, not an org seat.
The cost of manual management
Without SCIM, every app in your stack that touches Hugging Face org membership requires a manual invite-and-accept cycle through the Members tab. Invitees must already hold a Hugging Face account before an invite can be sent, adding a pre-provisioning step that falls outside the normal onboarding flow.
Removing a member severs org access immediately, but does not revoke personal API tokens or previously approved gated-repository access - both require separate manual action that is easy to miss at offboarding.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Choose the Team plan ($20/user/mo) if your org needs private repositories and basic collaboration but can tolerate manual provisioning and no SSO. Move to Enterprise Hub ($50+/user/mo, sales-quoted) if SCIM-based lifecycle automation, SAML SSO, and audit logs are operational requirements - keeping every app in your environment consistently provisioned depends on that SCIM foundation.
If neither plan is active, the free tier supports public org collaboration only, with no private repo or access-control enforcement.
Bottom line
Hugging Face org administration is straightforward for small teams but shows friction at scale: the Owner/Member binary limits delegation, manual offboarding leaves token and gated-repo access open unless explicitly cleaned up, and activity-based seat auditing is only practical on Enterprise Hub.
Teams that need automated provisioning across every app in their environment should plan for the Enterprise Hub prerequisite chain - SSO first, then SCIM - before committing to the plan upgrade.
Automate Hugging Face workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
