Summary and recommendation
Keap user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Keap is a CRM and marketing automation platform acquired by Thryv in 2024. It uses a fixed role-based access model with three core roles: Account Owner, Administrator, and Standard User.
There is no native SCIM or SAML support, so every app provisioning and deprovisioning action is performed manually through the Keap UI at Settings → Users & Permissions.
Quick facts
| Admin console path | Settings → Users & Permissions (gear icon in top-right navigation) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | All plans |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Account Owner | Full access to all features, billing, account settings, and user management. Can add/remove users and assign roles. | Cannot be removed or demoted without transferring ownership to another user. | All plans (one per account) | Included in base plan seat count | Only one Account Owner per account. Ownership transfer requires contacting Keap support. |
| Administrator | Access to most account settings, user management, contacts, campaigns, reports, and integrations. Can add and manage other users. | Cannot manage billing or transfer account ownership. | All plans | Counts against included seat total; additional seats at $39/user/month | Admins can invite new users and change roles, which may inadvertently grant broad access if not carefully managed. |
| Standard User | Access to contacts, tasks, appointments, email, and pipelines as configured by admin. Cannot access account-level settings. | Cannot manage users, billing, account settings, or integrations. | All plans | Counts against included seat total; additional seats at $39/user/month | Granular permission restrictions within the Standard User role are limited; Keap does not support fully custom roles. |
| Partner/Affiliate | Access limited to the affiliate/partner portal for tracking referrals and commissions. No CRM access. | Cannot access contacts, campaigns, or any CRM data. | All plans (requires Affiliate Center feature to be enabled) | Does not consume a paid user seat | Partner accounts are separate from standard user seats and managed through the Affiliate Center, not the main Users settings. |
Permission model
- Model type: role-based
- Description: Keap uses a fixed role-based access model with a small set of predefined roles (Owner, Administrator, Standard User). There is no support for creating custom roles or granular permission sets. Admins can toggle certain feature-level access (e.g., restrict access to specific pipelines or reports) within the Standard User role, but the overall model is not fully customizable.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Low. Role selection is limited to Owner, Admin, or Standard User. Some feature-level toggles exist for Standard Users (e.g., pipeline visibility, report access), but field-level or object-level permissions are not available.
How to add users
- Log in as Account Owner or Administrator.
- Click the gear/settings icon in the top-right corner of the Keap app.
- Navigate to Settings → Users & Permissions.
- Click 'Add User' or 'Invite User'.
- Enter the new user's first name, last name, and email address.
- Select the appropriate role (Administrator or Standard User).
- Configure any available feature-level permission toggles for the user.
- Click 'Send Invitation'.
- The invited user receives an email invitation and must accept it to activate their account.
Required fields: First name, Last name, Email address, Role selection
Watch out for:
- Adding a user beyond the plan's included seat count automatically triggers a $39/user/month charge on the next billing cycle.
- Invitation emails can land in spam; users should check junk folders.
- Invited users must accept the invitation before they appear as active and consume a seat.
- There is no bulk invite or CSV import for users; each user must be invited individually.
- No domain-based auto-provisioning is available; every user requires a manual invitation.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: Verify in tenant
- Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.
- Log in as Account Owner or Administrator.
- Navigate to Settings → Users & Permissions.
- Locate the user to be deactivated.
- Click on the user's name or the action menu (three dots) next to their name.
- Select 'Deactivate User' or toggle their status to inactive.
- Confirm the deactivation when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | Contacts, tasks, and records previously assigned to the deactivated user remain in the account and retain the deactivated user as the assigned owner. Admins should reassign records before or after deactivation to ensure continuity. |
| Shared content | Campaigns, emails, and automations created by the deactivated user remain active and functional in the account. |
| Integrations | Any API keys or OAuth tokens associated with the deactivated user's session may be invalidated. Integrations relying on that user's credentials should be reviewed and reconnected under an active user. |
| License freed | Deactivating a user frees the seat and removes the $39/user/month add-on charge (if applicable) at the next billing cycle. The seat reduction may not be immediate; billing adjustments typically apply at the next renewal. |
Watch out for:
- Records owned by a deactivated user are not automatically reassigned; orphaned records may become difficult to surface without a manual audit.
- Deactivated users still appear in historical activity logs and reporting.
- Reactivating a user immediately re-consumes a seat and may trigger additional billing.
- The Account Owner cannot be deactivated without first transferring ownership.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Included User Seat | Full CRM and feature access per role assignment. Pro plan includes 2 seats; Max plan includes 3 seats; Ultimate plan seat count varies by contract. | Included in base plan price ($249/month Pro, $399/month Max, custom for Ultimate) |
| Additional User Seat | Same access as included seats; added on top of plan's base seat allotment. | $39/user/month (billed monthly as an add-on) |
| Partner/Affiliate Account | Access to Affiliate Center portal only; no CRM access. | Does not consume a paid seat; no additional per-user charge |
- Where to check usage: Settings → Users & Permissions - active user count and seat usage are displayed on this page.
- How to identify unused seats: Review the Users & Permissions list for users with no recent login activity. Keap does not provide a built-in 'last login' report in the standard UI; admins must manually review user activity or check with Keap support for usage data.
- Billing notes: Base plan prices are billed annually (Pro: $249/month, Max: $399/month). Monthly billing is available at a higher rate (Pro: $299/month). Additional user seats are billed monthly at $39/user/month regardless of annual vs. monthly plan selection. Seat charges for newly added users begin at the next billing cycle. Removing a user mid-cycle does not typically result in a prorated refund; the seat charge applies through the end of the billing period.
The cost of manual management
Every app user invite must be sent individually - there is no bulk import or CSV-based provisioning path. Adding users beyond the plan's included seat count (2 on Pro, 3 on Max) triggers a $39/user/month add-on charge at the next billing cycle, with no prorated refund when a seat is removed mid-cycle.
Keap does not expose a built-in last-login report in the standard UI, so identifying inactive seats requires manually reviewing the Users & Permissions list or contacting Keap support. Orphaned records from deactivated users are not automatically reassigned, creating a secondary audit burden on every offboarding action.
What IT admins are saying
Recurring friction points reported by Keap admins center on access control gaps and provisioning overhead. The absence of SAML 2.0 support is a long-standing community request that remains unimplemented as of early 2025, and OAuth re-prompts frequently disrupt third-party integrations.
Admins also flag the lack of granular permissions - there is no way to restrict access to specific contact fields or data subsets within the Standard User role.
A mandatory onboarding coaching fee ($499–$2,000+) is a separate surprise cost for new customers that sits outside user seat pricing entirely.
Common complaints:
- No SAML 2.0 support; users requesting native SSO integration have not seen it delivered.
- OAuth re-prompts for access frequently, disrupting integrations.
- No custom roles or granular permissions; users cannot restrict access to specific contact fields or data subsets.
- No bulk user import or CSV-based provisioning; each user must be invited individually.
- No built-in last-login reporting makes it difficult to identify inactive seats for cost management.
- Mandatory onboarding coaching fees ($499–$2,000+) are a surprise cost for new customers separate from user seat pricing.
- Seat billing is not prorated on removal; admins report paying for deactivated users through the end of the billing period.
- Records owned by deactivated users are not auto-reassigned, creating data management overhead.
The decision
Keap's manual provisioning model is manageable for small teams where seat counts stay within plan limits and turnover is low. The fixed role set (Owner, Admin, Standard User) covers basic access separation but will not satisfy teams that need field-level or object-level restrictions.
Organizations with frequent onboarding/offboarding cycles, or those requiring IdP-driven provisioning, will face sustained manual overhead. The absence of SCIM and SAML means every app access change depends on an admin taking direct action in the Keap UI - there is no automated fallback.
Bottom line
Keap's user management works for small, stable teams willing to operate within a fixed three-role model and accept fully manual provisioning.
Every app access event - invite, role change, deactivation - requires direct admin intervention, and the lack of last-login reporting makes license hygiene an ongoing manual task.
Teams with compliance requirements, IdP dependencies, or high user churn will find the current model a persistent operational constraint.
Automate Keap workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
