Summary and recommendation
Kyriba user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide covers the exact mechanics and shows where automation has the biggest impact.
Kyriba is an enterprise treasury and finance platform that uses role-based access control (RBAC) to govern what users can see and do across its modules.
Native SCIM 2.0 provisioning is available, but only on the Enterprise plan.
SSO is not a prerequisite for enabling SCIM, which simplifies initial setup for teams that haven't yet federated identity.
Quick facts
| Item | Detail |
|---|---|
| Admin console path | Settings / Administration > Users and Roles (exact labels vary by tenant) |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Can manage tenant settings, integrations, and user access. | Cannot grant functionality outside the modules licensed for the tenant. | | | Detailed built-in role names are not fully documented publicly. |
| Standard User | Can use the core product features exposed to their role. | May not be able to manage tenant settings or other users. | | | Exact privileges can vary by tenant configuration. |
Permission model
- Model type: role-based
- Description: Kyriba appears to use role-based access for tenant administration and general product use, but the detailed permission matrix is not publicly documented in full.
- Custom roles: Unknown
- Custom roles plan: Not documented
- Granularity: Expect administrative access to be separated from standard user access, with exact scopes configured per tenant.
How to add users
- Log in as an administrator.
- Open settings or administration and navigate to users.
- Choose the add or invite user action.
- Enter the user's work email and assign the appropriate role.
- Save the user and complete any activation or SSO steps required by the tenant.
Required fields: Work email address, Role
Watch out for:
- Public documentation for user administration is limited, so exact labels may vary by tenant.
- If SSO is enabled, upstream IdP assignment may still be required.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Public docs do not clearly document whether users are disabled, deleted, or both. Treat lifecycle behavior as tenant-specific unless confirmed in-product.
- Open the users area as an administrator.
- Locate the user to offboard.
- Disable, revoke, or remove the account using the controls available in that tenant.
- Review any integrations or service credentials associated with the departing user.
| Data impact | Behavior |
|---|---|
| Owned records | Tenant data remains in the workspace; public docs do not describe user-owned content semantics in detail. |
| Shared content | Shared dashboards, configurations, and records remain available unless separately removed. |
| Integrations | Review service credentials and integration ownership separately during admin offboarding. |
| License freed | Seat reuse behavior is contract-dependent and not publicly documented in detail. |
Watch out for:
- Offboarding should include token and integration review, not just interactive login removal.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named user | Administrative or standard access to the tenant. | |
- Where to check usage: Settings / Administration > Users and Roles
- How to identify unused seats: Review the tenant user list and any visible login or activity metadata. No public unused-seat report was verified.
- Billing notes: Pricing is not publicly listed on a per-seat basis. Indicative figures from third-party sources suggest starting costs around $5,000/month (mid-tier) to $15,000/month (enterprise), but these are not confirmed by official Kyriba pricing pages and should be verified directly with Kyriba sales.
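The offboarding review and unused-seat check described above can be run as a periodic reconciliation. The following is an added example, not Kyriba's or this guide's own code: Kyriba's user export format is not publicly documented, so the column names (`email`, `role`, `status`, `last_login`), the sample rows, and the leaver list are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data. Kyriba's export format is not publicly documented,
# so the column names below (email, role, status, last_login) are assumptions.
TENANT_USERS_CSV = """email,role,status,last_login
alice@example.com,Admin,active,2024-05-28
bob@example.com,Standard User,active,2024-01-10
carol@example.com,Standard User,active,2024-05-30
dave@example.com,Standard User,disabled,2023-11-02
svc-bank@example.com,Admin,active,
"""

# Constructed leaver list, e.g. from HR or the IdP: email -> last working day.
LEAVERS = {"carol@example.com": date(2024, 5, 15),
           "dave@example.com": date(2023, 11, 1)}


def review_access(users_csv, leavers, today, stale_days=90):
    """Return (email, finding) tuples for a periodic access review."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(users_csv)):
        email = row["email"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue  # already disabled; nothing to flag
        last = row["last_login"].strip()
        last_login = date.fromisoformat(last) if last else None
        left_on = leavers.get(email)
        if left_on and left_on <= today:
            # Leaver whose account is still usable: access drift.
            kind = "leaver_still_active"
            if last_login and last_login > left_on:
                kind = "leaver_login_after_departure"
            findings.append((email, kind))
        elif last_login is None:
            # No interactive login recorded: possible service or integration account.
            findings.append((email, "never_logged_in_review_owner"))
        elif last_login < cutoff:
            findings.append((email, "stale_seat"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(TENANT_USERS_CSV, LEAVERS, date(2024, 6, 1)):
        print(f"{finding:32} {email}")
```

Accounts with no recorded login are reported separately because they may be integration or service identities, which need an ownership review rather than a simple seat reclaim.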
The cost of manual management
Because Kyriba's help center and admin console require authenticated login, step-by-step user management workflows are not publicly verifiable. This means every app action - adding a user, adjusting a role, removing a leaver - likely requires navigating an undocumented UI path without a reliable public reference.
The absence of per-seat pricing transparency adds a second layer of friction: license audits must go through Kyriba sales rather than a self-serve dashboard. Third-party sources suggest costs in the range of ~$5,000–$15,000/month, but these figures are unconfirmed by official Kyriba pricing pages and should be validated directly with their sales team.
The decision
Manual user management in Kyriba is viable for small, stable teams where provisioning events are infrequent.
For organizations where every app in the stack needs to stay in sync with HR or IdP changes - new hires, role changes, departures - the lack of documented self-service workflows and the Enterprise-only SCIM gate create meaningful operational risk.
Teams on sub-Enterprise plans have no confirmed automated provisioning path and should factor that into their access governance planning.
Bottom line
Kyriba's RBAC model and native SCIM 2.0 support give Enterprise customers a credible foundation for automated user lifecycle management, but the opacity of its admin UI, gated documentation, and unconfirmed deactivation-vs-deletion behavior mean that manual processes carry real risk of access drift.
Organizations that need every app to reflect real-time identity changes should prioritize getting SCIM configured at onboarding and confirm offboarding behavior with Kyriba support before go-live.