Stitchflow
Mandrill User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 11, 2026

Summary and recommendation

Mandrill user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Mandrill (now Mailchimp Transactional Email) is primarily an API product for transactional email sending, and every app or integration that uses it depends on API keys rather than named user sessions. User and access management is not handled within Mandrill itself - it flows entirely through the parent Mailchimp account.

A Mailchimp Standard or Premium plan is required; accounts on the Essentials plan cannot access Mandrill at all.

Quick facts

  • Admin console path: Mailchimp Account → Account & Billing → Settings → Users (for Mailchimp user management); Mandrill settings accessed via mandrillapp.com after linking Mailchimp account
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Mailchimp account required
  • SSO prerequisite: Yes

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full control of Mailchimp account and linked Mandrill account; can add/remove users, manage billing, create and revoke API keys, access all Mandrill settings and sending history. | Cannot transfer ownership without Mailchimp account transfer process. | Mailchimp Standard or Premium (Mandrill requires Standard or higher; not available on Essentials or Free) | Included in Mailchimp plan seat; Mandrill charges are pay-as-you-go per email block ($20/block of 25,000 emails) | Only one Owner per Mailchimp account. Mandrill is accessed through the linked Mailchimp account; there is no separate Mandrill-specific Owner role. |
| Admin | Can manage users, create and revoke API keys in Mandrill, access sending reports and account settings. Equivalent to Owner for most operational tasks within Mandrill. | Cannot manage billing or transfer account ownership. | Mailchimp Standard or Premium | Included in Mailchimp plan seat | Admin access to Mailchimp does not automatically grant access to Mandrill API keys created by other users; API keys are individually scoped. |
| Manager | Can access Mailchimp campaigns and some account features depending on granted permissions. Limited Mandrill access; primarily a Mailchimp-level role. | Cannot manage Mandrill API keys or account-level Mandrill settings unless explicitly granted Admin-level access. | Mailchimp Standard or Premium | Included in Mailchimp plan seat | Manager role is a Mailchimp construct; Mandrill does not have a native Manager role. Access to Mandrill settings is controlled at the Mailchimp account level. |
| API Key User (non-human) | Programmatic sending access scoped to the permissions of the API key. Can send email, query sending history, manage templates, and perform other API operations depending on key configuration. | Cannot log into the Mandrill web UI; cannot manage account settings or other API keys. | Mailchimp Standard or Premium (account must have active Mandrill add-on) | No additional seat cost; API keys are not billed as seats. Email volume is billed per block. | API keys are not tied to individual named users in Mandrill's access model. Revoking a key immediately disables all integrations using that key. There is no per-key permission scoping beyond what the account role allows. |

Permission model

  • Model type: role-based
  • Description: Mandrill inherits its user permission model from the parent Mailchimp account. Roles (Owner, Admin, Manager, Author, Viewer) are assigned at the Mailchimp level and determine what a user can do within Mandrill. Mandrill itself does not have a separate role management interface; access to Mandrill settings and API key management is gated by the user's Mailchimp account role. API keys provide programmatic access and are managed separately from user roles.
  • Custom roles: No
  • Custom roles plan: Not documented
  • Granularity: Coarse-grained; role assignment is at the Mailchimp account level with no Mandrill-specific permission customization. API key access is all-or-nothing at the account level.

How to add users

  1. Log in to Mailchimp at mailchimp.com with Owner or Admin credentials.
  2. Navigate to Account & Billing → Settings → Users.
  3. Click 'Invite a User'.
  4. Enter the invitee's email address.
  5. Select the appropriate role (Admin, Manager, Author, or Viewer).
  6. Click 'Send Invite'.
  7. Invitee receives an email and must accept the invitation to gain access.
  8. Once the user has a Mailchimp account role of Admin or higher, they can access Mandrill settings at mandrillapp.com using their Mailchimp credentials.
  9. To grant API access, navigate to mandrillapp.com → Settings → SMTP & API Info and create a new API key.

Required fields: Email address of invitee, Role selection (Admin, Manager, Author, or Viewer)

Watch out for:

  • Mandrill access requires the parent Mailchimp account to be on a Standard or Premium plan; users added to accounts on Free or Essentials plans cannot access Mandrill.
  • Adding a user to Mailchimp does not automatically create a Mandrill API key for them; API keys must be created separately.
  • Users must accept the Mailchimp invitation before they can log in; pending invitations do not grant access.
  • Only Owner and Admin roles can access Mandrill account settings and manage API keys; lower roles (Manager, Author, Viewer) have no meaningful Mandrill access.
  • Mandrill does not support inviting users directly within the Mandrill interface; all user management flows through the Mailchimp account.

| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: Users can be removed from the Mailchimp account entirely, which revokes their access to Mandrill. Mailchimp uses the term 'remove' rather than 'deactivate' or 'delete'. Removed users lose access immediately but their historical activity (sent emails, reports) remains in the account. There is no separate deactivation/suspension state for Mailchimp users; removal is the only option to revoke access.
  1. Log in to Mailchimp with Owner or Admin credentials.
  2. Navigate to Account & Billing → Settings → Users.
  3. Locate the user to be removed.
  4. Click the options menu (three dots or 'Edit') next to the user.
  5. Select 'Remove User' or 'Revoke Access'.
  6. Confirm the removal.
  7. Separately, revoke any Mandrill API keys associated with that user by navigating to mandrillapp.com → Settings → SMTP & API Info and deleting the relevant API keys.

| Data impact | Behavior |
|---|---|
| Owned records | Sending history, templates, and reports created under the account remain accessible to remaining Admins/Owners. Data is account-level, not user-level. |
| Shared content | All Mandrill templates, sending domains, and inbound routes are account-level resources and are unaffected by user removal. |
| Integrations | API keys created by the removed user continue to function until explicitly revoked. Removing a user does NOT automatically revoke their API keys; this must be done manually. |
| License freed | Removing a user from Mailchimp frees the seat for that role level. Mandrill email block charges are unaffected by user removal; billing is based on email volume, not seat count. |

Watch out for:

  • Removing a user from Mailchimp does NOT automatically revoke Mandrill API keys that user created or used. API keys must be manually deleted in Mandrill settings to prevent continued programmatic access.
  • There is no deactivation or suspension state; removal is immediate and permanent (the user can be re-invited later).
  • The Owner cannot be removed without first transferring ownership to another user.
  • Historical sending data and reports are retained at the account level and remain visible to remaining admins after user removal.

License and seat management

| Seat type | Includes | Cost |
|---|---|---|
| Mailchimp account seat (Owner/Admin/Manager/Author/Viewer) | Access to Mailchimp platform features per role; Admin and Owner roles include access to Mandrill settings at mandrillapp.com | Included in Mailchimp Standard or Premium plan subscription cost; seat limits and pricing vary by Mailchimp plan tier |
| Mandrill email block | 25,000 transactional emails per block | $20 per block (pay-as-you-go); blocks are purchased as needed |
| Dedicated IP (optional add-on) | Dedicated sending IP address for Mandrill | $29.95/month per dedicated IP |

  • Where to check usage: mandrillapp.com → Dashboard (shows email volume sent, blocks used, and remaining quota); Mailchimp Account & Billing → Billing for seat and plan details
  • How to identify unused seats: Review API keys at mandrillapp.com → Settings → SMTP & API Info; keys with no recent activity can be identified by checking last-used timestamps if available. Review Mailchimp Users list at Account & Billing → Settings → Users for users who have not logged in recently (last login data available in Mailchimp user list).
  • Billing notes: Mandrill billing is decoupled from Mailchimp seat billing. Email blocks are purchased separately and consumed as emails are sent. Unused blocks do not expire (as of last verified documentation). A Mailchimp Standard or Premium subscription is required to access Mandrill; the Mandrill add-on cannot be purchased standalone. Dedicated IPs are billed monthly regardless of usage.

The cost of manual management

Removing a user from Mailchimp does not revoke their Mandrill API keys - those must be deleted separately at mandrillapp.com → Settings → SMTP & API Info. Without that second step, a departed employee or contractor retains live programmatic sending access.

There is no deactivation state; removal is the only access-revocation mechanism, and it is incomplete by default.

What IT admins are saying

Practitioners consistently flag two friction points. First, the split interface: user roles live in Mailchimp (mailchimp.com), while API key management lives in Mandrill (mandrillapp.com), and the two are not synchronized on user removal.

Second, API keys carry no granular permission scoping - every key has the same access level as the account role that created it, making least-privilege enforcement impractical. The absence of SCIM provisioning means all lifecycle management is manual with no automation path.

Common complaints:

  • Users report confusion that removing a Mailchimp user does not automatically revoke their Mandrill API keys, creating a security gap.
  • Users report frustration that Mandrill requires a Mailchimp Standard or Premium plan, as the Essentials plan does not include Mandrill access, resulting in unexpected upgrade requirements.
  • Users note that there is no granular, per-user permission system within Mandrill itself; all access control flows through Mailchimp account roles, which are not Mandrill-specific.
  • Users report that the transition from standalone Mandrill to Mailchimp Transactional Email caused confusion about where to manage users and settings, as the interface is split between mandrillapp.com and mailchimp.com.
  • Users note the absence of SCIM provisioning for Mandrill, requiring all user management to be done manually through the Mailchimp UI.
  • Users report that API keys have no granular permission scoping (e.g., read-only vs. send-only), making it difficult to follow least-privilege principles for integrations.

The decision

Every app in a stack that touches Mandrill requires a documented offboarding step for API key revocation, because user removal alone does not terminate programmatic access. Mandrill suits teams that need a reliable transactional email API and already use Mailchimp Standard or Premium.

It is not suited to organizations that require automated provisioning, fine-grained API key permissions, or a standalone transactional email product without a Mailchimp dependency.

Bottom line

Mandrill delivers a capable transactional email API, but its access control model is coarse and split across two interfaces. Every app or integration using a Mandrill API key needs to be tracked explicitly, because user removal alone will not cut off programmatic access.

Teams without a formal API key inventory and offboarding checklist will accumulate stale, active keys over time.
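
The reconciliation that the removal steps and the inventory advice above call for, as an added example (not Stitchflow's or Mailchimp's code): it compares a team-maintained API key inventory against the current Mailchimp user list and flags keys to revoke or review. The inventory schema, key labels, addresses and the 90-day threshold are assumptions, all sample data is constructed, and no Mandrill API is called.

```python
from datetime import date

# Constructed sample data (not real accounts or keys). Labels stand in for the
# key descriptions shown at mandrillapp.com -> Settings -> SMTP & API Info.
# Mandrill does not tie keys to named users, so "owner" is the team's own
# record. Never store the key secret itself in an inventory.
MAILCHIMP_USERS = {  # email -> role, copied from Account & Billing -> Settings -> Users
    "owner@example.com": "Owner",
    "ops@example.com": "Admin",
    "marketing@example.com": "Manager",
}
KEY_INVENTORY = [  # hypothetical inventory schema maintained by the team
    {"label": "billing-service", "owner": "ops@example.com", "last_used": date(2026, 3, 9)},
    {"label": "signup-emails", "owner": "contractor@example.com", "last_used": date(2026, 3, 10)},
    {"label": "legacy-cron", "owner": "owner@example.com", "last_used": date(2025, 9, 1)},
    {"label": "newsletter-test", "owner": "marketing@example.com", "last_used": None},
]
KEY_ROLES = {"Owner", "Admin"}  # per the guide, only these roles manage Mandrill keys


def audit_keys(inventory, users, today, stale_after_days=90):
    """Return {label: [reasons]} for every key that needs review or revocation."""
    findings = {}
    for key in inventory:
        reasons = []
        role = users.get(key["owner"].lower())
        if role is None:
            # Owner was removed from Mailchimp, but the key keeps working.
            reasons.append("owner no longer a Mailchimp user: revoke or reassign")
        elif role not in KEY_ROLES:
            reasons.append(f"owner role {role} cannot manage Mandrill keys: reassign")
        last = key["last_used"]
        if last is None:
            reasons.append("no last-used data: confirm the integration still exists")
        elif (today - last).days > stale_after_days:
            reasons.append(f"unused for {(today - last).days} days: candidate for deletion")
        if reasons:
            findings[key["label"]] = reasons
    return findings


if __name__ == "__main__":
    report = audit_keys(KEY_INVENTORY, MAILCHIMP_USERS, date(2026, 3, 11))
    for label, reasons in report.items():
        print(label)
        for reason in reasons:
            print("  -", reason)
```

Run it at every offboarding and on a schedule; each flagged key still has to be deleted by hand at mandrillapp.com → Settings → SMTP & API Info.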


* Details sourced from official product documentation and admin references.
