Summary and recommendation
MicroStrategy user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide covers the exact mechanics and shows where automation has the biggest impact.
MicroStrategy (now Strategy One) manages users through a layered model that combines Security Roles for system-level privileges with object-level ACLs on individual reports, dashboards, and folders. Provisioning happens inside MicroStrategy Workstation or the legacy Developer console - there is no self-serve admin portal.
Every app in an enterprise BI stack that touches MicroStrategy inherits this complexity, so understanding the permission model before onboarding users at scale is essential.
Quick facts
| Item | Value |
|---|---|
| Admin console path | MicroStrategy Workstation → Environment → Users & Groups (legacy path: MicroStrategy Developer → Administration → User Manager) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full system access: create/edit/delete users and groups, assign security roles and privileges, manage projects, configure authentication, access System Administration project | Cannot exceed license seat count; some actions require direct server-level access (e.g., Intelligence Server configuration) | All paid tiers; at least one Administrator account is required per environment | Counts against named-user or CPU license depending on contract | Administrator accounts in the default 'System Administrators' group inherit all privileges; removing a user from this group immediately revokes admin access |
| Power User (Analyst) | Create, edit, and publish reports and dashboards; use MicroStrategy Web and Workstation; schedule report delivery; access granted objects | Cannot manage other users, modify security roles, or access System Administration project unless explicitly granted | Named User license or equivalent tier | Consumes one named-user seat | Privileges are additive from security roles; a Power User with no security role assigned may have fewer capabilities than expected |
| Consumer / Viewer | View and interact with shared dashboards and reports via MicroStrategy Web; run pre-built reports; subscribe to report distributions | Cannot create or edit reports, dashboards, or objects; cannot access MicroStrategy Developer | Named User license (Consumer tier) or included in certain bundle contracts | Typically lower-cost named-user seat; exact pricing requires vendor quote | Consumer accounts still consume a named-user seat; they are not 'free' viewer seats |
| Guest / Anonymous | Read-only access to specifically published content without authentication, if anonymous access is enabled on the project | Cannot save personal content, subscribe to reports, or access secured objects | Requires explicit configuration by Administrator; subject to license terms | Typically does not consume a named-user seat, but subject to contract terms | Anonymous access must be explicitly enabled per project; disabled by default for security |
Permission model
- Model type: hybrid
- Description: MicroStrategy uses a layered permission model combining Security Roles (sets of system-level privileges assigned to users or groups), Access Control Lists (ACLs) on individual objects (reports, dashboards, folders, etc.), and Group membership. Security Roles define what actions a user can perform system-wide; ACLs define what objects a user can see or modify. Privileges are additive across all roles and groups a user belongs to.
- Custom roles: Yes
- Custom roles plan: Available on all paid tiers; custom Security Roles are created in the System Administration project
- Granularity: Object-level ACLs (per report, dashboard, folder, schema object) combined with system-level privilege sets; supports Browse, Use, Execute, Read, Write, Delete, Control permissions per object per user or group
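The two layers described above can be checked separately when a user can see an object but cannot run it. The sketch below is an added example, not MicroStrategy code: the role, privilege, group and object names are constructed, and it assumes a simplified grant-only model in which ACL grants, like privileges, are additive across the user and the user's groups.

```python
# Constructed model: role, privilege, group and object names are invented.
ROLE_PRIVILEGES = {
    "Viewer Role": {"execute_report"},
    "Author Role": {"execute_report", "create_report"},
}
GROUP_ROLES = {"Sales Viewers": {"Viewer Role"}, "Contractors": set()}

def effective_privileges(user):
    """Union of privileges from direct roles and every group's roles."""
    roles = set(user["roles"])
    for group in user["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in roles))

def effective_acl(user, obj):
    """Union of ACL grants for the user and the user's groups (assumed additive)."""
    grants = set(obj["acl"].get(user["login"], set()))
    for group in user["groups"]:
        grants |= obj["acl"].get(group, set())
    return grants

def diagnose_execute(user, obj, privilege="execute_report"):
    """Return the reasons the user cannot run obj; an empty list means allowed."""
    acl, privs = effective_acl(user, obj), effective_privileges(user)
    reasons = []
    if "Browse" not in acl:
        reasons.append("ACL: no Browse, object is not visible")
    if "Execute" not in acl:
        reasons.append("ACL: no Execute on object")
    if privilege not in privs:
        reasons.append(f"Security Role: no role grants {privilege}")
    return reasons

REPORT = {"name": "Q3 Pipeline",
          "acl": {"Sales Viewers": {"Browse", "Read", "Execute"},
                  "Contractors": {"Browse"}}}
ALICE = {"login": "alice", "groups": ["Sales Viewers"], "roles": []}
BOB = {"login": "bob", "groups": ["Contractors"], "roles": ["Viewer Role"]}
CARA = {"login": "cara", "groups": ["Contractors", "Sales Viewers"], "roles": []}

if __name__ == "__main__":
    for u in (ALICE, BOB, CARA):
        print(u["login"], diagnose_execute(u, REPORT) or "allowed")
```

Bob holds the privilege through a directly assigned role but only has Browse on the object, which is the "visible but not executable" case; Cara is allowed because her second group supplies both the ACL grant and the role.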
How to add users
- Open MicroStrategy Workstation (or Developer) and connect to the target Intelligence Server environment
- Navigate to the Users & Groups section (Workstation: Environment panel → Users & Groups; Developer: Administration → User Manager)
- Right-click the target group or the Users root node and select 'Create User'
- Enter required fields: Full Name, Login Name, and Password (or configure for LDAP/SSO authentication)
- Optionally set password expiration, account expiration date, and concurrent session limits
- Assign the user to one or more Groups to inherit group-level security roles and ACLs
- Assign Security Roles directly to the user if needed (in addition to group-inherited roles)
- Click OK / Save to create the account; the user can now log in based on their assigned authentication method
Required fields: Full Name, Login Name (username), Password (required unless LDAP or SSO authentication is configured)
Watch out for:
- New users have no privileges until assigned to a group or given a Security Role directly; they will see an empty environment on first login
- Login Name must be unique across the entire Intelligence Server metadata; duplicate login names are rejected
- If LDAP provisioning is enabled, manually created users with the same login as an LDAP user may cause authentication conflicts
- Account creation in Workstation/Developer only creates the metadata record; the user does not receive an automated welcome email by default - notification must be handled externally
- Named-user seat consumption is immediate upon account creation, not upon first login
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | MicroStrategy supports bulk user import via the Command Manager scripting tool (Administration → Command Manager) using CREATE USER commands in batch scripts; direct CSV upload UI is not available in the standard web console |
| Domain whitelisting | No | Automatic domain-based user add is not available |
| IdP provisioning | Yes | LDAP auto-provisioning is available on all server editions; SCIM 2.0 provisioning (Okta, Entra ID) requires Strategy One Enterprise tier (documented as available from September 2025 release) |
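As an added example (not taken from MicroStrategy documentation or tooling), the script below turns a CSV into a Command Manager batch of CREATE USER statements and applies the watch-outs above before anything is written: unique login names, a group for every user, and available seats. The CSV column names and sample rows are constructed, accounts are assumed to authenticate via LDAP/SSO so no password is emitted, login names are compared case-insensitively as a conservative assumption, and the clauses used (FULLNAME, IN GROUP) should be confirmed against the Command Manager syntax reference for your version.

```python
import csv
import io
import re

# Constructed sample; the column names are this example's own choice.
SAMPLE_CSV = '''login,full_name,group
jdoe,Jane Doe,Finance Analysts
asmith,Alex Smith,
JDoe,John Doe,Sales Viewers
ev"e,Eve Ng,Finance Analysts
mlee,Min Lee,Sales Viewers
'''

# Values are pasted into quoted script tokens, so anything outside this
# allow-list (quotes, semicolons, newlines) is rejected rather than escaped.
SAFE = re.compile(r"[A-Za-z0-9 ._@-]+")

def build_batch(csv_text, existing_logins, seats_free):
    """Return (script_lines, rejected) where rejected is [(login, reason)]."""
    seen = {login.lower() for login in existing_logins}
    script, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = (row.get("login") or "").strip()
        name = (row.get("full_name") or "").strip()
        group = (row.get("group") or "").strip()
        if not login or not name:
            reason = "missing required field"
        elif not all(SAFE.fullmatch(v) for v in (login, name, group) if v):
            reason = "unsafe character"
        elif login.lower() in seen:
            reason = "duplicate login name"
        elif not group:
            reason = "no group, account would have no privileges"
        elif len(script) >= seats_free:
            reason = "no free named-user seat"  # seats are consumed at creation
        else:
            seen.add(login.lower())
            # No PASSWORD clause: LDAP/SSO authentication is assumed.
            script.append(f'CREATE USER "{login}" FULLNAME "{name}" IN GROUP "{group}";')
            continue
        rejected.append((login, reason))
    return script, rejected

if __name__ == "__main__":
    lines, skipped = build_batch(SAMPLE_CSV, existing_logins=[], seats_free=10)
    print("\n".join(lines))
    for login, reason in skipped:
        print(f"skipped {login!r}: {reason}")
```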
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: MicroStrategy supports both disabling (deactivating) and permanently deleting user accounts. Disabling sets the account status to 'Disabled' so the user cannot log in but the account and all associated metadata (owned objects, subscriptions, preferences) are preserved. Deleting permanently removes the user account from the metadata; owned objects become orphaned or must be reassigned before deletion. Deletion is irreversible.
- Open MicroStrategy Workstation or Developer and connect to the Intelligence Server environment
- Navigate to Users & Groups
- Locate the user account (search by name or browse groups)
- Right-click the user and select 'Edit'
- In the user properties dialog, check the 'Account is disabled' checkbox (or equivalent toggle in Workstation)
- Click OK / Save; the user is immediately prevented from logging in
| Data impact | Behavior |
|---|---|
| Owned records | Objects owned by a disabled user remain intact and accessible to users with appropriate ACL permissions. If the user is deleted, owned objects become orphaned; administrators should reassign object ownership before deletion using the 'Change Owner' function in Developer or via Command Manager. |
| Shared content | Shared reports, dashboards, and folders remain accessible to other users who have been granted ACL access; disabling or deleting the owner does not revoke other users' access to those objects |
| Integrations | Scheduled report subscriptions owned by the disabled/deleted user will fail to execute; subscriptions must be reassigned or deleted separately before removing the account |
| License freed | Disabling an account does not automatically free the named-user seat in all license models; seat release depends on contract terms and may require manual adjustment with MicroStrategy licensing. Deleting the account removes the seat consumption from the metadata count. |
Watch out for:
- Deleting a user without first reassigning owned objects leaves those objects orphaned; they may become inaccessible to end users even if ACLs were previously set
- Scheduled subscriptions (email bursting, file delivery) owned by a deleted user will silently fail unless reassigned
- In LDAP-provisioned environments, a disabled LDAP account may be automatically re-enabled or re-created on next LDAP sync if the sync policy is set to create-on-login; the MicroStrategy account must also be disabled or the LDAP group mapping must be updated
- There is no bulk-disable UI; disabling multiple users requires either individual edits or Command Manager batch scripts
- Named-user seat counts in the license manager may not update in real time after deletion; a server restart or license refresh may be required
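The dependencies above determine the order of an offboarding run: deletion is irreversible, so it should only be offered once ownership, subscriptions and LDAP mapping are cleared. The following preflight check is an added example, not part of MicroStrategy; the `Account` fields, the sample inventory and the `bi_service_owner` login are constructed, and the data is assumed to come from your own export of users, owned objects and subscriptions.

```python
from dataclasses import dataclass

@dataclass
class Account:
    login: str
    disabled: bool
    owned_objects: int       # objects whose owner is this account
    subscriptions: int       # scheduled deliveries owned by this account
    ldap_linked: bool        # account is synced from LDAP
    ldap_group_mapped: bool  # still in an LDAP group mapped into MicroStrategy

def preflight(acct, new_owner):
    """Return (ordered_steps, safe_to_delete) for one departing user."""
    steps = []
    if not acct.disabled:
        steps.append("disable account")
    if acct.ldap_linked and acct.ldap_group_mapped:
        steps.append("remove from mapped LDAP group (next sync may re-enable)")
    if acct.subscriptions:
        steps.append(f"reassign or delete {acct.subscriptions} subscriptions")
    if acct.owned_objects:
        steps.append(f"change owner of {acct.owned_objects} objects to {new_owner}")
    # Deletion is irreversible, so it is only offered once nothing is pending.
    return steps, not steps

def reenable_risk(accounts):
    """Disabled accounts that an LDAP sync could bring back."""
    return [a.login for a in accounts
            if a.disabled and a.ldap_linked and a.ldap_group_mapped]

# Constructed inventory for illustration.
ACCOUNTS = [
    Account("jdoe", False, 12, 3, True, True),
    Account("asmith", True, 0, 0, True, True),
    Account("mlee", True, 0, 0, False, False),
]

if __name__ == "__main__":
    for a in ACCOUNTS:
        steps, ok = preflight(a, new_owner="bi_service_owner")
        print(a.login, "safe to delete" if ok else steps)
    print("re-enable risk:", reenable_risk(ACCOUNTS))
```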
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User – Analyst/Power User | Full create/edit/publish access to reports and dashboards via MicroStrategy Web and Workstation; scheduled delivery; mobile access | Estimated $25–$50/user/month (varies by contract volume and tier; contact MicroStrategy for current pricing) |
| Named User – Consumer/Viewer | View and interact with shared dashboards and reports; run pre-built reports; subscribe to distributions | Lower than Analyst tier; exact pricing requires vendor quote |
| CPU / Core-based License | Unlimited named users within the licensed server CPU/core count; typically used for large enterprise deployments | Contact MicroStrategy for pricing; typically $2,000–$20,000+/month depending on core count and modules |
- Where to check usage: MicroStrategy Developer → Administration → License Manager OR MicroStrategy Workstation → Environment → License Usage (shows current named-user count vs. licensed seats and module entitlements)
- How to identify unused seats: Use the MicroStrategy Telemetry Server or System Manager reports to identify users with no login activity within a defined period; alternatively, query the MicroStrategy Statistics database (MicroStrategy Statistics project) for last-login timestamps per user account
- Billing notes: MicroStrategy uses a perpetual or subscription license model negotiated directly with the vendor; there is no self-serve seat add/remove in an online portal. Seat overages may trigger compliance review. The 30-day free trial is available for Strategy One (cloud-hosted); trial accounts convert to paid on expiration. SCIM-based provisioning (Enterprise tier) does not automatically adjust billing - license seat changes require a contract amendment.
The cost of manual management
Named-user seats are consumed the moment an account is created, not on first login. Bulk operations - disabling multiple accounts, reassigning owned objects before deletion, or auditing last-login timestamps - require either individual edits in the UI or Command Manager batch scripts.
There is no native audit log UI; tracking who created or modified a user account means querying the Statistics database directly. Seat counts in the license manager may not reflect deletions in real time, requiring a manual license refresh or server restart.
What IT admins are saying
Administrators consistently flag three friction points: orphaned content when users are deleted without first reassigning owned objects, LDAP sync silently re-enabling accounts that were manually disabled in MicroStrategy, and the absence of a bulk-disable UI.
Confusion between Security Roles (what a user can do system-wide) and ACLs (what objects a user can access) is a recurring troubleshooting theme - a user may be able to see an object but unable to execute it, and diagnosing why requires checking both layers.
Scheduled subscriptions owned by a deleted user fail silently unless reassigned before deletion.
Common complaints:
- Users report that bulk user management requires Command Manager scripting rather than a GUI, creating a steep learning curve for administrators unfamiliar with MicroStrategy's scripting syntax
- Multiple community posts note that deleting users without first reassigning owned objects causes orphaned content that is difficult to recover
- Administrators report confusion between Security Roles (system-level privileges) and ACLs (object-level permissions), particularly when troubleshooting why a user can see an object but cannot execute it
- Users note that disabling an account in MicroStrategy does not automatically free a named-user seat, requiring manual coordination with MicroStrategy licensing support
- Community members report that LDAP sync can re-enable previously disabled MicroStrategy accounts if the LDAP group membership is not also updated
- Administrators note the lack of a native audit log UI for user management actions; tracking who created or modified a user account requires querying the Statistics database or enabling external logging
The decision
SCIM 2.0 provisioning is available on the Enterprise plan (Strategy One, September 2025 release or later) and requires SAML SSO to be configured first - it is not a standalone add-on. For teams already on Enterprise with Okta or Entra ID, SCIM eliminates the manual provisioning loop and reduces the risk of orphaned accounts.
Teams on lower tiers, or on older MicroStrategy versions, are limited to manual Workstation/Developer workflows or LDAP group-based provisioning. Every app decision here has a downstream licensing implication: Consumer/Viewer accounts are not free seats, and seat overages trigger a compliance review rather than a self-serve upgrade.
Bottom line
Manual user management in MicroStrategy is functional but operationally expensive at scale. The permission model is powerful - object-level ACLs combined with additive Security Roles give fine-grained control - but it demands administrator fluency that takes time to build.
Teams that can meet the Enterprise plan and SSO prerequisites should prioritize SCIM provisioning to reduce ongoing overhead; those that cannot should invest in Command Manager scripting and a disciplined offboarding checklist to avoid orphaned content and silent subscription failures.