Summary and recommendation
Orca Security user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Orca Security user management lives at Settings > User Management (https://app.orcasecurity.io/settings/users).
Admins invite users by email, assign a role, and optionally restrict scope to specific cloud accounts or business units before sending the invitation.
Every app in a cloud security platform carries real access risk, and Orca's RBAC model is designed to limit blast radius by scoping what each user can see and act on.
Quick facts
| Item | Value |
|---|---|
| Admin console path | Settings > User Management |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Custom |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Full platform access including user management, integrations, billing settings, and all security findings across all cloud accounts. | Admin role grants access to all cloud accounts and organizational settings; scope cannot be restricted to a subset of accounts for this role. | |||
| Power User | Can view and act on all security findings, manage alerts, and configure integrations. Cannot manage users or billing. | Cannot add/remove users, modify billing, or change organizational settings. | |||
| Member | Read-only access to security findings and dashboards within assigned scope. | Cannot modify configurations, manage users, or change alert settings. | | | Scope of visible assets can be restricted by cloud account or business unit. |
| Custom Role | Configurable combination of permissions defined by an Admin. Granularity includes read/write per feature area and asset scope restrictions. | | Custom (Enterprise tier) | | Custom roles availability depends on contract; not confirmed available on all tiers. |
Permission model
- Model type: hybrid
- Description: Orca uses a role-based access control (RBAC) model with a set of built-in roles (Admin, Power User, Member) and the ability to create custom roles with granular permission assignments. Permissions can be scoped to specific cloud accounts or business units.
- Custom roles: Yes
- Custom roles plan: Custom (Enterprise tier)
- Granularity: Per-feature read/write permissions combined with asset-scope restrictions (cloud account, business unit, or tag-based filtering).
How to add users
- Navigate to Settings > User Management in the Orca platform.
- Click 'Invite User'.
- Enter the user's email address.
- Select the desired role (Admin, Power User, Member, or a custom role if configured).
- Optionally restrict the user's scope to specific cloud accounts or business units.
- Click 'Send Invitation'. The user receives an email invitation to activate their account.
Required fields: Email address, Role
Watch out for:
- Users must accept the email invitation before they can log in; pending invitations can be resent from the User Management page.
- If SSO is enforced for the organization, invited users must authenticate via the configured IdP.
- Scope restrictions (cloud account/business unit) must be set at invitation time or edited afterward by an Admin.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Yes | Custom (Enterprise tier; requires SSO to be configured first) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Orca Security documentation indicates that Admins can remove (delete) users from the platform via the User Management settings page. SCIM deprovisioning via an IdP also removes user access. The distinction between soft deactivation and hard deletion is not explicitly detailed in publicly available docs.
- Navigate to Settings > User Management.
- Locate the user in the list.
- Click the action menu (three dots or similar) next to the user.
- Select 'Remove User' or equivalent option.
- Confirm the removal.
| Data impact | Behavior |
|---|---|
| Owned records | Not documented |
| Shared content | Not documented |
| Integrations | Not documented |
| License freed | Not documented |
Watch out for:
- If SCIM provisioning is active, user removal should be managed from the IdP to avoid sync conflicts.
- Specific data retention behavior for removed users (e.g., assigned alerts, comments) is not explicitly documented in publicly available sources.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User Seat | Access to Orca platform based on assigned role and scope. All users consume a seat regardless of role. | Included in custom enterprise contract; per-seat pricing not publicly listed. |
- Where to check usage: Settings > User Management (lists all active users and their roles)
- How to identify unused seats: Not documented
- Billing notes: Orca Security is sold under custom enterprise contracts. Seat counts and pricing are negotiated directly with Orca. No self-serve pricing tiers are publicly available.
The cost of manual management
Orca is sold under custom enterprise contracts with no publicly listed per-seat pricing. All users consume a seat regardless of role, and seat counts are negotiated directly with Orca. Custom roles, which unlock granular per-feature read/write permissions, are confirmed only on enterprise-tier contracts, so smaller deployments may find the built-in role set limiting.
License usage is visible at Settings > User Management, which lists all active users and their roles. No automated unused-seat detection is documented in public sources.
The decision
Use the built-in Admin, Power User, and Member roles if your team structure maps cleanly to those permission sets. If you need per-feature read/write granularity or asset-scope restrictions beyond cloud account and business unit, confirm custom role availability in your contract before building workflows around it.
If SSO is enforced in your organization, invited users must authenticate via the configured IdP; there is no fallback to local credentials. Scope restrictions must be set at invitation time or edited afterward by an Admin; they are not retroactively applied.
Bottom line
Orca Security's user management is functional and role-scoped, but several capabilities that enterprise security teams expect (custom roles, SCIM provisioning, and granular asset restrictions) are gated behind custom contracts and require support involvement to activate.
Every app connected to cloud infrastructure warrants tight access controls, and Orca's RBAC model supports that goal once fully configured.
Teams should audit active users regularly via Settings > User Management and manage offboarding through the IdP when SCIM is active to avoid sync conflicts and ensure clean removal.
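A periodic access review of the kind recommended above, as an added example (not Orca's or this page's own code): it reconciles a user list against the IdP roster and flags offboarding drift, unapproved Admins, unscoped Members and pending invitations. The CSV columns, the sample users and the approved-Admin list are constructed assumptions, since the page documents no export format.

```python
import csv
import io

# Constructed sample standing in for the list shown at Settings > User Management.
# Column names are assumptions; no export format is documented on this page.
ORCA_USERS_CSV = """email,role,scope,status
alice@example.com,Admin,,active
bob@example.com,Power User,,active
carol@example.com,Member,aws-prod;aws-dev,active
dave@example.com,Member,,active
erin@example.com,Admin,,active
frank@example.com,Member,bu-payments,pending
"""

# Constructed sample: accounts the IdP currently reports as active.
IDP_ACTIVE = {"alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"}

# Hypothetical policy input: people approved to hold the Admin role,
# which the page says cannot be scoped to a subset of cloud accounts.
APPROVED_ADMINS = {"alice@example.com"}


def review(orca_csv, idp_active, approved_admins):
    """Return (email, finding) tuples for accounts that need attention."""
    idp = {e.lower() for e in idp_active}
    approved = {e.lower() for e in approved_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(orca_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip()
        scope = [s.strip() for s in row["scope"].split(";") if s.strip()]
        if email not in idp:
            # Offboarded in the IdP but still listed: SCIM drift or a manual add.
            findings.append((email, "NOT_IN_IDP"))
        if row["status"].strip().lower() == "pending":
            # Invitation sent but never accepted; resend or revoke it.
            findings.append((email, "PENDING_INVITE"))
        if role == "Admin" and email not in approved:
            findings.append((email, "UNAPPROVED_ADMIN"))
        elif role == "Member" and not scope:
            # Scope is optional at invitation time, so an empty value means
            # the Member was never restricted to accounts or business units.
            findings.append((email, "UNSCOPED_MEMBER"))
    return findings


if __name__ == "__main__":
    for email, finding in review(ORCA_USERS_CSV, IDP_ACTIVE, APPROVED_ADMINS):
        print(f"{finding:17} {email}")
```

When SCIM is active, act on `NOT_IN_IDP` findings from the IdP side rather than by removing the user in Orca, for the sync-conflict reason given above.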