Summary and recommendation
Pigment user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Pigment user management runs through Workspace Settings → Members (https://app.pigment.com/settings/members). Every app inside a workspace uses a two-layer model: a workspace-level role (Admin or Member) plus a per-application seat type (Contributor, Editor, or Explorer). There are no custom roles; all permissions are tied to those predefined seat types.
Quick facts
| Admin console path | Workspace Settings → Members |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Workspace Admin | Full workspace control: invite/remove members, manage roles, configure SSO/SCIM, manage billing and integrations, create and delete applications. | All plans | Counts as a Contributor seat | At least one Workspace Admin must remain at all times; you cannot remove the last admin. | |
| Contributor | Can build and edit models, create metrics, write formulas, manage data imports, and publish content within applications they have access to. | Cannot manage workspace-level settings unless also assigned Workspace Admin role. | All plans | $2,000–$3,500/year (list price, negotiable) | Highest-cost seat type; often over-provisioned when Editors or Explorers would suffice. |
| Editor | Can edit data inputs, update assumptions, and interact with boards and reports within applications they are granted access to. Cannot modify model structure. | Cannot create or modify metrics, formulas, or model structure. | All plans | $1,200–$2,000/year (list price, negotiable) | Distinction between Editor and Contributor is application-level; a user can be an Editor in one application and a Contributor in another. |
| Explorer | Read-only access to boards and reports within applications they are granted access to. Can interact with filters and drill-downs. | Cannot edit data, models, or reports. | All plans | $500–$800/year (list price, negotiable) | Explorer seats are the lowest cost but still require a paid license; free viewer access is not available. |
Permission model
- Model type: hybrid
- Description: Pigment uses a two-layer permission model. At the workspace level, users are assigned a global role (Workspace Admin or Member). At the application level, each user is assigned a seat type (Contributor, Editor, or Explorer) per application, allowing different access levels across different planning applications within the same workspace.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Workspace-level admin toggle plus per-application seat-type assignment (Contributor / Editor / Explorer). No custom role builder is available; permissions are tied to predefined seat types.
How to add users
- Navigate to Workspace Settings → Members.
- Click 'Invite Members'.
- Enter the invitee's email address.
- Select the workspace role (Admin or Member).
- Optionally assign the user to one or more applications and select their seat type (Contributor, Editor, or Explorer) per application.
- Click 'Send Invite'. The user receives an email invitation to join the workspace.
Required fields: Email address, Workspace role (Admin or Member)
Watch out for:
- Application-level seat type assignment can be done at invite time or after the user accepts; if not set, the user has no application access until assigned.
- Invited users consume a seat license once they accept the invitation, not when the invite is sent - verify with your contract terms.
- SSO-enforced workspaces may require the user's email domain to match the configured IdP before they can log in.
- There is no native bulk CSV import for invitations; bulk provisioning requires SCIM (Enterprise tier).
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Pigment allows removing (revoking) a user from the workspace via Workspace Settings → Members. Removal revokes all access immediately. There is no separate 'deactivate' state distinct from removal in the standard UI; SCIM deprovisioning suspends the user account when triggered from the IdP.
- Navigate to Workspace Settings → Members.
- Locate the user in the member list.
- Click the options menu (⋯) next to the user's name.
- Select 'Remove from workspace'.
- Confirm the removal in the dialog.
| Data impact | Behavior |
|---|---|
| Owned records | Content (boards, reports, metrics) created by the removed user remains in the workspace and is accessible to other users with appropriate permissions. |
| Shared content | Shared boards and applications the user contributed to are unaffected; the user's contributions persist. |
| Integrations | Any personal API tokens or integration credentials associated with the removed user should be rotated manually, as they may become orphaned. |
| License freed | The seat license is freed upon removal and can be reassigned to a new user. |
Watch out for:
- Removing the last Workspace Admin is blocked; assign another admin before removing.
- SCIM-provisioned users deprovisioned via the IdP are suspended/deactivated rather than hard-deleted; re-enabling in the IdP restores access.
- Personal API tokens belonging to the removed user are not automatically invalidated in all configurations - verify token revocation separately.
- If the user owns scheduled reports or data syncs, those automations may fail silently after removal.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Contributor | Full model-building and editing capabilities within assigned applications. | $2,000–$3,500/year per seat (list price) |
| Editor | Data input and assumption editing within assigned applications; no model-structure changes. | $1,200–$2,000/year per seat (list price) |
| Explorer | Read-only board and report access with filter/drill-down interactivity. | $500–$800/year per seat (list price) |
- Where to check usage: Workspace Settings → Members (shows all members and their assigned seat types per application).
- How to identify unused seats: No built-in last-login or activity report is surfaced in the standard admin UI. Admins must manually review the Members list or use IdP activity logs (if SSO is configured) to identify inactive users.
- Billing notes: Seat counts and types are negotiated at contract signing. Significant discounts (36–47%) are common for contracts over $100K. Use-case add-ons (FP&A, SPM, Workforce Planning) are priced separately at approximately $30,000–$50,000/year each. SCIM provisioning is only available on the Enterprise tier. SSO is available on all tiers.
The cost of manual management
Seat costs vary significantly by type: Contributor seats carry the highest list price ($2,000–$3,500/year), followed by Editor ($1,200–$2,000/year) and Explorer ($500–$800/year). Because seat-type assignments are per-application, a single user can hold different seat types across every app in the workspace - which adds overhead when auditing spend at scale.
There is no built-in last-login or activity report in the admin console. Identifying unused seats requires manually reviewing the Members list or cross-referencing IdP activity logs if SSO is in place. Bulk provisioning without SCIM means invitations must be sent one at a time.
What IT admins are saying
Admins on G2 consistently flag that the Contributor/Editor/Explorer distinction is not intuitive, leading to routine over-provisioning of the highest-cost seat type. The absence of a native activity report compounds this: without IdP logs, there is no reliable signal for which seats are dormant.
Two operational gaps surface repeatedly in community feedback. First, removing a user does not automatically invalidate their API tokens - that step is manual and easy to miss.
Second, per-application seat assignments create meaningful administrative overhead in large workspaces with many planning applications.
Common complaints:
- Users report that there is no native bulk CSV import for inviting multiple users at once; SCIM is the only bulk option and requires Enterprise tier.
- Reviewers on G2 note that the distinction between Contributor, Editor, and Explorer seat types is not always intuitive, leading to over-provisioning of higher-cost Contributor seats.
- Some admins report that there is no built-in activity or last-login report in the admin console, making it difficult to identify unused seats without relying on IdP logs.
- Users note that removing a user does not automatically invalidate API tokens, requiring a separate manual step.
- Community feedback indicates that seat-type assignments are per-application, which adds administrative overhead when managing users across many applications in a large workspace.
The decision
Manual management is viable for small, stable teams where seat counts are low and application sprawl is limited. Once a workspace spans multiple planning applications with frequent onboarding and offboarding, the lack of bulk invite tooling and activity reporting makes manual administration error-prone.
SCIM provisioning (Enterprise tier, SSO required) is the only supported path to bulk lifecycle automation. Teams on sub-Enterprise plans have no programmatic alternative - every user action must go through the UI.
Bottom line
Pigment's manual user management is straightforward for day-to-day adds and removes but carries real operational risk at scale. The per-application seat model means every app must be audited independently to catch over-provisioning, and without a native activity report, that audit depends on external IdP data.
Teams managing more than a handful of users across multiple planning applications should treat SCIM provisioning as a prerequisite, not an enhancement - and should budget for the Enterprise tier accordingly.
Automate Pigment workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
