Summary and recommendation
Puppet user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Puppet Enterprise manages console users through Role-Based Access Control (RBAC), accessible at Access Control > Users inside the PE console web UI (https://<PE_MASTER_HOSTNAME>:443).
Permissions are assigned to roles, and users inherit access by being added to one or more roles.
Four predefined roles exist - Administrator, Operators, Viewers, and Code Deployers - and custom roles with granular, object-scoped permissions can be created in Puppet Enterprise.
Every app and service that interacts with PE infrastructure requires its own user record and explicit role assignment before access is granted.
Quick facts
| Admin console path | Access Control > Users (within the PE console web UI) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full access to all PE console features, including user management, node management, code deployment, and RBAC configuration. | Puppet Enterprise | The default 'admin' user cannot be deleted or have its Administrator role removed. | ||
| Operators | Can view and trigger Puppet runs, view reports, and manage nodes. Cannot manage users or RBAC settings. | Cannot manage users, roles, or RBAC configuration. | Puppet Enterprise | Predefined role; permissions are fixed unless a custom role is created. | |
| Viewers | Read-only access to the PE console. Can view node reports and facts but cannot trigger runs or make changes. | Cannot trigger Puppet runs, deploy code, or modify any configuration. | Puppet Enterprise | Predefined role; permissions are fixed unless a custom role is created. | |
| Code Deployers | Can deploy code via Puppet's code management tools. | Cannot manage users, nodes, or RBAC settings. | Puppet Enterprise | Predefined role intended for CI/CD service accounts. |
Permission model
- Model type: role-based
- Description: Puppet Enterprise uses Role-Based Access Control (RBAC). Permissions are assigned to roles, and users are assigned to one or more roles. Predefined roles exist (Administrators, Operators, Viewers, Code Deployers, etc.). Administrators can create custom roles with granular permission sets drawn from a defined permissions catalog.
- Custom roles: Yes
- Custom roles plan: Puppet Enterprise
- Granularity: Permissions are object-type and action scoped (e.g., 'Nodes: view', 'Puppet agent runs: run', 'Users: edit', 'Roles: edit'). Permissions can be scoped to specific node groups or applied globally.
How to add users
- Log in to the PE console as an Administrator.
- Navigate to Access Control > Users.
- Click 'Add local user'.
- Enter the user's full name and login (username).
- Click 'Add local user' to save.
- Click the user's name to open their profile.
- Click 'Generate password reset' and send the link to the user so they can set their password.
- Assign the user to one or more roles via Access Control > Roles, selecting the role and adding the user.
Required fields: Full name, Login (username)
Watch out for:
- New local users cannot log in until they set a password via the generated reset link; there is no option to set a password directly during creation.
- Users must be explicitly assigned to at least one role to have any permissions in the console.
- Users imported from an external directory (LDAP/AD) are created automatically on first login if directory integration is configured; they do not need to be manually added.
- Email address is not a required field for local users; the login field is the unique identifier.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Puppet Enterprise (requires LDAP/AD directory service configuration) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Puppet Enterprise supports both revoking (deactivating) and deleting users. Revoking a user prevents them from logging in but retains their record. Deleting a user permanently removes them from the PE console. Both actions are available via the PE console UI and the RBAC API. The built-in 'admin' user cannot be deleted.
- Log in to the PE console as an Administrator.
- Navigate to Access Control > Users.
- Click the user's name.
- To revoke (deactivate): click 'Revoke user access'. The user's status changes to 'Revoked' and they cannot log in.
- To delete: use the RBAC API DELETE /rbac-api/v1/users/
endpoint, or use the 'Delete' option if available in the console UI for that PE version.
| Data impact | Behavior |
|---|---|
| Owned records | Audit log entries and activity records associated with the user are retained after deletion. |
| Shared content | Not documented |
| Integrations | If the user is a service account used in API integrations, those integrations will fail after the user is deleted or revoked. |
| License freed | Puppet Enterprise licensing is per-node, not per-user. Removing a user does not directly affect node license consumption. |
Watch out for:
- The default 'admin' user cannot be revoked or deleted.
- Revoking a user from an external directory does not remove them from the directory itself; it only prevents PE console access.
- If a revoked directory user is re-imported (e.g., logs in again after revocation is lifted), their role assignments may need to be re-verified.
- Deleting a user via the API requires the user's subject ID (sid), not their username.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Node license | Puppet Enterprise is licensed per managed node. Each node under active management consumes one license seat. User accounts in the console do not consume separate license seats. | Varies by edition and support tier; per-node annual pricing applies. |
- Where to check usage: PE console > License (or via the pe_license fact and 'puppet license' command on the primary server)
- How to identify unused seats: Run 'puppet license' on the PE primary server to view total licensed nodes vs. active nodes. Nodes not checking in can be identified via the PE console's node list filtered by last check-in date.
- Billing notes: Puppet Enterprise is billed per managed node per year, not per user. Adding or removing console users has no direct billing impact. Volume discounts and custom pricing are available for large deployments.
The cost of manual management
Puppet Enterprise is licensed per managed node, not per console user. Adding or removing user accounts has no direct billing impact. Node licensing is priced annually per node, with Standard and Premium support tiers and volume discounts available for large deployments.
Without automation or directory integration, each onboarding and offboarding event is a manual, multi-step process: create the user, generate a password reset link, send it out-of-band, then assign roles separately. There is no built-in email notification and no bulk import path for local users.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Every app and service account that needs PE console access must be explicitly created and role-assigned - there is no automated provisioning without directory integration or API tooling.
For any team larger than a handful of people, LDAP or Active Directory integration is the operationally sound choice: remote users are created automatically on first login and bypass the manual password reset flow entirely.
Custom roles are only available in Puppet Enterprise. If your permission requirements go beyond the four predefined roles, confirm you are on a PE license before investing time in RBAC design.
Revocation (disabling access without deleting the record) is the safest offboarding action for auditing purposes. Permanent deletion requires either the RBAC API or a PE version that exposes the delete option in the console UI - verify your version before relying on the UI alone.
Bottom line
Puppet Enterprise's RBAC system is capable and granular, but it is built for infrastructure teams comfortable with manual workflows or directory integration - not for organizations expecting automated provisioning out of the box.
Every app and service account that needs PE console access must be explicitly created and role-assigned, with no bulk import and no native email delivery for credentials. Teams that invest in LDAP/AD integration or API-driven provisioning will eliminate the most painful manual steps;
teams that do not will find user lifecycle management to be a persistent, low-level operational burden.
Automate Puppet workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
