Summary and recommendation
IBM QRadar user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
IBM QRadar uses a two-layer permission model that separates functional access from data visibility.
Every user must be assigned both a User Role (controlling which tabs and actions are available) and a Security Profile (controlling which networks, log sources, and domains are visible).
Neither layer is optional - a user without a security profile cannot log in at all.
Built-in roles include Admin (unrestricted) and All (read-only console access).
Administrators can create custom roles with per-capability checkboxes covering Offenses, Log Activity, Network Activity, Assets, and Reports.
The Admin role grants fully unrestricted access with no internal granularity;
if you need scoped admin-like access, a custom role is the only path.
Quick facts
| Admin console path | Admin tab > User Management > Users |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | N/A |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Full access to all QRadar functions including system configuration, user management, network hierarchy, and all data domains. | Only users with the Admin role can access the Admin tab. Assigning Admin role grants unrestricted access; no granular restriction is possible within the Admin role itself. | |||
| All | Default role assigned to new users; provides basic access to the QRadar console with no administrative capabilities. | Cannot access Admin tab, manage users, or modify system configuration. | The 'All' role is a built-in role and cannot be deleted. | ||
| Custom role (user-defined) | Configurable subset of capabilities including access to specific tabs (Log Activity, Network Activity, Offenses, Assets, Reports), domain restrictions, and specific administrative functions. | Cannot exceed the permissions of the Admin role; domain-level restrictions can limit visibility to specific log sources or network segments. | Custom roles must be created before assigning to users. Security profiles (controlling data visibility) are separate from roles (controlling functional access) and both must be assigned. |
Permission model
- Model type: hybrid
- Description: QRadar uses a two-layer model: (1) User Roles define which functional capabilities (tabs, actions) a user can access; (2) Security Profiles define which data (networks, log sources, domains) a user can see. Both a role and a security profile must be assigned to every user. Built-in roles exist (Admin, All) and administrators can create custom roles with granular capability checkboxes.
- Custom roles: Yes
- Custom roles plan: Not documented
- Granularity: Per-capability checkboxes within roles (e.g., Offenses: Assign, Close, Protect; Log Activity: View, Export; Reports: Create, Distribute). Security profiles add data-level restrictions by network, log source, and domain.
How to add users
- Log in to QRadar as an Admin user.
- Click the Admin tab in the top navigation.
- In the System Configuration section, click User Management.
- Click Add User.
- Enter the required fields: Username, Password, First Name, Last Name, Email.
- Select a User Role from the dropdown.
- Select a Security Profile from the dropdown.
- Optionally set the user's locale and timezone.
- Click OK to save the user.
- Click Deploy Changes on the Admin tab if prompted to apply the configuration.
Required fields: Username, Password, First Name, Last Name, Email, User Role, Security Profile
Watch out for:
- Both a User Role and a Security Profile are mandatory; a user without a security profile cannot log in.
- Usernames are case-sensitive and must be unique.
- If LDAP authentication is configured, the password field may be managed externally, but the user record must still exist in QRadar.
- Changes to user accounts may require clicking 'Deploy Changes' on the Admin tab to take effect.
- The Admin tab is only visible to users with the Admin role; non-admin users cannot manage other users.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Not documented |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.
- Log in to QRadar as an Admin user.
- Click the Admin tab.
- Click User Management.
- Select the user account to remove.
- Click Delete.
- Confirm the deletion in the dialog.
- Click Deploy Changes if prompted.
| Data impact | Behavior |
|---|---|
| Owned records | Official documentation does not explicitly describe what happens to offenses, reports, or saved searches owned by a deleted user. Behavior is not confirmed in available official sources. |
| Shared content | Official documentation does not explicitly describe the impact on shared dashboards or reports created by a deleted user. |
| Integrations | API tokens or authorized services associated with the deleted user may need to be separately revoked via Admin > Authorized Services. |
| License freed | QRadar licensing is based on Events Per Second (EPS) or Managed Virtual Servers (MVS) throughput, not per named user seat. Deleting a user does not directly free a license unit. |
Watch out for:
- The built-in 'admin' account cannot be deleted.
- API tokens (Authorized Services) are managed separately and are not automatically revoked when a user is deleted; these must be manually removed.
- If the user was the only member of a custom security profile or role, those objects remain but are unassigned.
- For LDAP-authenticated users, disabling the account in the LDAP directory prevents login but the QRadar user record may persist until manually deleted.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Events Per Second (EPS) | Volume of log events ingested per second across all connected log sources. | Custom; usage-based pricing negotiated with IBM or partner. |
| Managed Virtual Servers (MVS) / Flows Per Minute (FPM) | Network flow data processing capacity. | Custom; usage-based pricing negotiated with IBM or partner. |
| Community Edition | Free tier limited to 50 EPS and 5,000 network flows per minute; single-host deployment only. | Free |
- Where to check usage: Admin tab > System and License Management > License Pool Manager
- How to identify unused seats: QRadar does not provide a native 'inactive user' report. Administrators can review the audit log (Admin > Audit Log) to identify users with no recent login activity.
- Billing notes: QRadar licensing is capacity-based (EPS/FPM/MVS), not per named user. Adding or removing user accounts does not directly affect license costs. License keys are managed under Admin > System and License Management.
The cost of manual management
QRadar licensing is capacity-based - priced on Events Per Second (EPS) or Managed Virtual Servers (MVS) - not on named user seats. Adding or removing user accounts has no direct effect on license costs. A free Community Edition exists, capped at 50 EPS and a single-host deployment.
The operational cost of manual user management is procedural, not financial. Every app that needs a new analyst requires an admin to resolve the correct role ID and security profile before the account can be created - there is no bulk CSV import path in the UI.
Inactive account identification requires manual audit log review, since QRadar provides no native last-login report in the User Management interface.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual management is viable for teams with stable, low-volume user rosters and an admin who understands the role-plus-security-profile pairing. The UI is functional but unforgiving: every app added to the environment means a new user record, a role lookup, a profile lookup, and a deploy step - each done individually.
For environments with frequent onboarding, offboarding, or role changes, the manual path accumulates toil quickly. The lack of a last-login report means inactive account hygiene depends entirely on audit log discipline. Teams managing more than a handful of analysts should evaluate the REST API path or an identity governance layer to reduce per-user overhead.
Bottom line
IBM QRadar's manual user management is precise but procedurally demanding. The two-layer model (roles + security profiles) gives fine-grained control over both functional access and data visibility, but every user provisioning action requires both layers to be correctly configured before access works.
There is no bulk import, no native inactive-user report, and LDAP integration does not eliminate manual role assignment inside QRadar.
Teams that manage every app in their environment through a consistent provisioning process will find the manual path workable at small scale, but the per-user overhead compounds quickly as headcount or role complexity grows.
Automate IBM QRadar workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
