Summary and recommendation
Rapid7 user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Rapid7's Insight Platform manages users through a role-based access control model with three predefined platform-level roles: Platform Administrator, Product Administrator, and Read-Only.
Custom roles are not supported; access granularity within products like InsightVM is achieved through site and asset group scoping, not custom role definitions.
Every app in your stack that relies on Rapid7 data inherits the access boundaries set here, so role assignments carry real downstream consequence.
Quick facts
| Admin console path | Insight Platform → Administration → Users |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | N/A |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Platform Administrator | Full access to all Insight platform settings, user management, product provisioning, SSO configuration, and billing/license management. | | | | Only Platform Administrators can invite new users and manage roles; product-level admins cannot manage platform-wide settings. |
| Product Administrator | Administrative access within a specific Insight product (e.g., InsightVM, InsightIDR). Can manage product-level settings, assets, and users within that product. | Cannot manage platform-wide user accounts, SSO settings, or billing. | | | Product Admin scope is limited to the product(s) they are assigned to; cross-product administration requires Platform Admin. |
| Read-Only User | Can view dashboards, reports, and data within assigned products. Cannot modify configurations, create assets, or manage users. | Cannot edit settings, create or delete content, or manage other users. | | | |
| Restricted User (InsightVM) | Access limited to specific asset groups or sites as configured by an administrator within InsightVM. | Cannot access assets or sites outside their assigned scope. | InsightVM subscription required. | | Asset group/site restrictions must be configured explicitly; default access is broader. |
Permission model
- Model type: role-based
- Description: Rapid7 Insight Platform uses a role-based access control model with predefined platform-level roles (Platform Admin, Product Admin, Read-Only) and product-specific roles within individual products (e.g., InsightVM site/asset group restrictions). Role assignments are made per user at the platform level and optionally scoped per product.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Platform-level roles are predefined and not customizable. Product-level scoping (e.g., asset groups, sites in InsightVM) provides additional access restriction within a product.
How to add users
- Log in to the Insight Platform at insight.rapid7.com.
- Navigate to Administration → Users.
- Click 'Invite User'.
- Enter the user's email address.
- Select the platform role (Platform Administrator, Product Administrator, or Read-Only).
- Optionally assign the user to specific products and configure product-level roles.
- Click 'Send Invitation'. The user receives an email to activate their account.
Required fields: Email address, Platform role
Watch out for:
- Invitations expire; if the user does not activate within the expiry window, the invitation must be resent.
- Users must have a valid email address accessible to them to complete activation.
- If SSO is enforced, users authenticate via the configured IdP and may not set a local password.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Not documented |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Rapid7 Insight Platform documentation describes the ability to delete users from the platform via Administration → Users. Deleted users lose access immediately. The documentation does not describe a separate 'deactivate' state distinct from deletion at the platform level.
- Log in to the Insight Platform at insight.rapid7.com.
- Navigate to Administration → Users.
- Locate the user in the user list.
- Select the user and choose the option to delete or remove the user.
- Confirm the action.
| Data impact | Behavior |
|---|---|
| Owned records | Official documentation does not explicitly describe what happens to data owned by a deleted user. Verify with Rapid7 support before deleting users who own critical assets or configurations. |
| Shared content | Official documentation does not explicitly describe the impact on shared dashboards or reports owned by a deleted user. |
| Integrations | Official documentation does not explicitly describe the impact on API keys or integrations associated with a deleted user. |
| License freed | Removing a user frees the associated seat/license, making it available for reassignment. |
Watch out for:
- Deleting a user is irreversible; the user must be re-invited to regain access.
- Data ownership transfer behavior upon user deletion is not explicitly documented; confirm with Rapid7 support for production environments.
- If SSO is in use, disabling the user in the IdP prevents login but does not automatically remove the user from the Insight Platform user list.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User Seat | Access to licensed Insight platform products (e.g., InsightVM, InsightIDR, InsightAppSec) based on subscription. Each invited user consumes a seat. | |
- Where to check usage: Administration → Users (shows current user count); license/subscription details may be available under Administration → Subscription or via Rapid7 account management.
- How to identify unused seats: Review the user list in Administration → Users and check last login timestamps to identify inactive users. No automated unused-seat report is documented in official help docs.
- Billing notes: Rapid7 products are sold on a subscription basis with custom enterprise pricing. Seat counts and billing terms are negotiated per contract. Contact Rapid7 account management for license adjustments.
The cost of manual management
Every app connected to Rapid7 exposes a gap when offboarding is manual: disabling a user in your IdP does not automatically remove them from the Insight Platform, leaving an active account until an admin manually deletes it.
Product-level role assignments must be configured individually per product, so onboarding a user across InsightVM, InsightIDR, and InsightAppSec requires multiple discrete steps with no bulk tooling documented. Invitations also expire silently, requiring a resend if the user misses the activation window - a friction point that compounds at scale.
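One way to catch the accounts this gap leaves behind, together with the manual last-login review described under license management, is a periodic reconciliation of the platform user list against the IdP directory. The sketch below is an added example, not Rapid7 or Stitchflow code; the CSV column names and both sample lists are constructed assumptions, since the page documents no export format.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions. The lists stand in for
# what an admin compiles from Administration > Users and from the IdP directory.
PLATFORM_USERS = """email,role,last_login
alice@example.com,Platform Administrator,2024-05-28
Bob@Example.com,Product Administrator,2024-05-30
carol@example.com,Read-Only,2024-01-10
dave@example.com,Platform Administrator,2024-05-01
erin@example.com,Read-Only,
"""
IDP_USERS = """email,status
alice@example.com,active
bob@example.com,disabled
carol@example.com,active
erin@example.com,active
"""

# Review the most privileged platform roles first.
ROLE_RANK = {"Platform Administrator": 0, "Product Administrator": 1, "Read-Only": 2}


def reconcile(platform_csv, idp_csv, today, stale_days=90):
    """Return (orphaned, stale) lists of (email, role) needing admin review."""
    idp_active = {r["email"].strip().lower() for r in csv.DictReader(io.StringIO(idp_csv))
                  if r["status"].strip().lower() == "active"}
    orphaned, stale = [], []
    for row in csv.DictReader(io.StringIO(platform_csv)):
        email = row["email"].strip().lower()  # IdPs and consoles differ in case
        entry = (email, row["role"])
        last = row["last_login"].strip()
        idle = (today - date.fromisoformat(last)).days if last else None
        if email not in idp_active:
            orphaned.append(entry)  # disabled or absent in IdP, still on platform
        elif idle is None or idle > stale_days:
            stale.append(entry)  # no recorded login, or idle past the threshold
    key = lambda e: (ROLE_RANK.get(e[1], 99), e[0])
    return sorted(orphaned, key=key), sorted(stale, key=key)


if __name__ == "__main__":
    orphaned, stale = reconcile(PLATFORM_USERS, IDP_USERS, date(2024, 6, 1))
    print("Delete in Administration > Users:", orphaned)
    print("Unused-seat candidates:", stale)
```

Orphaned accounts still need to be deleted by hand in the console; the script only produces the review list, ordered so that Platform Administrator accounts surface first.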
The decision
Choose manual management if your Rapid7 environment is small, stable, and already governed by a mature IdP with disciplined offboarding checklists that include a Rapid7 console step. If your team spans multiple Insight products, experiences regular onboarding and offboarding, or operates under compliance requirements that demand timely deprovisioning, the manual process introduces meaningful audit risk.
The absence of SCIM and the SSO-deprovisioning gap are the two structural constraints that most directly determine whether manual management remains viable at your scale.
Bottom line
Rapid7's Insight Platform gives administrators a straightforward console for user management, but the architecture has two hard limits that matter operationally: no SCIM support and no automatic deprovisioning on IdP disable.
Every app and product in your Rapid7 subscription requires individual role configuration per user, and deletions are permanent with no documented data-ownership transfer behavior.
Teams with high user turnover or strict deprovisioning SLAs should treat the manual process as a gap to close, not a steady-state workflow.