Summary and recommendation
Redash user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Redash is an open-source data visualization and querying tool that runs entirely on self-hosted infrastructure.
The official cloud service was discontinued in November 2021 following the Databricks acquisition, so every app deployment today is either self-managed or hosted through a third-party provider.
There is no per-seat licensing cost in the open-source version; third-party managed hosting carries its own pricing set by those providers, not the Redash project.
Quick facts
| Admin console path | Settings > Users (accessible at /users on the Redash instance) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Self-hosted (free) |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Full access: manage users, groups, data sources, query snippets, organization settings, and all queries/dashboards regardless of ownership. | Self-hosted (no paid tier required) | Admin status is a flag on the user record, not a separate group. Any user can be promoted to admin by an existing admin. | ||
| Regular User (default) | Can create queries and dashboards, view shared content they have been granted access to via groups, and manage their own profile. | Cannot manage other users, data sources, or organization settings. Cannot access queries/data sources not shared with their groups. | Self-hosted (no paid tier required) | Access to data sources and queries is controlled entirely by group membership. A user with no group assignments beyond 'default' has very limited access. |
Permission model
- Model type: role-based
- Description: Redash uses a group-based permission model. Every user belongs to one or more groups. Data sources are granted to groups, and queries/dashboards inherit visibility from group membership. There are two built-in groups: 'default' (all users) and 'admin'. Admins can create additional custom groups and assign data sources to them.
- Custom roles: Yes
- Custom roles plan: Self-hosted (no paid tier required; custom groups are available in the open-source version)
- Granularity: Data-source level: access is granted per data source per group. Query and dashboard sharing is per-object. There is no row-level or column-level permission control.
How to add users
- Log in as an Admin.
- Navigate to Settings > Users (path: /users).
- Click the 'New User' button.
- Enter the user's Name and Email address.
- Click 'Create'.
- An invitation email is sent to the provided address. The user sets their own password via the invitation link.
- Optionally, assign the user to additional groups from the user detail page.
Required fields: Name, Email address
Watch out for:
- Invitation emails require a correctly configured mail server (REDASH_MAIL_* environment variables). If mail is not configured, the invitation link will not be delivered.
- New users are automatically added to the 'default' group. They will not have access to any data sources unless the 'default' group has data sources assigned, or they are added to another group with data source access.
- There is no built-in bulk CSV import for users in the standard UI.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Self-hosted; SSO via SAML 2.0 or Google OAuth can auto-provision users on first login. Okta, OneLogin, and Entra ID are supported as SAML identity providers. |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Redash supports both disabling (deactivating) and deleting users. Disabling a user prevents login but retains their data. Deletion is available via the admin UI or API and permanently removes the user record. The official help docs and source code both reference a disable action; deletion is also present in the codebase and admin interface.
- Log in as an Admin.
- Navigate to Settings > Users (path: /users).
- Locate the user and open their profile.
- Click 'Disable' to deactivate the user. The user will no longer be able to log in.
- To re-enable, return to the same profile and click 'Enable'.
| Data impact | Behavior |
|---|---|
| Owned records | Queries and dashboards created by the disabled/deleted user remain in the system and are still accessible to users who had prior access via groups or sharing. |
| Shared content | Shared dashboards and queries are not removed when a user is disabled or deleted. |
| Integrations | API keys associated with the user are invalidated when the user is disabled or deleted. |
| License freed | Redash is open-source and self-hosted; there is no per-seat license cost to free up. Disabling a user prevents login but has no billing impact. |
Watch out for:
- Disabling a user does not revoke existing shared links to dashboards if those links are public/token-based.
- If SSO is enabled, a disabled user may still be able to attempt login via the IdP; the disable flag in Redash will block the session regardless.
- Deleted users' queries and dashboards become orphaned (no owner) but remain accessible.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Self-hosted user | Full access to all Redash features as permitted by group membership. No per-seat cost. | $0 (open-source, self-hosted) |
- Where to check usage: Settings > Users (path: /users) - lists all users with their status (active/disabled) and last login information.
- How to identify unused seats: Sort or filter the user list by 'Last Active At' column in Settings > Users to identify users who have not logged in recently. No automated idle-user report is built in.
- Billing notes: Redash is open-source software with no per-seat licensing. The official Redash cloud service was discontinued in November 2021 following the Databricks acquisition. Third-party managed hosting providers (e.g., Elestio) may charge per-user fees under their own pricing, which is not set by the Redash project.
The cost of manual management
Because Redash has no native SCIM support, user lifecycle tasks that would be automated in other tools fall back to manual administration or custom scripting against the REST API.
Adding a user requires an admin to navigate to Settings > Users, create the record, and then separately assign group memberships - group assignment is the only mechanism that controls data source access.
Removing a user means locating their profile and clicking Disable; there is no bulk offboarding workflow built into the UI, and disabling a user does not automatically revoke access to shared dashboards with public or token-based links.
The decision
When evaluating Redash against every app in your BI or analytics stack, the key variable is how much operational ownership your team can absorb. The group-based model works well when data source boundaries map cleanly to team boundaries, but it breaks down when you need object-level or attribute-level access control.
If your organization requires IdP-driven lifecycle management, Redash's SAML integration handles authentication but leaves provisioning and deprovisioning as a manual or scripted responsibility. Teams should weigh the operational overhead of self-hosting against the absence of licensing costs before committing.
Bottom line
Redash delivers capable query and dashboard tooling at zero licensing cost, but that trade-off comes with full operational ownership. User lifecycle management - onboarding, group assignment, and offboarding - is entirely manual through the admin UI or the REST API, with no SCIM path available.
For small, technically fluent teams with stable rosters the overhead is manageable; for organizations with frequent staff changes or compliance-driven provisioning requirements, the gap between what Redash offers natively and what enterprise IAM workflows demand will require deliberate engineering investment to close.
Automate Redash workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
