Summary and recommendation
Rubrik user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Rubrik Security Cloud manages users through a Role-Based Access Control (RBAC) model where every permission is tied to a role and scoped to a specific object hierarchy - cluster, workload, or global.
Three principal account types exist: Administrator, End User, and Custom Role accounts.
Administrators hold the only keys to user management;
at least one must remain active at all times.
User provisioning lives at Rubrik Security Cloud > Settings > Access Management > Users.
Adding a user requires an email address, display name, and at least one role assignment with an explicit object scope - a role without a defined scope grants no effective access.
New local accounts trigger an email invitation that must be accepted before the user can log in.
Quick facts
| Admin console path | Rubrik Security Cloud > Settings > Access Management > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full access to all Rubrik Security Cloud features, including user management, policy configuration, cluster management, and billing settings. | Only Administrators can create or modify other users and roles. At least one Administrator account must remain active. | |||
| End User | Can view and manage self-service recovery of data objects assigned to them. Cannot access administrative settings. | Cannot manage other users, configure policies, or access cluster-level settings. | End Users only see objects explicitly assigned to them via role assignments. | ||
| Custom Role (user-defined) | Permissions are defined by the administrator at creation time, scoped to specific object hierarchies and permission sets. | Cannot exceed the permissions of the assigning administrator. | Custom roles require explicit object-level scope assignment; a role without an assigned scope grants no effective access. |
Permission model
- Model type: role-based
- Description: Rubrik Security Cloud uses Role-Based Access Control (RBAC). Permissions are assigned via roles, which are then scoped to specific objects or object hierarchies (e.g., clusters, SLAs, workloads). Both built-in roles and administrator-defined custom roles are supported.
- Custom roles: Yes
- Custom roles plan: Not documented
- Granularity: Role permissions are scoped to object hierarchies (global, cluster, or specific workload objects). Granular permission sets within a custom role can include read, modify, and manage capabilities per feature area.
How to add users
- Log in to Rubrik Security Cloud at app.rubrik.com.
- Navigate to Settings > Access Management > Users.
- Click 'Add User'.
- Enter the user's email address and display name.
- Select one or more roles to assign to the user.
- Define the scope (object hierarchy) for each assigned role.
- Click 'Save' to create the user. An invitation email is sent to the specified address.
Required fields: Email address, Display name, Role assignment
Watch out for:
- Users receive an email invitation and must accept it before they can log in.
- A role must be assigned at creation; a user with no role has no access to any resources.
- Local user accounts are separate from SSO/SCIM-provisioned accounts; mixing both for the same email address may cause login conflicts.
- If SCIM provisioning is active, user creation should be managed from the IdP to avoid duplication.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Rubrik Security Cloud supports deleting local user accounts from Settings > Access Management > Users. SCIM-provisioned users are deprovisioned (deactivated) from the connected IdP, which removes their access in Rubrik.
- Navigate to Settings > Access Management > Users.
- Locate the user in the list.
- Select the user and choose 'Delete' (for local accounts) or deprovision the user in the connected IdP (for SCIM-managed accounts).
- Confirm the action when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | Backup policies, SLA assignments, and protected objects are not owned by individual users; they persist after user removal. |
| Shared content | Reports or saved views created by the user may remain in the system depending on configuration. |
| Integrations | API tokens and service account credentials associated with the deleted user are invalidated upon deletion. |
| License freed | Not documented |
Watch out for:
- Deleting a user does not remove or alter any backup data or SLA policies they configured.
- API tokens issued to a deleted local user are immediately invalidated, which may break automated scripts or integrations.
- SCIM-provisioned users must be deprovisioned via the IdP; manually deleting them in Rubrik may cause re-provisioning on the next IdP sync.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Rubrik Security Cloud – Foundation | Core data protection and management features; custom pricing. | Custom pricing |
| Rubrik Security Cloud – Business | Adds threat monitoring, anomaly detection, and additional security features over Foundation. | Custom pricing |
| Rubrik Security Cloud – Enterprise | Full platform including SCIM provisioning, advanced compliance, and all security features. | Custom pricing (~$57K/year average, up to ~$160K per available market data) |
- Where to check usage: Settings > Account > Subscription (within Rubrik Security Cloud)
- How to identify unused seats: No built-in 'last login' report is documented in official sources for identifying inactive users. Administrators can review the user list under Settings > Access Management > Users and cross-reference audit logs for activity.
- Billing notes: Rubrik licensing is capacity- and feature-based (e.g., data under management, workload type), not strictly per-seat for standard users. User seat counts do not directly map to incremental license costs in the standard model. Enterprise tier is required for SCIM provisioning.
The cost of manual management
Rubrik's licensing is capacity- and feature-based rather than strictly per-seat, so adding or removing individual users does not directly change your invoice. However, SCIM provisioning - the mechanism that eliminates manual user management at scale - is gated behind the Enterprise tier, which carries custom pricing averaging around $57K/year based on available market data.
Without SCIM, every app in your stack that connects to Rubrik requires administrators to handle onboarding and offboarding by hand. There is no native bulk CSV import, so large-scale user changes without an IdP integration mean working through the UI one account at a time.
Rubrik also lacks a built-in last-login report, so identifying inactive accounts requires cross-referencing the user list against exported audit logs.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual user management in Rubrik is viable for small, stable teams where the user roster changes infrequently. The UI workflow is straightforward, and the RBAC model is expressive enough to cover most access patterns without custom tooling.
The calculus shifts once your team grows or turnover increases. No bulk import, no last-login visibility, and no automated deprovisioning means every app access change is a manual task with real audit exposure.
If your organization is already on the Enterprise tier, enabling SCIM from your IdP is the operationally sound path - it removes the duplication risk between local and IdP-managed accounts and ensures deprovisioning propagates reliably.
Bottom line
Rubrik Security Cloud's RBAC model is powerful but operationally demanding without automation. Manual provisioning works at small scale, but the absence of bulk import tools and native inactive-user reporting creates compounding overhead as your user base grows.
SCIM provisioning resolves the core lifecycle management problem, but it requires the Enterprise tier - making the manual path a long-term cost for organizations not yet at that tier.
Automate Rubrik workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
