Summary and recommendation
Secureframe user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Secureframe is a GRC and compliance automation platform, and like every app in a compliance stack, controlling who has access is as important as the compliance data itself.
User management lives at Settings → Team (https://app.secureframe.com/settings/team), where Admins can invite, assign roles, and deactivate users.
The platform uses a fixed role model - Owner, Admin, Member, and Auditor - with no custom role creation documented.
Quick facts
| Item | Detail |
|---|---|
| Admin console path | Settings → Team (within the Secureframe web app) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Complete |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Full access to all Secureframe features including integrations, frameworks, tests, personnel management, billing, and user management. Can invite and deactivate users, assign roles, and configure SSO/SCIM. | At least one Admin must remain active; removing the last Admin is not permitted. | | | |
| Owner | Highest privilege level. All Admin capabilities plus ownership-level billing and account controls. Typically assigned to the account creator. | Only one Owner per account. Ownership transfer requires contacting Secureframe support. | | | |
| Member | Can complete assigned tasks, upload evidence, and view compliance status relevant to their assigned scope. Cannot manage users, integrations, or billing. | Cannot invite or remove users, configure integrations, or access billing settings. | | | Members only see content and tasks assigned to them; they do not have visibility into the full compliance program by default. |
| Auditor | Read-only access to compliance evidence, controls, and test results for audit review purposes. Cannot modify any records. | Cannot edit controls, upload evidence, manage users, or access billing. | | | Auditor seats are typically used for external auditors; confirm with Secureframe whether Auditor seats count against licensed seat totals. |
Permission model
- Model type: role-based
- Description: Secureframe uses a fixed set of predefined roles (Owner, Admin, Member, Auditor). Permissions are assigned at the role level and are not individually configurable per user. There is no evidence of custom role creation in official documentation.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level only; no per-user or per-resource permission overrides documented in official sources.
How to add users
- Log in to Secureframe and navigate to Settings → Team.
- Click 'Invite User' or 'Add User'.
- Enter the user's email address.
- Select the appropriate role (Admin, Member, or Auditor).
- Click 'Send Invite'. The user receives an email invitation to create or link their account.
Required fields: Email address, Role
Watch out for:
- Invited users must accept the email invitation before they appear as active in the team roster.
- SSO enforcement (if configured) may require the user's email domain to match the configured IdP.
- SCIM provisioning (available on Complete plan with SSO enabled) can automate user creation; manual invites and SCIM provisioning can conflict if both are active.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Complete plan (requires SSO; contact accountmanagement@secureframe.com to enable SCIM) |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Secureframe's official help documentation describes deactivating users rather than permanently deleting them. Deactivated users lose access to the platform but their historical records, evidence uploads, and audit trail entries are retained. No official documentation confirms a hard-delete option for user accounts.
- Navigate to Settings → Team.
- Locate the user in the team list.
- Click the options menu (ellipsis or action button) next to the user's name.
- Select 'Deactivate' or 'Remove User'.
- Confirm the action when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | Evidence and task records previously submitted by the deactivated user are retained in the system for audit trail continuity. |
| Shared content | Controls and tests previously assigned to or completed by the user remain visible to Admins. |
| Integrations | Any integrations configured by the user remain active; integration ownership does not automatically transfer. |
| License freed | Deactivating a user frees their seat for reassignment, though billing cycle timing for seat reduction is subject to contract terms. |
Watch out for:
- Deactivating the sole Admin or Owner account is blocked; another Admin or Owner must be designated first.
- If SCIM is enabled, deprovisioning the user in the IdP will automatically deactivate them in Secureframe; manual deactivation may be redundant.
- Seat count reduction after deactivation may not take effect until the next billing period; confirm with Secureframe account management.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User Seat | Access for one invited team member (Admin, Member, or Auditor role). Pricing scales with total employee headcount and number of compliance frameworks. | Included in annual contract; per-seat cost not published. Base pricing starts ~$7,500/yr (Fundamentals) or ~$14,000–$20,000/yr (Complete). Contact Secureframe for seat-level pricing. |
- Where to check usage: Settings → Team (shows all active and pending users and their roles)
- How to identify unused seats: Review the Team settings page for users with no recent activity or pending invitation status. Secureframe does not document an automated inactive-user report in official help articles.
- Billing notes: Pricing is contract-based and scales with employee headcount and frameworks selected. Seat additions mid-contract may be prorated. SCIM and SSO are available on the Complete plan only. Contact accountmanagement@secureframe.com for seat changes.
The cost of manual management
Deactivating a user does not automatically reassign their open tasks; an Admin must handle reassignment manually after each departure.
SCIM provisioning - the only path to automated lifecycle management - requires direct engagement with Secureframe account management to enable, so IT teams on the Complete plan still face a manual setup step before automation is possible. These gaps compound quickly as headcount grows.
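The manual gaps above can be turned into a repeatable access review. The sketch below is an added example, not Secureframe or Stitchflow code: it assumes the roster has been transcribed by hand from Settings → Team into `Seat` records (field names and status labels are hypothetical) and compares it with a list of accounts still enabled in the IdP.

```python
from dataclasses import dataclass

PRIVILEGED = {"Owner", "Admin"}  # at least one must stay active

@dataclass
class Seat:
    email: str
    role: str              # Owner, Admin, Member or Auditor
    status: str            # assumed labels: active, pending, deactivated
    open_tasks: int = 0    # tasks still assigned to the user
    integrations: int = 0  # integrations the user configured

def review(roster, idp_emails):
    """Return sorted (email, finding) pairs for a manual access review."""
    idp = {e.lower() for e in idp_emails}
    remaining_admins = [s for s in roster if s.status == "active"
                        and s.role in PRIVILEGED and s.email.lower() in idp]
    out = []
    for s in roster:
        gone = s.email.lower() not in idp
        if s.status == "pending":
            out.append((s.email, "invite not accepted"))
            continue
        if s.status == "active" and s.role == "Auditor" and gone:
            out.append((s.email, "external auditor: confirm engagement is open"))
            continue
        leaver = s.status == "active" and gone
        if leaver and s.role in PRIVILEGED and not remaining_admins:
            out.append((s.email, "blocked: designate another Admin/Owner first"))
        elif leaver:
            out.append((s.email, "deactivate: no matching IdP account"))
        if leaver or s.status == "deactivated":
            if s.open_tasks:
                out.append((s.email, f"reassign {s.open_tasks} open task(s)"))
            if s.integrations:
                out.append((s.email, f"review owner of {s.integrations} integration(s)"))
    return sorted(out)

ROSTER = [  # constructed sample data, not real accounts
    Seat("ana@example.com", "Owner", "active"),
    Seat("raj@example.com", "Admin", "active", open_tasks=3, integrations=2),
    Seat("lee@example.com", "Member", "deactivated", open_tasks=1),
    Seat("kim@example.com", "Member", "pending"),
    Seat("audit@auditfirm.example", "Auditor", "active"),
]
IDP_ACTIVE = ["Ana@example.com"]  # constructed: accounts still enabled in the IdP

if __name__ == "__main__":
    print(*review(ROSTER, IDP_ACTIVE), sep="\n")
```

Treating Auditor accounts as external, and therefore not expected in the IdP, is an assumption of this sketch; drop that branch if auditors sign in through SSO.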
The decision
Every app in a compliance-heavy environment carries access risk, and Secureframe's four fixed roles - Owner, Admin, Member, Auditor - keep things simple but limit delegation at scale. Members cannot be scoped to a specific framework or control set, and Auditor seats have limited configurability, which can force Admins to over-share access with external reviewers.
If granular delegation across multiple frameworks is a hard requirement, validate this against Secureframe's current roadmap before committing.
Bottom line
Secureframe's manual user management is straightforward for teams already operating within its four-role model, but the absence of granular permissions and the manual SCIM enablement requirement mean onboarding and offboarding events carry real administrative overhead.
Teams running lean IT operations should factor in the task-reassignment gap on deactivation and the account-management dependency for SCIM before assuming full lifecycle automation is available out of the box.