Summary and recommendation
Segment user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Segment's access management lives under Workspace Settings > Access Management and follows a two-level RBAC model: workspace-level roles (Workspace Owner, Workspace Member) and resource-level roles scoped to specific sources, destinations, Tracking Plans, or Engage spaces.
Users can hold multiple roles simultaneously, but there are no fully custom roles - every app integration and permission assignment draws from a predefined set.
SCIM provisioning is available, but only on the Business tier and only after SSO is fully configured.
Quick facts
| Admin console path | Workspace Settings > Access Management |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Business |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Workspace Owner | Full administrative access to the workspace: manage users, billing, integrations, sources, destinations, and all workspace settings. | All plans | At least one Workspace Owner must exist at all times; the last owner cannot be removed. | ||
| Workspace Member | Base role assigned to all invited users. Actual capabilities depend on additional resource-level roles granted. | Cannot manage billing, SSO, SCIM, or workspace-level settings without additional roles. | All plans | Users invited via SSO JIT provisioning receive read-only access by default unless roles are explicitly mapped. | |
| Source Admin | Create, edit, and delete sources; manage source settings and connected integrations. | Cannot manage workspace-level settings or billing. | All plans | Role is scoped to specific sources, not the entire workspace, unless granted globally. | |
| Source Read-only | View source data, settings, and connected integrations. Cannot make changes. | Cannot edit or delete sources, destinations, or any settings. | All plans | Default role assigned to JIT-provisioned SSO users. | |
| Tracking Plan Admin | Create, edit, and delete Tracking Plans. | Cannot manage sources, destinations, or workspace settings. | Plans that include Protocols/Tracking Plans | ||
| Tracking Plan Read-only | View Tracking Plans only. | Cannot edit Tracking Plans or any other workspace resources. | Plans that include Protocols/Tracking Plans | ||
| Personas/Engage Admin | Full access to Engage (formerly Personas) spaces: create and manage audiences, computed traits, and journeys. | Cannot manage workspace-level settings or billing. | Plans that include Engage | Engage access is scoped to specific Engage spaces. | |
| Personas/Engage Read-only | View Engage spaces, audiences, and computed traits. | Cannot create or edit audiences, traits, or journeys. | Plans that include Engage |
Permission model
- Model type: role-based
- Description: Segment uses a role-based access control (RBAC) model with built-in roles applied at two levels: workspace-level (global) and resource-level (scoped to specific sources, destinations, Tracking Plans, or Engage spaces). Users can hold multiple roles simultaneously. There are no fully custom roles; permissions are assigned by selecting from predefined role options per resource.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Roles can be scoped globally to the workspace or individually to specific resources (e.g., a single source or a single Engage space), allowing fine-grained access control without custom role creation.
How to add users
- Navigate to Workspace Settings > Access Management in the Segment app.
- Click 'Invite Team Member'.
- Enter the invitee's email address.
- Select workspace-level role(s) to assign (e.g., Workspace Member, Workspace Owner).
- Optionally assign resource-level roles for specific sources, destinations, Tracking Plans, or Engage spaces.
- Click 'Send Invite'.
- Invitee receives an email and must accept the invitation to gain access.
Required fields: Email address, At least one workspace-level role
Watch out for:
- Invitations expire if not accepted; a new invite must be sent.
- Users provisioned via SSO JIT receive read-only (Source Read-only) access by default unless role mappings are configured in the IdP.
- SCIM provisioning requires SSO to be configured first and is only available on the Business tier.
- A user must accept the invite before they appear as an active member; pending invites are listed separately.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Business |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Segment allows workspace owners to remove (delete) a user from the workspace via the Access Management settings page. Removing a user revokes their access immediately. When provisioned via SCIM, deprovisioning in the IdP removes the user from the Segment workspace.
- Navigate to Workspace Settings > Access Management.
- Locate the user in the members list.
- Click the options menu (three dots or 'Remove') next to the user.
- Confirm removal.
| Data impact | Behavior |
|---|---|
| Owned records | Sources, destinations, and Tracking Plans created by the removed user remain in the workspace and are not deleted. |
| Shared content | Shared resources (sources, destinations, audiences) are unaffected by user removal. |
| Integrations | Connected integrations and API keys associated with the workspace remain active after user removal. |
| License freed | Segment does not publicly document per-seat billing; removing a user may affect seat counts on plans with user limits, but specific license-freeing behavior is not explicitly documented. |
Watch out for:
- The last Workspace Owner cannot be removed; another owner must be assigned first.
- Removing a user via the UI does not automatically deprovision them in a connected IdP; SCIM deprovision must be initiated from the IdP side.
- Pending invitations can be cancelled from the Access Management page before the user accepts.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Workspace Member | Access to the Segment workspace with roles as assigned. All invited users occupy a seat. |
- Where to check usage: Workspace Settings > Access Management (lists all active members and pending invites)
- How to identify unused seats: Review the Access Management member list for users with no recent activity. Segment does not natively surface last-login timestamps in the UI per official docs; admins must cross-reference with IdP logs or audit events.
- Billing notes: Segment's pricing is primarily based on Monthly Tracked Users (MTUs) and events, not per-seat user counts. The number of workspace members does not directly drive per-seat billing charges on standard plans. Business tier pricing is custom and negotiated. SCIM and SSO are included in the Business tier.
The cost of manual management
Without SCIM, every invite cycle requires navigating to Access Management, entering an email, selecting roles, sending, and waiting for acceptance. Invitations expire if not accepted, and there is no CSV bulk-import path - each user must be invited individually.
Identifying inactive members is also manual, since Segment does not surface last-login timestamps in the Access Management UI; admins must cross-reference IdP logs or audit events to find stale seats.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual management is workable for small, stable teams where invite volume is low and role changes are infrequent. Once headcount grows or offboarding speed matters, the absence of bulk invite tooling and native activity reporting creates compounding overhead across every app a departing employee touched in the workspace.
SCIM via Okta, Microsoft Entra ID, or OneLogin resolves provisioning and deprovisioning at scale, but the Business tier cost and the SSO prerequisite are real gates - confirm both are in place before planning an automated workflow. Domain-based auto-join is not supported; every user must be explicitly invited or provisioned regardless of email domain.
Bottom line
Segment's RBAC model is well-structured for teams that need granular, resource-scoped permissions without building custom roles.
The manual path is straightforward for low-volume access changes but does not scale cleanly - no bulk invite, no native activity reporting, and no domain whitelisting mean every app access event requires deliberate action.
SCIM closes the automation gap effectively, but it is gated behind Business tier pricing and a working SSO configuration, so teams should validate both prerequisites before committing to an automated provisioning design.
Automate Segment workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
