Summary and recommendation
Sourcegraph user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Sourcegraph user management lives entirely in the Site Admin panel under Users & Auth → Users. Every app in your stack has a provisioning story; Sourcegraph's is built around a flat admin/user role split at the instance level, with optional RBAC custom roles layered on top for feature-level control on Enterprise.
SCIM is available on Enterprise with an active SSO provider (SAML or OIDC), making automated provisioning viable for Okta and Entra ID shops. Teams below 50 developers on Enterprise Starter get a lighter tier, but SCIM and custom RBAC roles are not included at that level.
Quick facts
| Admin console path | Site Admin → Users & Auth → Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Site Admin | Full access to all site-admin settings, user management, repository configuration, license management, authentication providers, and all organization-level settings. | Cannot be restricted below full admin access; no partial admin delegation available without custom RBAC roles. | All plans | Counts as a licensed seat | Promoting a user to site admin grants unrestricted access to all instance settings and all code on the instance. There is no scoped admin role without Enterprise RBAC. |
| User (standard) | Can search code, use Cody AI features, create and manage own saved searches, manage own account settings, and access repositories permitted by repository permissions. | Cannot access site-admin panel, manage other users, configure auth providers, or view billing/license details. | All plans | Counts as a licensed seat | Repository-level access is governed by the connected code host's permissions (e.g., GitHub, GitLab). If permission syncing is not configured, all users may see all repositories by default. |
| Custom Role (RBAC) | Admin-defined permission sets scoped to specific Sourcegraph features (e.g., Batch Changes, ownership management). Permissions are additive on top of the base User role. | Cannot grant site-admin capabilities through custom roles; custom roles operate within the user permission boundary. | Enterprise | Counts as a licensed seat | Custom roles are configured via the site-admin RBAC panel and must be explicitly assigned to users or groups. Not available on Enterprise Starter. |
Permission model
- Model type: hybrid
- Description: Sourcegraph uses a hybrid model: a flat role system (Site Admin vs. User) for instance-level access, combined with optional RBAC custom roles for feature-level permissions on Enterprise, and code-host-mirrored repository permissions for data access control.
- Custom roles: Yes
- Custom roles plan: Enterprise
- Granularity: Feature-level (Batch Changes, Cody, ownership) and repository-level (mirrored from code host). Instance-level admin is binary (admin or not).
How to add users
- Sign in as a site admin.
- Navigate to Site Admin → Users & Auth → Users (URL: /site-admin/users).
- Click 'Create user account'.
- Enter the username and email address.
- Optionally set a password or leave blank to send an email invitation.
- Click 'Create account'. The user receives an email to set their password if no password was set.
Required fields: Username, Email address
Watch out for:
- If the instance uses SSO (SAML/OIDC) as the primary auth provider, manually created accounts may conflict with SSO-provisioned accounts unless the email matches exactly.
- Email delivery must be configured on the instance (SMTP settings) for invitation emails to send.
- Usernames must be unique and follow Sourcegraph's username format (alphanumeric, hyphens, dots); spaces are not allowed.
- Manually created users still consume a licensed seat immediately upon creation, even before first login.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | Yes | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Sourcegraph supports both deactivation (soft disable) and hard deletion. Deactivation prevents login and frees the seat while preserving user data. Hard deletion permanently removes the user account and associated data (saved searches, settings). Hard delete is available via the site-admin Users panel or the GraphQL API.
- Sign in as a site admin.
- Navigate to Site Admin → Users & Auth → Users (/site-admin/users).
- Locate the user by searching their username or email.
- Click the user's name to open their profile.
- Click 'Deactivate user' to disable login without deleting data, or 'Delete user' for permanent removal.
- Confirm the action in the dialog.
| Data impact | Behavior |
|---|---|
| Owned records | Deactivation: saved searches, code monitors, and settings are retained but inaccessible. Hard deletion: all owned records (saved searches, code monitors, access tokens, external account links) are permanently deleted. |
| Shared content | Batch Changes changesets created by the user remain on the code host but the Sourcegraph association is removed on hard delete. Shared notebooks or insights created by the user may become orphaned. |
| Integrations | Personal access tokens issued to the user are revoked on deactivation or deletion. External account links (GitHub, GitLab OAuth) are removed on hard delete. |
| License freed | Deactivating a user frees the licensed seat immediately. The seat count in Site Admin → Licensing reflects the change. |
Watch out for:
- Hard deletion is irreversible; Sourcegraph does not provide a restore mechanism for deleted users.
- If SCIM provisioning is active, deprovisioning the user in the IdP will automatically deactivate (not hard-delete) the Sourcegraph account; manual hard deletion must still be done in Sourcegraph if required.
- Deactivated users still appear in the user list with a 'Deactivated' badge; they must be filtered out manually when auditing active seat usage.
- Site admins cannot deactivate their own account; another site admin must perform the action.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Licensed User Seat | Access to all Sourcegraph features permitted by the plan (code search, Cody AI, Batch Changes, etc.) for one active user account. | Enterprise Starter: $19/user/month (up to 50 users). Enterprise: $59/user/month. |
- Where to check usage: Site Admin → Licensing (/site-admin/license) shows total licensed seats, seats in use, and license expiry. Site Admin → Users (/site-admin/users) shows all active and deactivated accounts.
- How to identify unused seats: Navigate to Site Admin → Users (/site-admin/users) and sort or filter by 'Last active' date to identify users who have not logged in recently. There is no built-in automated idle-user report; admins must manually review last-active timestamps.
- Billing notes: Seat count is based on active (non-deactivated) user accounts at the time of billing. Deactivating a user reduces the active seat count. License keys are applied at Site Admin → Licensing; exceeding the licensed seat count triggers a warning but does not immediately lock out users on self-hosted instances.
The cost of manual management
Adding a user manually takes six steps: sign in as site admin, navigate to /site-admin/users, click 'Create user account', enter username and email, optionally set a password, and confirm. The seat is consumed immediately on creation, before the user ever logs in.
If your instance uses SSO as the primary auth provider, manually created accounts must have an email that matches exactly what the IdP will assert, or you risk duplicate account conflicts. SMTP must be configured for invitation emails to reach the new user at all.
Removing a user is either a soft deactivation (login blocked, seat freed, data preserved) or a hard delete (permanent, no restore path). Hard deletion orphans any shared content - notebooks, code insights - with no reassignment workflow.
If SCIM is active, the IdP handles deactivation automatically via PATCH active: false, but hard deletion still requires a manual action inside Sourcegraph.
There is no built-in idle-user report. Identifying unused seats means manually sorting the Users list by 'Last active' date - a recurring audit task with no automation unless you script it against the GraphQL API.
What IT admins are saying
Practitioners flag a consistent set of friction points with Sourcegraph's user management. SCIM support is officially tested only against Okta and Entra ID; any other IdP requires manual workarounds with no documented path.
Entra ID's SCIM validator in particular surfaces edge-case errors during initial setup that are not well-explained in official docs.
Bulk user creation has no native CSV import path. Teams that need to onboard large cohorts outside of SCIM must script against the GraphQL API or create accounts one at a time.
The absence of automated idle-user detection is a recurring complaint for license-conscious admins who need to reclaim seats without building their own tooling.
Common complaints:
- Limited to tested IdPs (Okta, Entra ID) for SCIM; other IdPs require manual workarounds.
- Azure AD (Entra ID) SCIM validator issues can cause confusion during initial setup.
- No built-in CSV import for bulk user creation; bulk provisioning requires SCIM or manual API scripting.
- No automated idle-user detection or reporting; admins must manually audit last-active timestamps to reclaim seats.
- Hard deletion of users can orphan shared content (notebooks, insights) with no reassignment workflow.
- Domain-based allow-listing (auto-provisioning users from a trusted email domain) behavior depends on auth provider configuration and is not a simple toggle in all setups.
- Network requirements for private/air-gapped deployments add complexity to SCIM and SSO configuration.
The decision
Manual management is workable for small teams or one-off changes, but it does not scale cleanly. Every app your team uses benefits from a consistent offboarding process; Sourcegraph's lack of automated idle detection and no-restore hard-delete behavior make discipline around deprovisioning especially important here.
If your organization is already on Enterprise with Okta or Entra ID, SCIM provisioning eliminates the manual overhead and keeps seat counts accurate automatically. Teams on Enterprise Starter should plan for manual or API-scripted provisioning, since SCIM is not available at that tier.
Custom RBAC roles are also Enterprise-only, so feature-level permission scoping is not an option below that plan.
Bottom line
Sourcegraph's manual user management is straightforward for day-to-day adds and removes but carries real operational cost at scale: no idle-user automation, no bulk import, and a hard-delete that is irreversible with no content reassignment.
Teams on Enterprise with Okta or Entra ID should prioritize SCIM setup to keep provisioning consistent and seat counts accurate.
Everyone else should build a recurring audit habit around the Last Active filter in the Users panel, and treat hard deletion as a deliberate, high-stakes action rather than a routine offboarding step.
Automate Sourcegraph workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
