Summary and recommendation
Spinnaker user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Spinnaker is an open-source continuous delivery platform originally built at Netflix.
It is self-hosted and carries no per-seat licensing cost in its open-source form;
enterprise support is available through Armory or OpsMx under vendor-negotiated terms.
There is no native SCIM support in any distribution, and because access to every app is governed entirely by external role provider group membership, user management has no built-in GUI
all administration runs through Halyard CLI configuration files and the Fiat authorization service.
Quick facts
| Admin console path | Spinnaker has no built-in GUI admin console for user management. Administration is performed via Halyard CLI configuration files and the Fiat authorization service API. |
| SCIM available | No |
| SCIM tier required | Open Source / Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Authenticated User | Access to Spinnaker resources (applications, accounts, pipelines) is determined entirely by roles assigned via the configured role provider (LDAP, GitHub Teams, Google Groups, SAML groups, etc.). Without Fiat enabled, all authenticated users have full access. | Cannot access resources for which their role provider groups do not grant READ or WRITE permissions when Fiat is enabled. | Free (self-hosted open source) | User identity and group membership are resolved at login time from the external identity/role provider. There is no user record to create inside Spinnaker itself; access is entirely delegated to the external provider. | |
| Service Account | A named Fiat service account that can be granted READ and/or WRITE permissions on applications and accounts. Used for automated pipeline execution and CI/CD integrations. | Service accounts cannot log in interactively via the UI. They are not human user accounts. | Free (self-hosted open source) | Service accounts must be explicitly created via the Fiat API or configuration and then assigned to pipelines. They are not provisioned through an IdP. | |
| Admin (Fiat admin flag) | When a user's role is listed under fiat.admin.roles in Fiat configuration, that user bypasses all authorization checks and has full access to all resources. | Free (self-hosted open source) | Admin status is granted by including a role name in the Fiat configuration file, not through a UI toggle. Any user whose IdP groups include that role name becomes an admin. |
Permission model
- Model type: role-based
- Description: Spinnaker uses Fiat (its authorization microservice) to implement RBAC. Permissions are defined per-resource (application or account) and per-action (READ, WRITE, EXECUTE). Roles are sourced from an external provider (LDAP groups, GitHub Teams, Google Groups, SAML/OAuth2 group claims). Each Spinnaker application and account can have an explicit list of roles that are granted READ, WRITE, or EXECUTE. Users with no matching role for a resource cannot see or modify it.
- Custom roles: Yes
- Custom roles plan: Free (self-hosted open source) – roles are defined in the external role provider and referenced in Spinnaker resource configuration.
- Granularity: Per-resource (application and account level) with READ, WRITE, and EXECUTE permission types. Pipeline-level permissions are inherited from the application.
How to add users
- Configure an authentication provider (OAuth2, SAML 2.0, LDAP, or X.509) in Halyard using 'hal config security authn
edit' commands. - Configure a role provider (LDAP, GitHub Teams, Google Groups, or SAML groups) in Halyard using 'hal config security authz
edit' commands. - Enable authorization in Halyard: 'hal config security authz enable'.
- Apply configuration: 'hal deploy apply'.
- Assign the user to the appropriate groups in the external role provider (e.g., add them to the relevant LDAP group or GitHub Team).
- In each Spinnaker application's configuration (Settings > Permissions), add the role name and grant READ, WRITE, or EXECUTE as needed.
- For account-level access, edit the account configuration in Halyard to include the role under 'requiredGroupMembership' or the permissions block.
- The user can now log in; Fiat resolves their roles from the external provider at login time.
Required fields: External identity provider account for the user, Group/role membership in the configured role provider, Role name referenced in Spinnaker application or account permissions
Watch out for:
- There is no 'create user' action inside Spinnaker. Users are provisioned entirely through the external IdP and role provider.
- If Fiat is enabled but a user has no matching roles for any resource, they will see an empty Spinnaker UI with no applications or accounts.
- Role membership is cached by Fiat; changes in the external role provider may not take effect immediately. Fiat syncs on a configurable interval.
- Enabling Fiat on an existing Spinnaker instance will immediately restrict access for all users who do not have matching roles configured.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Free (self-hosted open source) – provisioning is handled entirely by the external IdP and role provider (LDAP, SAML, OAuth2, GitHub Teams, Google Groups). |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Spinnaker does not maintain an internal user database to delete from. To remove a user's access, revoke their membership from the relevant groups in the external role provider (LDAP, GitHub Teams, Google Groups, etc.). Fiat will deny access on the next role sync or login. There is no deactivate or delete action within Spinnaker itself.
- Remove the user from the relevant groups in the external role provider (e.g., remove from LDAP group, GitHub Team, or Google Group).
- Optionally, disable or delete the user's account in the external IdP to prevent authentication entirely.
- Fiat will revoke access on its next sync cycle (interval is configurable) or immediately on the user's next request if the session is invalidated.
| Data impact | Behavior |
|---|---|
| Owned records | Pipelines, applications, and other resources created by the user remain in Spinnaker. Ownership is not tied to a deletable user record. |
| Shared content | Shared pipelines and application configurations are unaffected by removing a user's role provider membership. |
| Integrations | Service accounts used in pipelines are separate from human user accounts and are unaffected. |
| License freed | Spinnaker open source has no per-seat licensing. Removing a user frees no license seat. |
Watch out for:
- Fiat caches role memberships; a removed user may retain access until the next sync cycle completes.
- If the user has an active session, they may continue to operate until the session expires or Fiat invalidates it.
- Removing a user from the role provider does not delete any pipelines or resources they created.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Open Source | Full Spinnaker functionality, self-hosted. No per-seat licensing. | Free (infrastructure costs only) |
| Enterprise (Armory or OpsMx) | Commercial support, additional enterprise features (varies by vendor). Licensing terms are vendor-specific. | Custom pricing via Armory (armory.io) or OpsMx (opsmx.com) |
- Where to check usage: Not documented
- How to identify unused seats: No built-in tooling for identifying unused user accounts. Operators can query Fiat's REST API (GET /v1/roles or /v1/users) to enumerate users who have authenticated and their current role assignments.
- Billing notes: Open source Spinnaker has no seat-based billing. Enterprise licensing through Armory or OpsMx is negotiated directly with those vendors and is not documented publicly.
The cost of manual management
Because Spinnaker holds no internal user records, access decisions for every app are delegated to an external identity and role provider at login time.
Onboarding a user means configuring the right IdP group memberships and then ensuring those role names are referenced in every app's permission block - a step that must be repeated per application with no bulk assignment available.
Offboarding requires removing the user from the external role provider, but Fiat caches role state on a sync interval, so access is not revoked instantly. An active session can persist until it expires or an admin manually triggers a role sync.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Spinnaker suits teams that already operate a mature IdP (Okta, Entra ID, LDAP) and are comfortable managing access to every app entirely through group membership in that provider. It is a poor fit for teams expecting a point-and-click user management console or automated provisioning via SCIM. SAML 2.0 SSO is supported;
SCIM is not available in any tier. Teams evaluating enterprise distributions (Armory, OpsMx) should confirm authorization and provisioning capabilities directly with those vendors, as neither documents SCIM support publicly.
Bottom line
Spinnaker offloads every identity and access decision to an external provider - there is no user record to create, no seat to assign, and no deactivation toggle inside the platform itself.
That architecture keeps the open-source distribution free of per-seat cost but places the full operational burden of access governance on whoever manages the upstream IdP and role provider.
Teams without a disciplined group-management practice in their IdP will find role drift and sync lag to be ongoing operational costs.
Automate Spinnaker workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
