Strapi User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 16, 2026

Summary and recommendation

Strapi user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Strapi runs two completely separate user systems under one roof: admin panel users (managed at Settings > Administration Panel > Users) and end-users who access content only through the public API.

Every app that touches Strapi needs to account for both systems, because permissions, roles, and offboarding steps differ entirely between them.

Admin roles ship with three built-in types - Super Admin, Editor, and Author - plus fully configurable custom roles available on every plan tier, including self-hosted Community Edition.

Quick facts

  • Admin console path: Settings > Administration Panel > Users (for admin users); Settings > Administration Panel > Roles (for role management)
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Enterprise
  • SSO prerequisite: Yes

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
| --- | --- | --- | --- | --- | --- |
| Super Admin | Full access to all admin panel features, content types, settings, user management, and plugin configuration. Cannot be restricted. | Cannot have permissions reduced; role cannot be edited or deleted. | All plans (including self-hosted Community Edition) | Included; first admin seat included on Cloud plans. Additional admin seats $15/month on Cloud. | Only one Super Admin role exists and it cannot be modified. The first registered user becomes Super Admin. |
| Editor | Can create, read, update, and publish content across all collection types and single types by default. | Cannot access Settings or manage users/roles by default. | All plans (including self-hosted Community Edition) | Additional admin seats $15/month on Cloud. | Built-in role; permissions can be customized but the role itself cannot be deleted. |
| Author | Can create and manage their own content entries only; cannot publish by default. | Cannot edit or delete other users' content; cannot publish without explicit permission grant. | All plans (including self-hosted Community Edition) | Additional admin seats $15/month on Cloud. | Built-in role; cannot be deleted. Permissions are scoped to content the user created. |
| Custom Role | Fully configurable per-plugin, per-content-type, and per-action (create, read, update, delete, publish) permissions. | Cannot exceed Super Admin privileges. | Available on all plans including self-hosted Community Edition and Strapi Cloud. | Same seat cost as other admin users; $15/month per additional seat on Cloud. | Custom roles can be deleted only if no users are currently assigned to them. |
| End-User (API / Public User) | Accesses content via the public-facing API. Managed separately under Settings > Users & Permissions Plugin. Roles: Authenticated and Public. | Cannot access the Strapi admin panel. | All plans (including self-hosted Community Edition) | Not counted as admin seats; no per-seat cost documented for end-users. | End-users are a completely separate user system from admin panel users. Managed via a different settings section. |

Permission model

  • Model type: role-based
  • Description: Strapi uses two parallel role-based permission systems: one for admin panel users (Administration Panel roles) and one for API/end-users (Users & Permissions plugin roles). Admin roles control access to admin panel sections, content types, and actions. Permissions are configured at the role level and applied to all users assigned that role. Granular permissions can be set per content type and per action (create, read, update, delete, publish, unpublish).
  • Custom roles: Yes
  • Custom roles plan: Available on all plans including Community Edition (self-hosted) and all Strapi Cloud tiers.
  • Granularity: Per content type, per action (create, read, update, delete, publish, unpublish), per plugin section, and per settings section. Field-level permissions are available for hiding or making fields read-only.

How to add users

  1. Log in to the Strapi admin panel as Super Admin or a user with user-management permissions.
  2. Navigate to Settings > Administration Panel > Users.
  3. Click the 'Invite new user' button.
  4. Enter the new user's first name, last name, and email address.
  5. Select one or more roles to assign to the user.
  6. Click 'Invite user'. An invitation email is sent to the provided address.
  7. The invited user must click the link in the email and set their password to activate their account.

Required fields: First name, Last name, Email address, Role (at least one must be selected)

Watch out for:

  • Invitation emails expire; if the user does not accept in time, a new invitation must be sent.
  • The email address must be unique across admin users; duplicate emails are rejected.
  • Users are not active until they accept the invitation and set a password.
  • On Strapi Cloud, each additional admin seat beyond the plan's included seats costs $15/month.
  • Self-hosted instances require a working SMTP/email provider configuration for invitation emails to be delivered.

| Bulk option | Availability | Notes |
| --- | --- | --- |
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.

| Data impact | Behavior |
| --- | --- |
| Owned records | Content entries created by the deleted admin user remain in the database and are not deleted. The 'created by' metadata field retains the reference but the user account no longer exists. |
| Shared content | Shared or co-authored content entries are unaffected and remain accessible to other admin users. |
| Integrations | API tokens and transfer tokens associated with the deleted user's actions are not automatically revoked; token management is separate under Settings > Global Settings > API Tokens. |
| License freed | On Strapi Cloud, deleting an admin user frees the seat and should reduce the per-seat billing at the next billing cycle, per the $15/seat additional pricing model. |

Watch out for:

  • The Super Admin account cannot be deleted through the admin UI.
  • Deleting a user does not automatically revoke API tokens they may have created; those must be managed separately.
  • There is no built-in deactivation/suspend feature; deletion is permanent.
  • Content created by a deleted user remains but loses the active user association.

License and seat management

| Seat type | Includes | Cost |
| --- | --- | --- |
| Admin Panel User (Cloud) | Access to the Strapi admin panel with an assigned role. First seat(s) included depending on Cloud plan tier. | $15/month per additional admin seat on Strapi Cloud (beyond plan-included seats). |
| End-User / API User | Access to content via the public API only; no admin panel access. | Not billed as a seat on documented Cloud plans. |

  • Where to check usage: Strapi Cloud Dashboard > Project > Settings (for seat and billing overview); admin panel Settings > Administration Panel > Users (to view current admin user list).
  • How to identify unused seats: Review the user list at Settings > Administration Panel > Users and check the 'Last active' or last login information if available. Strapi does not document a built-in 'inactive user' report; manual review of the user list is required.
  • Billing notes: Strapi Cloud charges $15/month per additional admin seat beyond the included allocation for the plan tier. Self-hosted Community Edition has no per-seat licensing cost. Enterprise Edition pricing is custom and user-based; contact Strapi sales for details. SSO is available as an add-on or on Enterprise plans.
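
The manual seat and offboarding review described above can be scripted once the admin user list has been copied out of the panel. The following is an added example, not code from Strapi or Stitchflow: it reconciles that list against an active staff roster. The field names, sample rows and 90-day threshold are assumptions, as is counting every listed admin user as one seat.

```python
from datetime import date

SEAT_COST_USD = 15  # per additional admin seat per month on Strapi Cloud (figure from this guide)

# Constructed sample data. Field names are assumptions for this example,
# e.g. rows copied by hand from Settings > Administration Panel > Users.
ADMIN_USERS = [
    {"email": "ana@example.com", "roles": ["Super Admin"], "accepted_invite": True, "last_active": date(2026, 3, 10)},
    {"email": "ben@example.com", "roles": ["Editor"], "accepted_invite": True, "last_active": date(2025, 10, 2)},
    {"email": "cara@example.com", "roles": ["Author"], "accepted_invite": False, "last_active": None},
    {"email": "dev@example.com", "roles": ["Super Admin"], "accepted_invite": True, "last_active": date(2026, 3, 1)},
    {"email": "eli@example.com", "roles": ["Editor"], "accepted_invite": True, "last_active": date(2026, 3, 12)},
]
ACTIVE_STAFF = {"ana@example.com", "ben@example.com", "cara@example.com", "eli@example.com"}


def audit_admin_seats(users, active_staff, included_seats, today, stale_days=90):
    """Flag admin accounts to review and estimate the monthly seat cost they carry."""
    staff = {e.lower() for e in active_staff}
    findings = []
    for u in users:
        email = u["email"].lower()
        if email not in staff:
            # Deleting the account does not revoke API tokens, so pair the two steps.
            reason = "offboarded: delete account, then review API tokens separately"
            if "Super Admin" in u["roles"]:
                reason += "; holds Super Admin, which the admin UI will not delete"
        elif not u["accepted_invite"]:
            reason = "invitation never accepted: resend or remove"
        elif u["last_active"] is None or (today - u["last_active"]).days > stale_days:
            reason = f"inactive for more than {stale_days} days"
        else:
            continue
        findings.append((email, reason))
    # Assumption: every listed admin user occupies one seat.
    billable_now = max(0, len(users) - included_seats)
    billable_after = max(0, len(users) - len(findings) - included_seats)
    return findings, (billable_now - billable_after) * SEAT_COST_USD


if __name__ == "__main__":
    found, savings = audit_admin_seats(ADMIN_USERS, ACTIVE_STAFF, included_seats=1, today=date(2026, 3, 16))
    for email, reason in found:
        print(f"{email}: {reason}")
    print(f"Reclaimable: ${savings}/month")
```
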

The cost of manual management

Strapi Cloud charges $15/month per additional admin seat beyond whatever your plan tier includes. Self-hosted deployments carry no per-seat licensing cost, but require you to maintain SMTP configuration for invitation emails to reach new users.

SSO is gated to the Enterprise Edition or available as a paid add-on, and SCIM provisioning is not natively available on any plan - meaning every user lifecycle event (hire, role change, offboard) requires a manual admin action.

On Cloud, unreviewed seats accumulate at $15/month each, so periodic audits of Settings > Administration Panel > Users are the only built-in cost-control mechanism.

The decision

Strapi's manual user management is workable for small teams with stable headcount and a self-hosted deployment. The role model is genuinely granular - permissions can be scoped per content type, per action, and per field - so every app can be configured with appropriately tight access boundaries without needing an Enterprise contract.

The ceiling appears when headcount grows or turnover increases: no deactivation, no SCIM, and no inactive-user report means offboarding requires deliberate manual steps every time. Teams on Strapi Cloud should audit admin seats regularly, as there is no automated mechanism to flag or reclaim unused seats.

Bottom line

Strapi gives administrators fine-grained, role-based control over every app's content and settings access, and that control is available on every plan including the free self-hosted tier.

The practical limits are offboarding and scale: permanent deletion is the only removal option, invitation delivery depends on SMTP reliability, and there is no native way to automate user provisioning or deprovisioning without moving to Enterprise and building custom middleware.

Teams with predictable, low-churn user bases will find the manual workflow sufficient; teams with frequent role changes or compliance requirements around access trails will hit those limits quickly.

* Details sourced from official product documentation and admin references.