
Terraform Cloud User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 16, 2026

Summary and recommendation

Terraform Cloud user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Terraform Cloud manages users through a team-based permission model. Every app interaction a user can perform, from reading workspace state to applying runs, is gated by the team they belong to and the permissions that team holds on a given workspace or project. Users added to an organization but not assigned to a team with workspace access cannot perform any workspace operations.

Organization-level roles cover administrative actions such as managing workspaces, policies, VCS settings, and membership. Workspace-level roles (Read, Plan, Write, Apply, Admin) are granted per team per workspace. Granular multi-team configurations require Plus or Enterprise; on Free and Standard plans, only the owners team is available with full permissions.

Quick facts

  • Admin console path: app.terraform.io → [Organization] → Settings → Teams / Members
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Business / Enterprise
  • SSO prerequisite: No

User types and roles

Organization Owner

  • Permissions: Full administrative control over the organization: manage members, teams, workspaces, projects, billing, SSO, and all settings. Can perform all workspace operations.
  • Cannot do: Cannot be removed as owner without another owner being designated first.
  • Plan required: All plans (Free, Standard, Plus, Enterprise)
  • Seat cost: Counts as a billable user/resource consumer under the RUM model
  • Watch out for: At least one owner must exist at all times; the last owner cannot remove themselves.

Organization Member (via team)

  • Permissions: Permissions are determined entirely by team membership and the permissions granted to those teams on specific workspaces or projects.
  • Cannot do: Has no organization-level permissions by default unless explicitly granted via team settings.
  • Plan required: All plans
  • Seat cost: Counts as a billable user under the RUM model
  • Watch out for: Users added to an organization but not added to any team with workspace access cannot perform any workspace operations.

Team Member (workspace-level roles)

  • Permissions: Workspace permissions include: Read, Plan, Write, Apply, and Admin. Granted per-team per-workspace or per-project.
  • Cannot do: Cannot exceed the permissions granted to their team on a given workspace.
  • Plan required: Multiple teams with custom permissions require Plus or Enterprise; Free/Standard plans include limited team functionality.
  • Seat cost: No separate seat cost per role; all members count under the same billing model
  • Watch out for: On Free and Standard plans, only one team (owners) is available with full permissions; additional teams with granular permissions require Plus or Enterprise.

Permission model

  • Model type: role-based
  • Description: Terraform Cloud uses a team-based permission model. Users are assigned to teams, and teams are granted permissions on workspaces or projects. Organization-level permissions (manage workspaces, manage policies, manage VCS settings, etc.) are set per team. Workspace-level permissions (Read, Plan, Write, Apply, Admin) are set per team per workspace. Project-level permissions can also be assigned to teams.
  • Custom roles: No
  • Custom roles plan: Not documented
  • Granularity: Organization-level (manage workspaces, manage policies, manage VCS settings, manage providers, manage modules, manage run tasks, manage membership) and workspace-level (Read, Plan, Write, Apply, Admin). Project-level team access is also supported.

How to add users

  1. Navigate to app.terraform.io and select the target organization.
  2. Go to Settings → Teams (or Settings → Members for direct invite).
  3. To invite a new user: go to Settings → Members, click 'Invite a user', enter the user's email address.
  4. The invited user receives an email invitation and must accept it to join the organization.
  5. Once the user has joined, navigate to Settings → Teams, select the relevant team, and add the user to that team.
  6. Assign the team appropriate workspace or project permissions under the workspace or project settings.

Required fields: Email address of the user being invited

Watch out for:

  • Users must have or create a Terraform Cloud account to accept an invitation; the invite is tied to the email address.
  • Simply inviting a user to the organization does not grant them any workspace access; they must also be added to a team with workspace permissions.
  • On Free and Standard plans, granular team permissions are not available; all non-owner members have limited access.
  • SSO-enabled organizations may require users to authenticate via SSO before they can access the organization.

Bulk options:

  • CSV import. Availability: No. Notes: Not documented
  • Domain whitelisting. Availability: No. Notes: Automatic domain-based user add
  • IdP provisioning. Availability: Yes. Notes: Plus or Enterprise (SSO required; SCIM provisioning available on Enterprise)

How to remove or deactivate users

  • Can delete users: No
  • Delete/deactivate behavior: Terraform Cloud does not delete user accounts at the organization level. Administrators can remove a user from an organization (revoking all access), which removes them from all teams within that organization. The user's Terraform Cloud account itself is not deleted. Users can also be removed from individual teams without being removed from the organization entirely.
  1. Navigate to app.terraform.io and select the target organization.
  2. Go to Settings → Members.
  3. Locate the user in the member list.
  4. Click the remove/revoke option next to the user's name to remove them from the organization.
  5. Alternatively, to remove from a specific team only: go to Settings → Teams, select the team, and remove the user from that team.

Data impact:

  • Owned records: Runs, workspaces, and state files created by the user remain intact and are not deleted when the user is removed from the organization.
  • Shared content: Workspace configurations, state, and variables created by the removed user remain accessible to remaining team members.
  • Integrations: API tokens generated by the removed user are invalidated when they are removed from the organization.
  • License freed: Removing a user from an organization removes them from resource consumption counting for that organization under the RUM billing model.

Watch out for:

  • If the user being removed is the sole organization owner, removal is blocked; another owner must be designated first.
  • User-generated API tokens (user tokens) are tied to the individual user account, not the organization; removing the user from the org does not automatically revoke their user tokens unless the tokens are explicitly revoked.
  • In SSO-enabled organizations with SCIM, deprovisioning the user in the IdP will remove them from the organization automatically.
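
An access review that checks the add and remove caveats above against a membership listing, as an added example that is not part of the original guide: it flags pending invites, members with no team, and departed users who are still members or are the sole owner. The payload is constructed, and its JSON:API field names (`status`, `email`, `relationships.teams`, included team `name`) are assumptions about an exported organization-memberships listing.

```python
import json

# Constructed sample, not real data. Field names (status, email,
# relationships.teams, included team names) are assumptions about an exported
# JSON:API organization-memberships listing with team resources included.
SAMPLE = json.loads("""
{"data": [
  {"id": "ou-1", "attributes": {"status": "active", "email": "alice@example.com"},
   "relationships": {"teams": {"data": [{"id": "team-own", "type": "teams"}]}}},
  {"id": "ou-2", "attributes": {"status": "active", "email": "bob@example.com"},
   "relationships": {"teams": {"data": [{"id": "team-dev", "type": "teams"}]}}},
  {"id": "ou-3", "attributes": {"status": "active", "email": "carol@example.com"},
   "relationships": {"teams": {"data": []}}},
  {"id": "ou-4", "attributes": {"status": "invited", "email": "dave@example.com"},
   "relationships": {"teams": {"data": []}}}],
 "included": [
  {"id": "team-own", "type": "teams", "attributes": {"name": "owners"}},
  {"id": "team-dev", "type": "teams", "attributes": {"name": "developers"}}]}
""")

def audit_memberships(payload, departed_emails=()):
    """Return the membership findings this guide's caveats call for."""
    team_names = {r["id"]: r["attributes"]["name"]
                  for r in payload.get("included", []) if r["type"] == "teams"}
    departed = {e.lower() for e in departed_emails}
    report = {"pending_invites": [], "no_team": [], "owners": [],
              "still_member": [], "blocked_removal": []}
    for m in payload["data"]:
        email = m["attributes"]["email"].lower()
        teams = [team_names.get(t["id"], t["id"])
                 for t in m["relationships"]["teams"]["data"]]
        if m["attributes"]["status"] == "invited":
            report["pending_invites"].append(email)   # invite never accepted
        elif not teams:
            report["no_team"].append(email)           # joined, never assigned
        if "owners" in teams:
            report["owners"].append(email)
        if email in departed:
            # Offboarding gap; user tokens still need explicit revocation.
            report["still_member"].append(email)
    # A sole owner cannot be removed until another owner is designated.
    if len(report["owners"]) == 1 and report["owners"][0] in departed:
        report["blocked_removal"] = list(report["owners"])
    return report

if __name__ == "__main__":
    departed = ["Alice@example.com", "bob@example.com"]  # e.g. from an HR/IdP export
    print(json.dumps(audit_memberships(SAMPLE, departed), indent=2))
```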

License and seat management

  • Seat type: Managed Resources (RUM)
  • Includes: All infrastructure resources managed by Terraform Cloud workspaces. Billing is per resource per hour.
  • Cost: Free: up to 500 managed resources at $0. Standard: $0.00014/hour/resource ($1/month per 1,000 resources). Plus: contact sales. Enterprise: from $15,000/year (self-hosted).
  • Where to check usage: app.terraform.io → [Organization] → Settings → Usage (shows managed resource count and run usage)
  • How to identify unused seats: Review workspaces with no recent runs via app.terraform.io → [Organization] → Workspaces, sorted by last run date. Workspaces with zero managed resources do not contribute to RUM billing.
  • Billing notes: Billing is resource-based (RUM), not per-seat. The Free tier (up to 500 managed resources) reaches end-of-life on March 31, 2026. After that date, Free tier organizations will need to migrate to a paid plan. User count does not directly drive billing costs; managed resource count does.

The cost of manual management

Terraform Cloud billing is resource-based (RUM: managed resources per hour), not per-seat, so user count does not directly drive costs. However, granular access control (separate teams for developers, reviewers, and operators) is gated behind Plus or Enterprise plans, which start at contact-sales and $15,000/year respectively.

The Free tier (up to 500 managed resources) reaches end-of-life on March 31, 2026; organizations on Free will need to migrate to a paid plan. There is no native CSV import for bulk user invitations, so onboarding large teams requires either manual invite-by-email or API scripting.

Removing a user from the organization does not automatically revoke their personal API tokens; those must be revoked separately.

The decision

Terraform Cloud is a strong fit for infrastructure teams already standardized on Terraform who need a managed run environment with audit trails and workspace-level access control. Every app in the infrastructure stack that provisions resources through Terraform benefits from centralized state management and team-scoped permissions.

The model becomes harder to justify for small teams on tighter budgets: granular team permissions, SSO, and SAML-based provisioning all require Plus or Enterprise. Teams that need automated user lifecycle management without manual API scripting should evaluate whether the Enterprise tier is within reach, since no native SCIM is available at any plan level.

Bottom line

Terraform Cloud's team-based permission model is well-suited to infrastructure organizations that need workspace-level access control and centralized run management. The two-step invite-then-assign flow and the restriction of granular teams to Plus/Enterprise are the most operationally significant limitations for growing teams.

Billing is resource-based rather than per-seat, but the feature tier required for real access governance adds meaningful cost. With the Free tier ending March 31, 2026, any organization still on Free needs a migration plan in place now.


* Details sourced from official product documentation and admin references.
