Summary and recommendation
ThreatQ user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
ThreatQ is an enterprise threat intelligence platform deployed on-premises or in a private cloud.
It uses role-based access control (RBAC) to govern what analysts, administrators, and read-only users can access.
User management lives under Settings > User Management and is restricted to the Maintenance Account and users with the Administrative Access role
every app in your stack that touches ThreatQ access must be managed through this path.
Quick facts
| Admin console path | Settings / Administration > Users and Roles (exact labels vary by tenant) |
| SCIM available | No |
| SCIM tier required | N/A |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Can manage tenant settings, integrations, and user access. | Cannot grant capabilities outside the licensed ThreatQ deployment. | Detailed built-in role names are not fully documented publicly. | ||
| Analyst / User | Can work with threat intelligence objects and workflows exposed to their role. | May not be able to manage tenant settings or other users. | Actual privileges can vary by tenant configuration. |
Permission model
- Model type: role-based
- Description: ThreatQ is documented as using role-based access control (RBAC) in general product descriptions, but specific role names, permission boundaries, and plan requirements are not publicly documented in accessible official docs.
- Custom roles: Unknown
- Custom roles plan: Not documented
- Granularity: Expect role-based separation between tenant administration and analyst workflows, with exact scopes configured inside the platform.
How to add users
- Log in to ThreatQ as an administrator.
- Open settings or administration and navigate to users.
- Choose the add or invite user action.
- Enter the user's work email or username and assign the appropriate role.
- Save the user and complete any password or SSO onboarding required by the tenant.
Required fields: Email address or username, Role
Watch out for:
- Public documentation for manual user administration is limited, so exact labels may vary by tenant.
- If SSO is enabled, upstream IdP assignment may still be required.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Unknown | Not documented |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Official documentation does not publicly describe delete or deactivate behavior for user accounts.
- Open the ThreatQ users area as an administrator.
- Locate the user to offboard.
- Disable, revoke, or remove the account using the controls available in that tenant.
- Review any API tokens or integrations associated with the departing user.
| Data impact | Behavior |
|---|---|
| Owned records | Threat intelligence objects and workflow data remain tenant assets; public docs do not describe user-owned object semantics in detail. |
| Shared content | Shared dashboards and intelligence content remain available to the tenant unless separately changed. |
| Integrations | Review API tokens and integration ownership separately during admin offboarding. |
| License freed | Seat reuse behavior is contract-dependent and not publicly documented in detail. |
Watch out for:
- Offboarding should include API token rotation or revocation, not just interactive access removal.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Subscription | Custom enterprise subscription; seat types and costs not publicly disclosed. | Custom (subscription-based) |
- Where to check usage: Settings / Administration > Users and Roles
- How to identify unused seats: Review the tenant user list and any visible activity metadata. No public unused-seat report was verified.
- Billing notes: ThreatQ is sold as a custom enterprise subscription. Pricing, seat counts, and license management details are not publicly available and require direct vendor engagement.
The cost of manual management
ThreatQ is sold as a custom enterprise subscription; seat counts, pricing tiers, and license management details are not publicly disclosed and require direct vendor engagement. There is no self-serve license dashboard documented in public materials.
Identifying unused seats or reclaiming licenses means manually auditing the user roster inside the admin console, with no documented automated usage report.
The decision
Manual administration is the only supported path for user lifecycle management in ThreatQ today - there is no native SCIM provisioning and no publicly documented IdP-based automated provisioning. SAML SSO with Microsoft Entra ID is supported and enables just-in-time (JIT) user creation on first login, which reduces some onboarding friction.
For teams managing every app in a mixed security stack, JIT provisioning via SAML is the most practical option to reduce manual overhead without a full API build.
One important operational note: deleting a user is irreversible, and any dashboards, investigations, or data collections owned by that user must be reassigned before deletion or they will be permanently removed with the account.
Bottom line
ThreatQ requires hands-on administration for user lifecycle management. Access control is role-based, user creation and deletion are performed through the Settings console by admins only, and there is no native SCIM support.
SAML SSO with JIT provisioning is the most efficient path for reducing manual onboarding work, but offboarding still requires deliberate manual action - including ownership reassignment before account deletion - making it a process that demands documented runbooks rather than ad hoc execution.
Automate ThreatQ workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
