Stitchflow

Vanta User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 16, 2026

Summary and recommendation

Vanta user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Vanta user management lives at Settings > People (https://app.vanta.com/settings/people).

Admins invite users by email, assign one of three fixed roles - Admin, Member, or Auditor - and remove access from the same screen.

There is no granular permission toggling on standard plans; permissions are bundled per role.

Quick facts

  • Admin console path: Settings > People (within the Vanta web app)
  • Admin console URL: Official docs
  • SCIM available: Yes
  • SCIM tier required: Enterprise
  • SSO prerequisite: Yes

User types and roles

Admin

  • Permissions: Full access to all Vanta features including integrations, tests, policies, vendor risk, and user management. Can invite and remove users, assign roles, and configure organization settings.
  • Watch out for: At least one Admin must remain in the account at all times; you cannot remove the last Admin.

Member

  • Permissions: Can view assigned tasks, complete evidence requests, and interact with controls assigned to them. Limited access to organization-wide settings.
  • Cannot do: Cannot manage integrations, invite or remove other users, or access billing settings.
  • Watch out for: Members only see the portions of Vanta relevant to their assigned tasks; they do not have visibility into the full compliance dashboard by default.

Auditor

  • Permissions: Read-only access to compliance evidence, controls, and test results for the purpose of conducting an audit. Cannot modify any data.
  • Cannot do: Cannot edit controls, upload evidence, manage users, or change settings.
  • Watch out for: Auditor access is typically granted temporarily for the duration of an audit engagement.

Permission model

  • Model type: role-based
  • Description: Vanta uses a predefined role-based access model. Users are assigned one of several fixed roles (Admin, Member, Auditor) that determine their access scope across the platform. According to available documentation, fully custom role creation is not supported for standard plans.
  • Custom roles: No
  • Custom roles plan: Not documented
  • Granularity: Role-level; permissions are bundled per role and cannot be individually toggled per user on standard plans.

How to add users

  1. Log in to Vanta and navigate to Settings > People.
  2. Click 'Invite People' or 'Add User'.
  3. Enter the user's email address.
  4. Select the appropriate role (Admin, Member, or Auditor).
  5. Click 'Send Invite'. The user receives an email invitation to join the Vanta organization.

Required fields: Email address, Role

Watch out for:

  • Invited users must accept the email invitation before they appear as active in the People list.
  • Users added manually via invitation are separate from employees synced via integrations (e.g., Google Workspace, Okta, BambooHR); manually invited users are Vanta platform users, while synced employees are tracked for compliance coverage.
  • If SSO is enforced, users may be required to authenticate via the configured IdP on first login.

Bulk options:

  • CSV import: Availability: No. Notes: Not documented.
  • Domain whitelisting: Availability: No. Notes: Automatic domain-based user add.
  • IdP provisioning: Availability: Yes. Notes: Enterprise.

How to remove or deactivate users

  • Can delete users: Unknown
  • Delete/deactivate behavior: Vanta's official documentation describes removing users from the organization (revoking their access), but does not explicitly distinguish between a 'deactivate' state and a permanent 'delete' with data purge. The available help documentation uses the term 'remove'. Whether removed users' records are fully purged or retained in an inactive state is not explicitly documented in publicly available help articles.
  1. Navigate to Settings > People.
  2. Locate the user in the list.
  3. Click the options menu (three dots or similar) next to the user's name.
  4. Select 'Remove' or 'Remove from organization'.
  5. Confirm the action when prompted.

Data impact of removal:

  • Owned records: Not explicitly documented in official sources. Controls, evidence, and tasks previously assigned to the removed user may remain in place but become unassigned or require reassignment.
  • Shared content: Not explicitly documented.
  • Integrations: If the user was connected to any integrations or was the owner of an integration connection, those connections may need to be re-authenticated by another Admin.
  • License freed: Not explicitly documented in terms of per-seat billing impact; Vanta is sold as an annual platform subscription rather than a per-seat model for most plans.

Watch out for:

  • You cannot remove the last Admin from an organization.
  • If SCIM provisioning is active, user removal should be managed via the IdP to ensure the SCIM deprovision flow triggers correctly; manually removing a SCIM-provisioned user in Vanta may cause sync inconsistencies.
  • Employees tracked for compliance purposes (synced via HR/IdP integrations) are distinct from Vanta platform users; removing a platform user does not automatically remove them from compliance monitoring if they still appear in a connected integration.
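
An added example, not code from Vanta or Stitchflow: the removal caveats above turned into an ordered offboarding checklist per user. The PlatformUser record shape, its field names and the sample data are assumptions (rows transcribed by hand from the People list and compared with an IdP export); no Vanta API is called.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REAUTH = "re-authenticate owned integrations under another Admin"
PROMOTE = "assign another Admin first: the last Admin cannot be removed"
VIA_IDP = "deprovision in the IdP so the SCIM flow removes the account"
VIA_UI = "remove in Settings > People"
SCOPE = "confirm the person no longer appears in connected HR/IdP integrations"

@dataclass
class PlatformUser:  # hypothetical record, transcribed by hand from the People list
    email: str
    role: str                            # "Admin", "Member" or "Auditor"
    status: str = "active"               # "pending" = invitation not yet accepted
    scim_managed: bool = False
    owns_integration: bool = False
    access_until: Optional[date] = None  # agreed end of an audit engagement

def offboarding_plan(users, idp_active, today):
    """Map each platform user who should lose access to an ordered action list."""
    staying_admins = {u.email for u in users
                      if u.role == "Admin" and u.status == "active"
                      and u.email in idp_active}
    plan = {}
    for u in users:
        if u.role == "Auditor":          # external, so judged by engagement end date
            leaving = u.access_until is not None and u.access_until < today
        else:                            # employees are judged against the IdP
            leaving = u.email not in idp_active
        if not leaving:
            continue
        actions = [REAUTH] if u.owns_integration else []
        if u.role == "Admin" and not staying_admins:
            actions.append(PROMOTE)
        actions.append(VIA_IDP if u.scim_managed else VIA_UI)
        if u.role != "Auditor":
            actions.append(SCOPE)        # platform user and tracked employee are separate
        plan[u.email] = actions
    return plan

# Constructed sample data (not real accounts).
PEOPLE = [PlatformUser("alice@example.com", "Admin", owns_integration=True),
          PlatformUser("bob@example.com", "Member", scim_managed=True),
          PlatformUser("carol@example.com", "Member", status="pending"),
          PlatformUser("dave@example.com", "Admin"),
          PlatformUser("auditor@auditfirm.example", "Auditor",
                       access_until=date(2026, 1, 31))]
IDP_ACTIVE = {"carol@example.com", "dave@example.com"}

if __name__ == "__main__":
    for email, todo in offboarding_plan(PEOPLE, IDP_ACTIVE, date(2026, 3, 16)).items():
        print(email, "->", "; ".join(todo))
```
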

License and seat management

Seat type: Platform subscription

  • Includes: Access for all invited Vanta users under the organization's account. Pricing is based on company size (employee count) and number of compliance frameworks, not strictly per named seat for standard users.
  • Cost: Varies by plan tier and employee count. Core plan approximately $7,500–$11,500/year for 1 framework; pricing scales at 20, 50, 100+ employee thresholds.
  • Where to check usage: Settings > People (shows list of all active users and pending invitations)
  • How to identify unused seats: Review the People list in Settings for users with no recent activity or pending invitations that have not been accepted. Vanta does not appear to surface a native 'last login' or activity report in standard help documentation.
  • Billing notes: Vanta pricing is primarily based on the number of employees in the organization (for compliance monitoring scope) and the number of frameworks, not on the number of named Vanta platform users. Annual contracts are standard. Add-ons such as Trust Center and Vendor Risk Management are priced separately.

The cost of manual management

Vanta's pricing is scoped to employee count and compliance frameworks, not named platform seats. That means the billing exposure from unmanaged users is indirect: stale platform accounts with Admin roles expand your blast radius, and employees still appearing in connected integrations after offboarding continue to count toward compliance monitoring scope.

Vanta does not surface a native last-login report in standard help documentation, so identifying dormant accounts requires a manual review of the People list for unaccepted invitations or inactive entries.

Removing a user who owns an integration connection can silently break that integration, requiring an Admin to re-authenticate - a risk that compounds when offboarding is handled inconsistently across every app.


The decision

Manual user management in Vanta is workable for small teams with infrequent changes. The process is straightforward: invite by email, assign a role, remove via the three-dot menu. The operational risk rises with team size.

Offboarding requires coordinating platform user removal, IdP deprovisioning, and compliance monitoring scope - three separate actions that Vanta does not consolidate automatically on non-SCIM plans. If your organization manages every app through a central IdP and is on the Enterprise tier, SCIM provisioning eliminates most of this coordination overhead.

Below Enterprise, manual processes remain the only option.

Bottom line

Vanta's manual user management is functional but requires deliberate process design to stay clean. The platform/employee distinction creates a persistent source of confusion, role options are limited to three fixed presets, and there is no built-in activity reporting to surface stale access.

Teams that treat Vanta user hygiene as a periodic audit task rather than a continuous workflow will find gaps accumulating - particularly around offboarding, where a single missed step can leave a terminated employee visible in compliance monitoring scope or an orphaned integration breaking silently.


* Details sourced from official product documentation and admin references.
