Summary and recommendation
WhiteSource user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
WhiteSource - now rebranded as Mend.io - is a developer security platform covering SCA and SAST scanning.
User management lives at Administration > Users inside the Mend web application (https://saas.mend.io).
The platform uses a four-level role hierarchy: System, Organization, Product, and Project.
A single user can hold different roles at each level simultaneously, which gives fine-grained scoping but requires deliberate assignment planning across every app and project in your portfolio.
Quick facts
| Fact | Detail |
|---|---|
| Admin console path | Administration > Users (accessible from the top-right account menu or left-side navigation panel within the Mend web application) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all organizations, products, projects, and system-level settings including user management, integrations, and billing configuration. | | | | The System Administrator role is scoped to the entire account; granting it gives unrestricted access across all products and projects. |
| Organization Administrator | Full administrative access within a specific organization, including managing users, products, and projects within that organization. | Cannot manage system-level settings or other organizations outside their assigned scope. | | | A user can be an Organization Administrator in one organization and a lower role in another. |
| Product Manager | Can manage products and projects within assigned products, including viewing reports and configuring policies at the product level. | Cannot manage users or organization-level settings. | | | |
| Project Manager | Can manage assigned projects, view project-level reports, and configure project-level policies. | Cannot manage products, organizations, or users. | | | |
| Viewer | Read-only access to assigned products or projects; can view reports and scan results but cannot modify settings or policies. | Cannot edit policies, manage users, or trigger scans. | | | |
Permission model
- Model type: role-based
- Description: Mend (WhiteSource) uses a hierarchical role-based access control model with roles assignable at the system, organization, product, and project levels. A user can hold different roles at different levels of the hierarchy simultaneously.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Roles are assigned at four levels: System, Organization, Product, and Project. Permissions are predefined per role and are not individually configurable.
How to add users
- Log in to the Mend web application at https://saas.mend.io.
- Navigate to the Administration section via the top navigation or account menu.
- Select 'Users' from the administration panel.
- Click 'Invite User' or 'Add User'.
- Enter the user's email address and assign a role at the appropriate level (System, Organization, Product, or Project).
- Submit the invitation; the user receives an email to set up their account.
Required fields: Email address, Role assignment (at least one level: System, Organization, Product, or Project)
Watch out for:
- Users must accept the email invitation before they can log in; pending invitations do not consume a confirmed seat until accepted.
- If SSO is enforced, users must authenticate via the configured IdP and may be provisioned automatically on first login depending on SSO configuration.
- Role assignments are additive across hierarchy levels; a user with no explicit role at a level inherits no access at that level.
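The additive, four-level role model described in the list above, as an added example that is not part of this guide or Mend's own code: the role names are the ones in the roles table, while the containment tree, the User fields and the `can` and `sole_admins` helpers are assumptions made for illustration. It also covers the sole-administrator case raised under offboarding.

```python
from dataclasses import dataclass, field

# Roles that may configure policies or settings at the scope they hold.
MANAGE_ROLES = {"System Administrator", "Organization Administrator",
                "Product Manager", "Project Manager"}
VIEW_ROLES = MANAGE_ROLES | {"Viewer"}

# Constructed containment tree (assumption): project -> product -> organization.
PRODUCT_OF = {"web-api": "payments", "mobile-app": "payments", "etl": "data"}
ORG_OF = {"payments": "acme-eu", "data": "acme-eu"}

@dataclass
class User:
    email: str
    system: str = ""                               # role at the System level
    orgs: dict = field(default_factory=dict)       # organization -> role
    products: dict = field(default_factory=dict)   # product -> role
    projects: dict = field(default_factory=dict)   # project -> role

def can(user, action, level, name):
    """Resolve effective 'view' or 'manage' access at one scope.

    Roles are additive across levels: a role held at an ancestor scope covers
    every scope beneath it. Holding no role at a level grants nothing there,
    so the walk ends at the organization with no default grant."""
    allowed = MANAGE_ROLES if action == "manage" else VIEW_ROLES
    if user.system in allowed:            # System Administrator covers everything
        return True
    if level == "project":
        if user.projects.get(name) in allowed:
            return True
        level, name = "product", PRODUCT_OF[name]
    if level == "product":
        if user.products.get(name) in allowed:
            return True
        level, name = "org", ORG_OF[name]
    return level == "org" and user.orgs.get(name) in allowed

def sole_admins(users):
    """Organizations and products where exactly one user holds a managing
    role at that scope (System Administrators are not counted). Removing
    that user leaves the scope without an administrator until someone
    else is promoted."""
    holders = {}
    for u in users:
        for scope, role in list(u.orgs.items()) + list(u.products.items()):
            if role in MANAGE_ROLES:
                holders.setdefault(scope, []).append(u.email)
    return {s: h[0] for s, h in holders.items() if len(h) == 1}
```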
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | No | Automatic domain-based user addition is not available |
| IdP provisioning | Yes | Enterprise (SSO/SAML configuration is required as a prerequisite for IdP-based provisioning) |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Official documentation describes removing users from the system, but it does not explicitly detail the distinction between deactivation (soft disable) and permanent deletion, or whether a removed user can be restored, in the publicly available docs at the time of research.
- Navigate to Administration > Users in the Mend web application.
- Locate the user in the user list.
- Select the user and choose the option to remove or deactivate them from the account.
| Data impact | Behavior |
|---|---|
| Owned records | Not documented |
| Shared content | Not documented |
| Integrations | Not documented |
| License freed | Not documented |
Watch out for:
- Official documentation does not explicitly state whether scan history, reports, or policy configurations associated with a removed user are retained or deleted.
- If the user was the sole administrator of an organization or product, administrative access to that scope may be lost until another user is promoted.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Developer seat | Full access to SCA and/or SAST scanning capabilities depending on licensed modules; counted per developer in the organization. | $800/developer/year for SAST Advanced or SCA Advanced; ~$1,000/developer/year for Premium tier. Minimum purchase of 20 developer seats ($15,000 minimum). |
- Where to check usage: Administration > Users within the Mend web application shows current user count; license consumption details may also be available under Administration > Account or via the Mend support/account team.
- How to identify unused seats: No officially documented automated unused-seat identification feature in the admin UI; administrators must manually review the user list and last-login activity or contact Mend support for usage reports.
- Billing notes: Licensing is per-developer with a $15,000 minimum purchase (20-developer minimum). Multi-year discounts are available. Pricing is negotiated and not publicly listed; contact Mend sales for current rates. The product was rebranded from WhiteSource to Mend.io in 2022.
The cost of manual management
Mend operates on per-developer licensing with a 20-seat, $15,000 minimum purchase, so seat costs accumulate quickly. No officially documented automated unused-seat detection exists in the admin UI; identifying dormant accounts requires manually reviewing the user list and last-login activity, or engaging Mend support for usage reports.
Pending invitations do not consume a confirmed seat until accepted, but unaccepted invites can obscure your true active headcount if left unmonitored.
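A way to carry out the manual seat review described above over an exported user list, as an added example that is not Mend's own code or tooling: the CSV columns, the 90-day and 14-day thresholds and the `review` function are assumptions; the $800 per-developer rate is the figure given in the license table.

```python
import csv
from datetime import date
from io import StringIO

DORMANT_DAYS = 90        # assumption: no login for 90 days marks a seat dormant
STALE_INVITE_DAYS = 14   # assumption: an invite unaccepted for 14 days is stale
SEAT_COST = 800          # $/developer/year, SCA or SAST Advanced (from the page)

# Constructed sample export. Column names are assumptions; 'last_login' is
# empty for invited users who have not yet accepted.
SAMPLE_EXPORT = """\
email,role,status,last_login,invited_on
alice@example.com,Organization Administrator,active,2024-05-30,2023-01-10
bob@example.com,Project Manager,active,2024-01-15,2023-03-02
carol@example.com,Viewer,pending,,2024-05-25
dave@example.com,Product Manager,pending,,2024-04-01
erin@example.com,Viewer,active,2023-11-20,2023-09-05
"""

def review(export_text, today_iso):
    """Split a user export into confirmed seats, dormant seats and stale
    invitations, and cost the dormant seats at the per-developer rate."""
    today = date.fromisoformat(today_iso)
    age = lambda iso: (today - date.fromisoformat(iso)).days
    rows = list(csv.DictReader(StringIO(export_text)))
    # Only accepted accounts count as confirmed seats.
    confirmed = [r for r in rows if r["status"] == "active"]
    dormant = [r["email"] for r in confirmed
               if not r["last_login"] or age(r["last_login"]) > DORMANT_DAYS]
    # Pending invites consume no seat, but old ones distort the true headcount.
    stale = [r["email"] for r in rows
             if r["status"] == "pending" and age(r["invited_on"]) > STALE_INVITE_DAYS]
    return {
        "confirmed_seats": len(confirmed),
        "dormant": sorted(dormant),
        "stale_invites": sorted(stale),
        "dormant_cost_per_year": len(dormant) * SEAT_COST,
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE_EXPORT, "2024-06-01").items():
        print(f"{key}: {value}")
```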
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual administration is workable for teams with stable headcount and a single organization scope, but ensuring every app reflects accurate access state becomes error-prone at scale. There is no documented bulk CSV import for users, and role assignments across multiple Mend organizations must be managed one user at a time.
Teams managing frequent onboarding or offboarding cycles will hit the limits of the admin UI quickly. SSO with JIT provisioning is the practical middle path before committing to full API automation.
Bottom line
Mend (WhiteSource) gives administrators granular role control across a four-level hierarchy, but the manual workflow has meaningful gaps: no bulk import, no automated unused-seat detection, and an SSO setup that requires vendor support involvement.
For teams with predictable, low-churn developer rosters, the admin UI is sufficient. For everyone else, the absence of native SCIM means the REST API or IdP-native JIT provisioning becomes the only scalable path to keeping every app's access state accurate.
Automate WhiteSource workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.