Summary and recommendation
Wiz user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide covers the exact mechanics and shows where automation has the biggest impact.
Wiz user management lives at Settings > User Management (https://app.wiz.io/settings/user-management).
Access is controlled through a hybrid permission model: four built-in roles (Global Admin, Global Reader, Project Member, Project Admin) plus custom roles available on the Enterprise tier.
A security platform demands tight role scoping - in Wiz, that means deciding upfront whether a user needs tenant-wide visibility or project-scoped access only.
Quick facts
| Item | Detail |
|---|---|
| Admin console path | Settings > User Management |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Global Admin | Full access to all Wiz features, settings, integrations, and user management across the entire tenant. | | | | Global Admin role should be assigned sparingly; changes to tenant-wide settings take effect immediately. |
| Global Reader | Read-only access to all resources and findings across the entire tenant; cannot modify settings or configurations. | Cannot create, edit, or delete any resources, rules, or settings. | | | |
| Project Member | Access scoped to assigned projects; can view findings, issues, and resources within those projects. | Cannot access resources or findings outside assigned projects; cannot manage tenant-wide settings. | | | Project scope is defined at invitation or role assignment; users only see data for projects they are explicitly added to. |
| Project Admin | Administrative access within assigned projects, including managing project members and project-level settings. | Cannot manage tenant-level settings or users outside their assigned projects. | | | |
| Custom Role | Configurable combination of permissions scoped to specific resources, actions, and projects as defined by an admin. | Permissions are limited to what is explicitly granted; no implicit elevation. | Enterprise | | Custom roles require Enterprise tier; not available on lower tiers. |
Permission model
- Model type: hybrid
- Description: Wiz uses a combination of built-in roles (Global Admin, Global Reader, Project Member, Project Admin) and custom roles. Permissions can be scoped at the tenant level or restricted to specific projects. Custom roles allow granular permission sets to be defined and assigned.
- Custom roles: Yes
- Custom roles plan: Enterprise
- Granularity: Permissions can be scoped by action type (read, write, manage) and by project or tenant scope. Resource-level and action-level granularity is available within custom roles.
How to add users
- Navigate to Settings > User Management in the Wiz portal.
- Click 'Invite User'.
- Enter the user's email address.
- Select the role to assign (built-in or custom).
- Optionally assign the user to one or more projects.
- Click 'Send Invitation'. The user receives an email invitation to activate their account.
Required fields: Email address, Role
Watch out for:
- Users must accept the email invitation before they can log in.
- If SSO is enforced, users must authenticate via the configured identity provider; password-based login may be disabled.
- Project assignment is optional at invite time but required for project-scoped roles to be meaningful.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Wiz documentation describes the ability to remove users from the tenant via the User Management settings page. Removed users lose access immediately. The official docs use 'remove' terminology; whether this is a soft deactivation or hard delete is not explicitly distinguished in publicly available documentation.
- Navigate to Settings > User Management.
- Locate the user in the user list.
- Select the user and choose the option to remove or revoke access.
- Confirm the action.
| Data impact | Behavior |
|---|---|
| Owned records | Not documented |
| Shared content | Not documented |
| Integrations | Not documented |
| License freed | Not documented |
Watch out for:
- If SCIM provisioning is active, user deprovisioning should be managed from the identity provider to avoid sync conflicts.
- Removing a user via the portal while SCIM is enabled may result in the user being re-provisioned on the next SCIM sync if not also deprovisioned in the IdP.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User | Access to the Wiz portal with assigned role and project scope. | |
- Where to check usage: Settings > User Management (shows list of all active users and their roles)
- How to identify unused seats: Review the user list in Settings > User Management; last login timestamps may be visible to identify inactive users, though this depends on tenant configuration.
- Billing notes: Wiz pricing is custom/enterprise and not publicly listed. Seat counts and billing terms are negotiated directly with Wiz. Contact Wiz sales or your account manager for seat-level billing details.
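The review points raised so far (project-scoped roles with no project, sparing use of Global Admin, portal removals that SCIM may undo, and inactive seats) can be checked together in one pass. The following is an added example, not Wiz or Stitchflow code: the record layout, the sample users, the thresholds and the finding names are all assumptions, and the data is constructed.

```python
from datetime import date

PROJECT_SCOPED = {"Project Member", "Project Admin"}

# Constructed sample data. The record layout is an assumption for this example,
# not a Wiz export format: fill it from whatever user listing you can obtain.
WIZ_USERS = [
    {"email": "ana@example.com", "role": "Global Admin", "projects": [], "last_login": "2024-05-28"},
    {"email": "bo@example.com", "role": "Project Member", "projects": [], "last_login": "2024-05-30"},
    {"email": "cy@example.com", "role": "Project Admin", "projects": ["payments"], "last_login": "2024-01-10"},
    {"email": "di@example.com", "role": "Global Reader", "projects": [], "last_login": None},
    {"email": "ed@example.com", "role": "Global Admin", "projects": [], "last_login": "2024-05-31"},
]
IDP_ASSIGNED = {"ana@example.com", "bo@example.com", "cy@example.com", "fay@example.com"}
PORTAL_REMOVED = {"fay@example.com"}  # removed in the Wiz portal only


def review_access(wiz_users, idp_assigned, portal_removed, today,
                  max_idle_days=90, max_global_admins=1):
    """Return sorted (finding, email) pairs for the checks this guide calls out."""
    findings, admins = [], []
    for u in wiz_users:
        email = u["email"].lower()
        # A project-scoped role with no project gives the user nothing to see.
        if u["role"] in PROJECT_SCOPED and not u["projects"]:
            findings.append(("project-role-without-project", email))
        if u["role"] == "Global Admin":
            admins.append(email)
        # A missing timestamp is treated as "never logged in or not visible".
        last = u["last_login"]
        if last is None or (today - date.fromisoformat(last)).days > max_idle_days:
            findings.append(("inactive-seat", email))
        # Not assigned in the IdP, so IdP-side deprovisioning will not cover it.
        if email not in idp_assigned:
            findings.append(("not-managed-by-idp", email))
    if len(admins) > max_global_admins:
        findings.extend(("excess-global-admin", e) for e in admins)
    # Still assigned in the IdP, so the next SCIM sync may recreate the account.
    findings.extend(("will-reprovision", e) for e in portal_removed & idp_assigned)
    return sorted(findings)


if __name__ == "__main__":
    for finding, email in review_access(WIZ_USERS, IDP_ASSIGNED, PORTAL_REMOVED, date(2024, 6, 1)):
        print(f"{finding:32} {email}")
```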
The cost of manual management
Wiz pricing is custom/enterprise and not publicly listed; seat counts and billing terms are negotiated directly with Wiz. Custom roles require the Enterprise tier and are unavailable on lower plans.
There is no CSV bulk-import path for users - large initial onboarding must go through SCIM/IdP integration or individual portal invitations, which adds meaningful overhead at scale.
The decision
Use SCIM provisioning if your organization is on Enterprise tier and has SSO configured - it is the only path to automated lifecycle management. For smaller teams or non-Enterprise tenants, manual provisioning via Settings > User Management is the only option; budget time for one-by-one invitations.
Assign Global Admin sparingly: changes to tenant-wide settings take effect immediately and there is no staging or approval layer. Custom roles are worth configuring for teams that need action-level or resource-level granularity, but they require Enterprise tier and deliberate permission design.
Bottom line
Wiz's permission model is capable but demands intentional setup - project scopes, role assignments, and SCIM configuration all need to be right before access is meaningful.
Every app that feeds into your cloud security posture is only as well-governed as the user access controlling it, and Wiz is no exception.
Teams without Enterprise tier face a manual-only provisioning workflow with no bulk tooling, making IdP-driven SCIM the clear operational target for organizations that can reach it.