Summary and recommendation
Workiva user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Workiva provides a role-based permission model with two layers: account-level roles (Administrator, User, Viewer/Guest) and workspace- or document-level permissions assigned independently.
Administrators manage users from Account Menu → Administration → Users at app.workiva.com.
Because the two layers are decoupled, granting an account role does not automatically grant access to any workspace content.
Quick facts
| Admin console path | Account Menu → Administration → Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full account administration: manage users, roles, integrations, SSO/SCIM settings, and workspace configuration. | Administrator role grants broad account-level access; should be assigned only to trusted personnel. | |||
| User | Access to workspaces, documents, and features as granted by workspace-level permissions and role assignments. | Cannot access Administration panel or manage other users. | Workspace-level permissions are separate from account-level roles; a user may have different access in different workspaces. | ||
| Viewer / Guest | Read-only or limited access to specific documents or workspaces as explicitly shared. | Cannot edit documents or manage workspace settings. | Exact guest/viewer seat availability and licensing terms depend on contract; verify with Workiva account team. |
Permission model
- Model type: role-based
- Description: Workiva uses a role-based permission model with built-in account-level roles (e.g., Administrator, User) combined with workspace-level and document-level permission assignments. Permissions can be set at the workspace, folder, and document level, allowing granular control over who can view, edit, or manage specific content.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Account-level roles control administrative access; workspace and document-level permissions control content access. Permissions can be assigned to individual users or groups.
How to add users
- Log in to Workiva and navigate to the Administration panel via the account menu.
- Select 'Users' from the Administration menu.
- Click 'Add User' or 'Invite User'.
- Enter the user's email address and assign an account-level role (e.g., User or Administrator).
- Optionally assign the user to one or more workspaces.
- Send the invitation; the user receives an email to set up their account.
Required fields: Email address, Account role
Watch out for:
- Users must accept the email invitation before they can log in.
- Workspace access must be granted separately after the account is created.
- Email domain restrictions may apply depending on SSO/SCIM configuration.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Workiva's official documentation describes deactivating users, which removes their ability to log in and frees the seat. Whether a full permanent deletion of a user record is available is not explicitly confirmed in publicly available official documentation.
- Navigate to Administration → Users in the Workiva admin console.
- Locate the user to be deactivated using search or the user list.
- Select the user and choose the option to deactivate or disable the account.
- Confirm the deactivation action.
| Data impact | Behavior |
|---|---|
| Owned records | Documents and files owned by the deactivated user remain in the workspace and are accessible to other users with appropriate permissions. |
| Shared content | Shared documents and workspaces the user had access to remain intact; the deactivated user loses access. |
| Integrations | Not documented |
| License freed | Deactivating a user frees the associated license seat for reassignment. |
Watch out for:
- Deactivated users' content is not automatically reassigned; administrators should manually transfer ownership of critical documents before deactivation.
- If SCIM provisioning is active, deprovisioning in the IdP will automatically deactivate the user in Workiva.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Full User | Full access to Workiva platform features as permitted by role and workspace assignments. | |
| Viewer/Guest | Limited read-only or restricted access; exact seat type availability depends on contract. |
- Where to check usage: Administration → Users (shows active user count and status)
- How to identify unused seats: Review the Users list in Administration for users who have not logged in recently; last login date may be visible in user details.
- Billing notes: Workiva is sold on an enterprise contract basis with custom pricing (reported range ~$36K–$156K/year). Seat counts and types are negotiated at contract time. Contact the Workiva account team for seat additions or reductions.
The cost of manual management
Workiva is sold on enterprise contracts with custom pricing; no self-serve or lower-tier plans are publicly listed. Seat counts and types are negotiated at contract time, so every app addition or removal that affects headcount should be coordinated with the Workiva account team.
There is no native bulk CSV import for users, meaning large-scale onboarding without SCIM requires inviting users one at a time through the admin console.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Choose manual administration if your Workiva user base is small, stable, and changes infrequently enough that one-at-a-time invitations are acceptable. If your organization manages frequent joiners, movers, or leavers across multiple workspaces, the lack of bulk import makes manual administration operationally expensive at scale.
SCIM provisioning via an IdP is the practical path for any team where every app in the HR or IT stack needs to stay in sync with Workiva access automatically.
Bottom line
Workiva's admin console gives full control over user lifecycle, but the split between account-level roles and workspace-level permissions requires deliberate setup to avoid unintended access. Deactivation is the documented and reversible offboarding action;
whether full permanent deletion of a user record is available is not confirmed in public documentation, so treat deactivation as the safe default.
For teams beyond a handful of users, the absence of bulk import and the complexity of the two-layer model make IdP-backed SCIM provisioning the more sustainable operating model.
Automate Workiva workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
