Add a User to Segment | OpsBlu Docs

Add a User to Segment

Invite the collaborator to your Segment workspace and assign source permissions.

Use this checklist to add the collaborator to Segment. Segment's workspace-based model with fine-grained source and destination permissions requires careful planning to ensure appropriate access levels.

Understanding Segment Roles and Permissions

Segment offers workspace-level roles with optional source/destination-specific permissions:

Workspace Owner

Complete administrative control including:

  • Full access to all sources, destinations, and workspace data
  • Manage billing, subscription, and workspace settings
  • Add, remove, and modify all team members
  • Configure SSO, SCIM, and security policies
  • Delete the workspace entirely
  • Access audit logs and compliance features
  • Manage API tokens and workspace secrets

Typically reserved for client stakeholders or senior leadership.

Workspace Admin

Administrative capabilities without billing access:

  • Create and modify sources and destinations
  • Configure tracking plans and data governance policies
  • Manage team member access (except removing Owners)
  • View and modify all workspace configurations
  • Access audit logs and security settings
  • Manage Functions, Protocols, and Personas
  • Configure data warehouse connections

Use for collaborators managing implementation and configuration.

Workspace Member

Standard access for daily operations:

  • View all sources and destinations
  • Create and modify tracking plans (if permitted)
  • Access debugger and live events
  • Create schemas and manage event specs
  • Configure destinations (if granted access)
  • Limited access to workspace settings

Default role for most collaborator accounts.

Read-Only

View-only access with no modification rights:

  • View workspace configuration and settings
  • See source and destination lists
  • Access documentation and schemas
  • View tracking plans and event specifications
  • Cannot modify any settings or data

Use for reporting, analysis, or oversight roles.

Source and Destination Permissions

In addition to workspace roles, Segment supports granular controls:

  • Assign access to specific sources only
  • Grant destination configuration rights selectively
  • Restrict visibility to production vs. staging environments
  • Control who can enable/disable destinations

Prerequisites

Workspace Identification

  • Identify the Segment workspace (production, staging, development) the collaborator should join.
  • Verify the workspace tier and ensure user limits haven't been reached.
  • Confirm the workspace name and ID to avoid inviting to the wrong environment.

Role and Access Planning

  • Determine the workspace role (Owner, Admin, Member, Read-only) based on engagement scope.
  • List specific sources the collaborator needs access to.
  • Identify destinations they should manage or configure.
  • Define whether access is permanent or time-limited.

SSO and Identity Management

  • If SCIM/SSO is in use, prepare the user in your identity provider first.
  • Verify the user's email domain is authorized for SSO.
  • Confirm SCIM group mappings align with intended Segment roles.
  • Ensure the user is provisioned in the correct IdP groups before sending the Segment invitation.

Administrative Prerequisites

  • Ensure you have Workspace Owner or Admin rights to invite users.
  • Gather the collaborator's service account email (not a personal address).
  • Verify budget approval for additional seats if on a per-user pricing model.
  • Review your contract to confirm the workspace falls within the engagement scope.

Invite the Service Account

Standard Invitation Process

  1. Sign into Segment and navigate to the appropriate workspace.
  2. Open Settings → Team Members from the workspace menu.
  3. Review the current member list to ensure the collaborator doesn't already have access.
  4. Click Invite Member or Add User.
  5. Enter the collaborator's service account email address.
  6. Choose the appropriate Workspace Role:
    • Member for standard implementation and configuration support (most common)
    • Admin for broader workspace management and governance oversight
    • Read-only for reporting and analysis-only access
    • Owner only when absolutely necessary and explicitly approved
  7. Click Next or Continue to proceed to permissions configuration.

Configuring Source and Destination Access

If your workspace has fine-grained permissions enabled:

  1. Under Source Access, select the sources the collaborator should manage:
    • Check specific sources (e.g., website, mobile app, server)
    • Or grant access to all sources if appropriate
  2. Under Destination Access, choose which destinations they can configure:
    • Select specific destinations (e.g., Google Analytics, Amplitude)
    • Or allow access to all destinations if they're managing full data pipeline
  3. Review the summary of permissions before finalizing.
  4. Click Send Invitation to dispatch the invite email.

SSO-Enabled Workspaces

For workspaces with SSO enforcement:

  1. Ensure the user exists in your IdP and belongs to the appropriate groups mapped to Segment.
  2. Verify their email domain matches your SSO configuration.
  3. Send the invitation through Segment (the user will be prompted for SSO login when accepting).
  4. Coordinate with your IT team to confirm the user can authenticate successfully.
  5. Test SSO login immediately after invitation to catch any IdP issues early.

SCIM-Provisioned Workspaces

If using SCIM for automated provisioning:

  1. Add the user to the appropriate group in your identity provider (e.g., Okta, Azure AD).
  2. Wait for the SCIM sync to create the user in Segment automatically.
  3. Verify the user appears in Segment with the correct role based on group mapping.
  4. Manual invitations may conflict with SCIM - coordinate with your IT team on the preferred approach.

Documentation and Logging

After sending the invitation:

  1. Log the request in your IAM tracker with:
    • Collaborator's service account email
    • Workspace name and environment (prod/staging)
    • Assigned workspace role
    • Specific sources and destinations granted
    • Request ticket or approval reference
    • Invitation date and expected acceptance timeline
  2. Update your engagement documentation with the new access grant.
  3. Record any temporary access expiration dates if applicable.
  4. Note any special permissions or exceptions to standard access policies.

After Inviting

Monitor Invitation Status

  • Navigate to Settings → Team Members → Pending Invites to track acceptance status.
  • Follow up if not accepted within 48 hours (check spam folders).
  • Resend invitation if expired (Segment invites typically expire after 7 days).
  • Document actual acceptance date once confirmed.

Communication to Collaborator

Share the following information with the collaborator's team:

  • Segment workspace name and URL
  • Assigned role and permissions summary
  • Sources and destinations they have access to
  • Any VPN, MFA, or SSO requirements for authentication
  • Links to internal Segment documentation or runbooks
  • Primary contact for questions or access issues
  • Expected timeline for initial login and verification

Initial Verification

  • Once accepted, verify the user appears in the active Team Members list.
  • Confirm the correct role is displayed next to their name.
  • Check that source/destination access matches what was intended.
  • Update your access inventory with the acceptance date and confirmation.
  • Schedule a review date if the access is temporary or project-based.

Special Considerations

API Tokens and Service Accounts

  • Segment workspace access is separate from API tokens for programmatic data ingestion.
  • If the collaborator needs to generate API tokens, document token creation separately.
  • Workspace tokens have different scopes than user access - plan accordingly.
  • Consider dedicated service accounts for automation vs. human users.

Multiple Workspaces

  • Segment access is per-workspace - access to Workspace A doesn't grant access to Workspace B.
  • If collaborators need access to multiple workspaces (e.g., prod and staging), send separate invitations for each.
  • Maintain a matrix tracking which users have access to which workspaces.
  • Consider consistent role assignments across workspaces unless specifically different requirements exist.

Tracking Plans and Protocols

  • Members may need explicit permissions to modify tracking plans.
  • Protocol access (source-to-destination controls) requires Admin or specific grants.
  • Personas and audience management may require additional configuration.
  • Ensure tracking plan permissions align with the collaborator's responsibilities.

Troubleshooting

Invite not delivered

  • Verify the email address is spelled correctly and matches the intended account.
  • Ask your email team to allowlist @segment.com and @segment.io in spam filters.
  • Check the collaborator's spam and quarantine folders.
  • Resend the invitation from the Pending Invites section.
  • For persistent issues, contact Segment support for delivery logs.

SSO enforced and user can't log in

  • Ensure the user exists in the correct IdP group before accepting the Segment invitation.
  • Verify their email domain is configured for SSO in Segment settings.
  • Check that SAML or OIDC configuration is correct and active.
  • Test SSO login with a different user to isolate account-specific vs. system-wide issues.
  • Review IdP logs for authentication failures or misconfigurations.

Access denied to specific sources or destinations

  • Revisit Settings → Sources → Access Management to grant the correct permissions.
  • Similarly check Settings → Destinations → Access Management for destination access.
  • Workspace role may not include source-level permissions - elevate role or grant explicit access.
  • SCIM group mappings may override manual grants - coordinate with IT team.
  • Refresh the Segment UI or have the user log out and back in to refresh permissions.

User limit reached

  • Segment plans often have maximum user limits per workspace.
  • Remove inactive users or upgrade the plan to add more seats.
  • Contact Segment support or your account manager for temporary overages.
  • Consider rotating temporary access to stay within limits.

Wrong workspace invited

  • Cancel the pending invitation from the incorrect workspace.
  • Send a new invitation from the correct workspace.
  • Communicate the correction to avoid confusion.
  • Document the error and correction for audit purposes.

Invitation expired before acceptance

  • Resend from the Pending Invites section using the Resend option.
  • Segment invitations typically expire after 7 days of non-acceptance.
  • Follow up directly with the collaborator to ensure timely acceptance.
  • Consider extending review processes if delays are systemic.

SCIM conflicts with manual invitations

  • If SCIM is enabled, prefer adding users via IdP groups rather than manual invites.
  • Manual invitations may be overridden or conflict with SCIM sync.
  • Coordinate with your IT team on the authoritative source for user provisioning.
  • Document exceptions when manual invitations are necessary despite SCIM.

Security Best Practices

  • Use dedicated service account emails rather than personal addresses for all invitations.
  • Apply the principle of least privilege - start with Member or Read-only and elevate only when necessary.
  • Document business justification for Admin or Owner roles in your IAM tracker.
  • Review workspace membership quarterly and remove inactive or expired accounts.
  • Rotate access for temporary engagements rather than leaving accounts active indefinitely.
  • Enable MFA for all workspace members if supported by your Segment plan.
  • Implement SSO for centralized identity management and easier offboarding.
  • Set calendar reminders to review access after project milestones or contract periods.

Compliance and Audit

  • Capture screenshots of the Team Members page showing the pending and accepted invitation.
  • Log all invitations in your IAM tracker with requester, approver, and date.
  • Retain invitation records for compliance audits (GDPR, SOC 2, etc.).
  • Ensure workspace access aligns with data processing agreements and customer contracts.
  • Document any data access or PII visibility implications of the invitation.
  • Include Segment access in regular access certification and recertification processes.

After granting access, provide the collaborator with:

  • Workspace-specific documentation (tracking plans, schemas, naming conventions)
  • Source and destination configuration guides
  • Debugging and troubleshooting runbooks
  • Data governance policies and compliance requirements
  • Escalation contacts for technical and access issues
  • Links to Segment's official documentation for reference
Back to top