Stitchflow

ADP User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Feb 25, 2026

Summary and recommendation

ADP user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

ADP Workforce Now is a mid-market to enterprise HCM platform that serves as the HR source of record for employee data - payroll, benefits, time, and talent.

User access is governed by a hybrid permission model: predefined security roles (Security Master, Security Administrator, Practitioner, Manager, Employee) combined with security groups and product profiles that control module-level and feature-level access.

Because ADP functions as an HR source system rather than a SCIM target, inbound automated provisioning from an IdP requires a third-party bridge such as Aquera. Manual administration is handled through the Portal Administrator role in Workforce Now at workforcenow.adp.com.

Quick facts

  • Admin console path: Role Selector → Portal Administrator; Security Access → Security Management User Administration; Setup → Security → Access Permissions
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Enterprise
  • SSO prerequisite: No

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Security Master | Full security administration: can add/remove all user types, view identity information, manage suspension/reactivation, issue personal registration codes, and view all user data across the organization. | Cannot be added by lower-tier roles; only one or a small number should exist per organization. | All plans (Workforce Now) | | If no security master exists, the organization must contact their ADP representative to assign one. |
| Security Administrator | Can add security administrators, user masters, user administrators, product users, and self-service users. Can suspend/reactivate users and update user information. | Cannot update their own user status; cannot perform all identity-level tasks reserved for security master. | All plans (Workforce Now) | | User administrator role can only update user status, not full user information. |
| Practitioner (Standard Practitioner) | Access to HR/payroll administrative tasks within Workforce Now modules. Can be granted People Access (view/edit) and Payroll Processing Access. Permissions are controlled via assigned security profiles. | Cannot perform ADP Security Management Service tasks (e.g., reset passwords, reissue digital certificates) unless also assigned a security admin role. | Workforce Now (standard); ADP Administrative Service offering requires contacting ADP account rep to add as 3rd Party Practitioner. | | Sensitive fields (SSN, birth date, bank info) are masked by default for practitioner profiles; masking must be explicitly disabled per field if data access is required. ADP Workforce Now Cloud variant has different setup requirements. |
| Manager | Access to Supervisor Services and supervisory functions for direct reports. Can view and manage information for employees who report to them. | Cannot change security settings or manage other users' access. No security privileges. | All plans (Workforce Now) | | Manager/supervisor access is enabled by checking the 'Is Supervisor' box in the employee record, not via a separate user creation flow. |
| Employee (Self-Service User) | Can view and update own personal information (pay statements, W-2s, benefits enrollment, direct deposit, contact info). | Cannot view or manage other users' data. Cannot perform any administrative or security tasks. | All plans (Workforce Now) | | Employees must self-register using a registration code issued by the company administrator. After three failed login attempts, the account is locked and requires admin intervention. |
| Product User | Can access specific ADP modules as defined by assigned product profile. | Cannot perform administrative security tasks such as resetting passwords or reissuing digital certificates. | All plans (Workforce Now) | | Each user must be assigned at least one product profile. Default profiles are created by the ADP representative at implementation. |
| Portal Administrator | Can customize the Workforce Now portal (themes, content, security groups, workflows, company policies). Accesses Security Access menu including Security Management User Administration. | Portal Administrator is a role selector mode, not a standalone user type; the same user switches into this role via the Role Selector. | All plans (Workforce Now) | | Must have Portal Administrator role selected in the Role Selector to access administrator resources and security menus. |

Permission model

  • Model type: hybrid
  • Description: ADP Workforce Now uses a hybrid model combining predefined security roles (security master, security administrator, user master, user administrator, product user, self-service user) with security groups and custom security profiles. Security groups control what content and module features users can see. Product profiles (consisting of a service, a role, and associated company codes) control access to specific ADP modules. Administrators can create custom security groups with defined membership rules. All group members share the same permissions; to modify permissions for a single employee, a new group must be created for that individual.
  • Custom roles: Yes
  • Custom roles plan: Available on Workforce Now (all tiers); custom security groups and profiles are configured by the Portal Administrator or Security Administrator.
  • Granularity: Module-level and feature-level within modules (Menus & Features, People Access, Payroll Processing Access, Sensitive Personal Information masking per field). Cannot assign a user to both a default group and a custom group for the same role.

How to add users

  1. Switch Role Selector to Portal Administrator in Workforce Now.
  2. Navigate to Security Access → Security Management User Administration (Netsecure).
  3. Click People → Manage Users → '+' to add a new user.
  4. Fill in the Add a New User form: first name, last name, email address, user type, and user role.
  5. Assign at least one product profile by selecting from Available Service Profiles and moving to Selected Service Profiles.
  6. Proceed through confirmation steps; a username is auto-generated by ADP.
  7. Navigate to Setup → Security → Access Permissions → Manage People to find the new user.
  8. Click Manage Profile Memberships and assign the appropriate security profile (e.g., Standard Practitioner).
  9. Set People Access (View Only or View & Edit) and Payroll Processing Access as required.
  10. Configure Sensitive Personal Information masking settings if needed.
  11. User receives a welcome email with credentials and must self-register or be issued a personal registration code.

Required fields: First name, Last name, Email address (must be unique within the organization), User type, User role, At least one product profile

Watch out for:

  • Username is auto-generated by ADP and cannot be chosen by the administrator.
  • Email address must be unique within the organization; non-unique emails prevent registration code issuance.
  • Personal registration codes issued by administrators are valid for only 15 days.
  • ADP Workforce Now Cloud uses a different setup process; standard practitioner instructions do not apply.
  • ADP Administrative Service and ADP TotalSource (PEO) customers must contact their ADP account representative to add users as 3rd Party Practitioners.
  • Sensitive fields (SSN, birth date, bank info) are masked by default on practitioner profiles and must be explicitly unmasked per field.
  • If updating an existing service account user runs into issues, ADP recommends deleting and recreating the user from scratch.

| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Federated SSO (Okta, Microsoft Entra ID, Ping Federate) is available via ADP's Federation Dashboard; JIT provisioning is supported. Automated SCIM-style provisioning to/from identity platforms requires a third-party connector (e.g., Aquera Identity Directory Sync Bridge, available on ADP Marketplace). ADP Workforce Now acts as the HR system of record pushing to downstream apps, not as a SCIM target. |

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: ADP supports both suspension (deactivation) and permanent deletion. Suspension removes login access but retains the user record. Deletion is permanent and irreversible - the user and all their information are permanently removed from the organization's records. Suspended accounts not reactivated within ADP's defined timeframe are automatically scheduled for deletion, with alert emails sent 30 and 15 days prior. For employee terminations, the standard workflow is to process a termination in the HR/Time & Attendance module (Process → HR → Terminate), which sets the worker status to Terminated on the effective date after the pay period closes; this is distinct from deleting the security account.
  1. For employee termination: Navigate to Process → HR → Terminate in Workforce Now.
  2. Enter the termination date and reason for leaving; configure severance if applicable.
  3. The employee is marked for termination but remains active until the pay period containing the termination date is closed.
  4. After payroll run and period close, employee status changes to Terminated and the employee no longer appears in active module views.
  5. For security account suspension: Security masters, security administrators, user masters, or user administrators navigate to People → Manage Users in Security Management.
  6. Locate the user and update their status to Suspended/Inactive.
  7. To permanently delete a security account: locate the user in Security Management and select Delete (action cannot be undone).

| Data impact | Behavior |
|---|---|
| Owned records | Employee HR records (pay history, W-2s, benefits data) are retained in ADP after termination. Terminated employees can still access past pay statements and W-2s unless the security account is also permanently deleted. |
| Shared content | Not documented |
| Integrations | Terminated employees in ADP Workforce Now are automatically deactivated in connected ADP Marketplace applications (e.g., MakeShift). Aquera connector propagates leaver events to downstream identity platforms (Okta, Entra ID, etc.) in real time. |
| License freed | Deactivating an imported employee in ADP Marketplace-connected apps frees the used license for that app. ADP Workforce Now itself is priced per employee per month; terminated employees removed from active headcount reduce the per-employee billing. |

Watch out for:

  • Termination in the Time & Attendance module does not immediately remove access; the employee remains in the system until the pay period is closed.
  • Permanent deletion of a security account cannot be undone; the user loses access to all pay statements, benefits history, and W-2s.
  • Federated SSO-only terminated employees may need a Personal Registration Code issued to access post-termination pay statements and W-2s if their corporate SSO is revoked.
  • If terminating a manager, direct reports cannot be automatically reassigned to a new manager via the Worker Termination API; this must be done manually in the UI.
  • If terminating a Time & Attendance supervisor, a new supervisor cannot be assigned via API; manual reassignment is required.
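
A reconciliation check for the two-track offboarding described above, as an added example that is not from ADP or Stitchflow: it compares an HR status export against a security account export and flags accounts where the two tracks disagree, plus registration codes past the 15-day validity. The CSV column names, sample rows and finding labels are assumptions made up for illustration; accounts are joined on email because usernames are auto-generated while email must be unique within the organization.

```python
import csv
import io
from datetime import date, timedelta

CODE_VALIDITY = timedelta(days=15)  # registration code lifetime stated on this page

# Constructed sample exports; column names are hypothetical, not an ADP report format.
HR_EXPORT = """email,hr_status,termination_date
ana@example.com,Active,
bo@example.com,Terminated,2026-01-31
cy@example.com,Active,2026-02-20
dee@example.com,Active,
"""
SECURITY_EXPORT = """email,account_status,registered,code_issued
ana@example.com,Active,yes,
bo@example.com,Active,yes,
cy@example.com,Active,yes,
dee@example.com,Active,no,2026-02-01
eli@example.com,Active,yes,
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, security_csv, as_of):
    """Return sorted (email, finding) pairs for accounts needing review."""
    hr = {r["email"].lower(): r for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(security_csv):
        email = acct["email"].lower()
        active = acct["account_status"] == "Active"
        worker = hr.get(email)
        if worker is None:
            # Security account with no HR record behind it.
            if active:
                findings.append((email, "NO_HR_RECORD"))
            continue
        term = worker["termination_date"]
        term_date = date.fromisoformat(term) if term else None
        if active and worker["hr_status"] == "Terminated":
            # HR track is complete, but the security account was never suspended.
            findings.append((email, "TERMINATED_BUT_ACTIVE"))
        elif active and term_date and term_date <= as_of:
            # Termination date has passed but the pay period has not closed,
            # so HR still shows the worker as Active.
            findings.append((email, "AWAITING_PERIOD_CLOSE"))
        issued = acct["code_issued"]
        if acct["registered"] == "no" and issued:
            if date.fromisoformat(issued) + CODE_VALIDITY < as_of:
                findings.append((email, "REGISTRATION_CODE_EXPIRED"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in reconcile(HR_EXPORT, SECURITY_EXPORT, date(2026, 2, 25)):
        print(f"{finding:26} {email}")
```

The `AWAITING_PERIOD_CLOSE` finding is the one a status-only comparison misses: HR still reports the worker as Active, so only the termination date reveals the open access window.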

License and seat management

| Seat type | Includes | Cost |
|---|---|---|
| ADP RUN (Small Business) | Payroll, basic HR for 1–49 employees | $79/month base + $4/employee/month (1–49 employees) |
| ADP Workforce Now (Mid-Market) | Full HCM suite: payroll, HR, benefits, time & labor, talent, analytics for 50–999 employees | Approximately $62/employee/month (50–999 employees); exact pricing is quote-based and varies by modules selected |
| ADP Vantage HCM (Enterprise) | Globally scalable HCM for 1,000+ employees | Custom pricing; requires direct engagement with ADP sales |

  • Where to check usage: Security Access → Netsecure User Administration → Reports (Registration Status Report) to view registered vs. unregistered users. Active employee headcount is visible in HR module reporting.
  • How to identify unused seats: Run a Registration Status Report via Security Access → Netsecure User Administration → Reports to identify users who have not registered or have not logged in. Administrators can also view last login date and registration date per user in Security Management.
  • Billing notes: ADP pricing is per-employee per-month and varies by product tier (RUN, Workforce Now, Vantage HCM), company size, and modules enabled. Implementation fees range from $25–$200 per employee. Advanced modules (talent management, learning, analytics) are typically add-ons that increase per-employee cost. ADP Canada is a separate offering with different data and support constraints.

The cost of manual management

Manual access management in ADP compounds across every app in your stack, not just ADP itself.

Each new hire requires an admin to switch to the Portal Administrator role, navigate Security Management, complete a multi-step user creation form, assign at least one product profile, and then separately assign a security group membership - all before issuing a 15-day registration code that expires if the employee doesn't self-register in time.

Offboarding is a two-track process: HR termination (Process → HR → Terminate) and security account suspension are separate actions, and the employee retains system access until the pay period containing the termination date is closed.

Sensitive field masking (SSN, birth date, bank info) is on by default for Practitioner profiles and must be manually disabled per field - an easy step to miss during onboarding setup. Usernames are auto-generated by ADP and cannot be customized, which creates reconciliation overhead when matching ADP accounts to downstream directory identities.

What IT admins are saying

Recurring friction reported by administrators centers on three areas: the complexity of the permission model, account lockout behavior, and the absence of native inbound provisioning. Accounts lock after three failed login attempts and require admin intervention to unlock, generating a steady volume of support tickets.

The security role hierarchy - Security Master, Security Administrator, User Master, User Administrator - is granular but non-intuitive; organizations that lose their Security Master must contact their ADP representative to recover, as no lower-tier role can assign a replacement.

Community reviewers consistently note that "strict security, frequent lockouts, and complex permissions make access and management difficult," and that the platform is "robust in theory but overly complex in practice." The lack of a native SCIM target endpoint is a persistent pain point for IT teams expecting standard IdP-driven provisioning.

Common complaints:

  • Complex integration requires Aquera or similar third-party bridge for SCIM/IDP provisioning; ADP does not natively act as a SCIM target.
  • ADP as HR source-of-record (not a SCIM target) creates confusion for IT teams expecting standard inbound provisioning.
  • Enterprise and Workforce Now pricing is not publicly transparent; requires sales engagement for accurate quotes.
  • Strict security settings, frequent account lockouts (after 3 failed attempts), and complex permission configuration make access management difficult for admins.
  • Username is auto-generated by ADP and cannot be customized, causing confusion during onboarding.
  • Sensitive field masking (SSN, birth date, bank info) is enabled by default on practitioner profiles and must be manually disabled per field, which is easy to overlook during integration setup.
  • Termination does not immediately revoke access; the employee remains active until the pay period closes, creating a window of continued access.
  • Permanent deletion of user accounts is irreversible and removes access to historical pay statements and W-2s, which can cause compliance issues.
  • ADP Workforce Now Cloud uses a different setup process than standard Workforce Now, and many third-party integrations (including Finch) do not support the Cloud variant.
  • Customer support response times are frequently cited as slow, with complex permission or access issues requiring multiple contacts to resolve.
  • Advanced HR functions and additional modules require paid add-ons, increasing total cost significantly for mid-market customers.
  • Updating an existing service account user can cause system issues; ADP recommends deleting and recreating the user, adding operational overhead.

Representative quotes (verbatim):

The system itself is robust in theory but overly complex in practice, making simple tasks take far more time than they should.

The decision

Manual ADP administration is viable for small organizations with stable headcount and a dedicated HR admin who owns the platform. It becomes a liability at scale: the multi-step user creation flow, separate termination and security suspension tracks, per-field sensitive data configuration, and absence of native inbound provisioning each add compounding overhead as headcount grows.

Organizations running ADP alongside an IdP (Okta, Entra ID, Google Workspace) should evaluate whether the Aquera bridge or a comparable integration layer is in place - without it, ADP employee data does not flow automatically to downstream app provisioning.

If your team is manually reconciling ADP worker status against access in every app, the risk of access persisting past termination is structural, not incidental.

Bottom line

ADP Workforce Now is a capable HR system of record, but its access management model was built for HR administrators, not IT or identity teams.

The hybrid role-and-profile permission system, auto-generated usernames, mandatory multi-step provisioning flow, and two-track offboarding process create meaningful manual overhead - and because ADP is not a native SCIM target, none of that overhead is automatically absorbed by a standard IdP integration.

Organizations that treat ADP as a passive HR database rather than an active provisioning source will find access hygiene across every connected app difficult to maintain without a dedicated integration layer or automation tooling.

Automate ADP workflows without one-off scripts

Stitchflow builds and maintains identity workflows for your exact setup. We cover every app, including the ones without APIs, and run deterministic trigger-to-report workflows with human approvals where they matter.

Every app coverage, including apps without APIs
60+ deep API integrations plus browser automation where needed
Identity graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time

* Details sourced from official product documentation and admin references.
