Stitchflow

BambooHR User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Feb 27, 2026

Summary and recommendation

BambooHR user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

BambooHR is an HR system of record that provisions access outbound to other tools - it does not accept inbound provisioning. Every app that receives identity data from BambooHR depends on BambooHR being the authoritative source; changes must originate here or they will not propagate downstream.

Access is controlled through a hybrid permission model: four predefined system roles (Account Owner, Full Admin, Manager, Employee) plus fully configurable Custom Access Levels available on all plans.

Quick facts

  • Admin console path: Settings (gear icon, top-right) > Access Levels
  • Admin console URL: Official docs
  • SCIM available: No
  • SCIM tier required: Varies by IdP
  • SSO prerequisite: Yes

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Account Owner | Top-level account authority. Can request removal of SSO/SAML integrations, manage all API keys, reset any user's 2-Step Login, and perform all Full Admin actions. | No documented restrictions beyond Full Admin; only one Account Owner per account. | All plans | Included in per-employee PEPM pricing; no separate seat cost documented. | Only the Account Owner (or Full Admin) can request SSO/SAML integration removal via BambooHR Customer Support. |
| Full Admin | View and edit all fields for all employees and all account settings. Can reset any user's 2-Step Login and manage SSO/SAML integrations. | Cannot remove SSO/SAML integration unilaterally without contacting Customer Support; cannot exceed Account Owner authority. | All plans | Included in per-employee PEPM pricing; no separate seat cost documented. | Should be strictly limited; Full Admins have unrestricted read/write access to all employee data and settings. |
| Payroll Admin | Can run and approve payroll. Retains Edit permissions on Pay Info tab. Can be scoped by EIN for multi-EIN organizations. | Cannot perform non-payroll Full Admin actions unless also assigned Full Admin access level. | BambooHR Payroll add-on required | Included in per-employee PEPM pricing; Payroll add-on pricing is separate and quote-based. | A separate 'Payroll Admin (Non-Approver)' sub-role exists that can run but not approve payroll. |
| Manager | View information about direct and indirect reports. Can edit notes on direct/indirect reports. Can approve time-off and other workflow actions for their team. | Cannot edit most employee fields; cannot access settings; field visibility is further restricted by admin-configured field-level permissions. | All plans | Included in per-employee PEPM pricing. | Admins can hide specific fields from Manager-level users; the Manager level does not grant editing rights beyond notes. |
| Custom Access Level | Admin-defined, field-level View Only or Edit permissions scoped to specific employee populations (e.g., All Employees, Direct Reports). Can optionally include Performance module management, report creation, and password/2-Step Login reset delegation. | Cannot exceed permissions explicitly granted by a Full Admin during level configuration. Performance reports are not automatically included even when Performance management is enabled. | All plans | Included in per-employee PEPM pricing. | Custom levels default to 'No Access' for new fields; admins must explicitly grant each permission. Performance reports must be separately shared even if Performance management is enabled for the level. |
| Employee (Self-Service) | View own profile data. Edit fields where HR admin has granted edit access. Request time off, view time-off balances, view company directory and org chart (if enabled), access shared files. | Cannot view other employees' data beyond what is in the company directory. Cannot change own access level. Field edits may require approval workflow depending on field configuration. | All plans | Included in per-employee PEPM pricing. | Employee access level defaults to 'View' for Pay Info fields. Some field changes trigger an approval workflow rather than saving immediately. |
| Non-Employee User | A BambooHR account not tied to an employee record. Assigned a Custom Access Level. Used for integrations, API key generation, or third-party service accounts. | Permissions are entirely determined by the assigned Custom Access Level; no inherent permissions. | All plans | Not documented as a billable seat; created via Settings > Access Levels > [Custom Level] > gear icon > Add a Non-Employee BambooHR User. | Non-employee users receive a welcome email to set a password. If SSO is enabled company-wide, non-employee users may need a separate login path. |

Permission model

  • Model type: hybrid
  • Description: BambooHR uses a hybrid model combining predefined system roles (Account Owner, Full Admin, Manager, Employee) with fully configurable Custom Access Levels. Custom levels are built by selecting field-level permissions (View Only or Edit) per data category (Personal, Job, Compensation, etc.) and scoping them to employee populations (All Employees, Direct Reports, Specific Employees). A user can be assigned to multiple access levels simultaneously. Permissions are additive across assigned levels.
  • Custom roles: Yes
  • Custom roles plan: All plans
  • Granularity: Field-level (per data field within each tab: Personal, Job, Compensation, Time Off, etc.) with population scoping (All Employees, Direct Reports, Specific Employees). Module-level toggles exist for Performance and Reports.

How to add users

  1. Log in as Full Admin or Account Owner.
  2. Click the 'People' tab (or 'Employees' in the top navigation).
  3. Click 'Add Employee' button.
  4. Enter required fields in the employee form.
  5. Click Save.
  6. Navigate to the employee profile and click the lock icon (or 'Manage Access') to assign an access level.
  7. Select the appropriate access level(s) and save.
  8. BambooHR sends a 'Create Your Account' or 'Welcome' email to the employee based on their hire date and assigned access level.

Required fields: First Name, Last Name, Work Email (required for system access and SSO matching)

Watch out for:

  • The welcome/account-creation email timing depends on the employee's hire date and access level assignment; it is not always sent immediately upon record creation.
  • If SSO is enabled, the welcome email still sends once, allowing the employee to optionally set a backup password.
  • Employees must have a valid work email address to receive login credentials and to be matched in IdP integrations.
  • A user can be assigned to multiple access levels simultaneously; permissions are additive.

| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Settings (gear icon) > Import (via BambooHR's built-in importer at https://.bamboohr.com/employees/import); also accessible via the Partners import tool training portal. |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Requires SSO/SAML setup (available on all plans per documented integrations); Okta provisioning uses BambooHR as the HR source of record (outbound from BambooHR to Okta). BambooHR does not support inbound SCIM provisioning. IdP integration plan requirements vary by IdP and BambooHR plan tier. |

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: BambooHR supports both termination (End Employment) and deletion. 'End Employment' (formerly 'Terminate Employee') sets an effective termination date and changes the employee's status to terminated, which removes their BambooHR login access while retaining their historical record. Deletion removes the user account entirely. Termination is the standard and recommended path for offboarding; deletion is available but removes the record.
  1. Log in as Full Admin or Account Owner.
  2. Navigate to the employee's profile (People tab > select employee).
  3. Click the cogwheel (options) icon on the employee profile.
  4. Select 'End Employment'.
  5. Set the 'Effective Date' for the termination.
  6. Click 'End Employment' to confirm.
  7. Employee's BambooHR access is revoked as of the effective date.

| Data impact | Behavior |
|---|---|
| Owned records | Employee record is retained in BambooHR with 'Terminated' status. Historical data (job history, compensation, time off, documents) is preserved and accessible to admins via reports. |
| Shared content | Files shared with the terminated employee remain in BambooHR. Shared reports and documents are not automatically removed. |
| Integrations | Termination event in BambooHR triggers downstream integrations (e.g., Okta deprovisioning, benefits termination in Maxwell, equipment return in Firstbase) if those integrations are configured. Integration sync timing varies by partner (e.g., some run once per day). |
| License freed | Terminated employees are moved to 'Terminated' status and no longer count as active employees for billing purposes, though BambooHR's per-employee pricing model is quote-based and seat reduction timing should be confirmed with BambooHR sales. |

Watch out for:

  • BambooHR does not automatically deprovision access in connected SaaS tools; downstream deprovisioning requires configured integrations (e.g., Okta, Zapier) or manual action.
  • The 'End Employment' action was previously labeled 'Terminate Employee'; the word 'terminated' persists in reports and employee list views.
  • Integration partners (e.g., Firstbase) may offboard employees the day after the effective termination date to avoid premature access removal before employee notification.
  • The employment-status field in BambooHR's API has been reported to return blank data in some Zapier 'Updated Employee' trigger configurations, complicating automated offboarding workflows.
  • Benefits termination dates in integrated systems (e.g., Maxwell) must be manually confirmed for COBRA eligibility after the BambooHR termination event.
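
A reconciliation check for the offboarding gap described above, as an added example that is not BambooHR or Stitchflow code: it compares an HR export with a downstream app's user list and treats a blank employment status as unresolved rather than as active. The column names (`work_email`, `status`, `termination_date`, `email`, `active`) and the sample rows are assumptions constructed for illustration, not a documented export format.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions, not a real export format.
HR_EXPORT = """work_email,status,termination_date
ana@example.com,Active,
ben@example.com,Terminated,2026-02-20
cy@example.com,Terminated,2026-03-15
dee@example.com,,
"""
APP_USERS = """email,active
ana@example.com,true
BEN@example.com,true
cy@example.com,true
dee@example.com,true
eli@example.com,true
ben.old@example.com,false
"""

def reconcile(hr_csv, app_csv, today):
    """Return {email: finding} for active downstream accounts that need action."""
    hr = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        hr[row["work_email"].strip().lower()] = row
    findings = {}
    for user in csv.DictReader(io.StringIO(app_csv)):
        if user["active"].strip().lower() != "true":
            continue  # already disabled downstream
        email = user["email"].strip().lower()
        rec = hr.get(email)
        if rec is None:
            findings[email] = "no_hr_record"          # account with no HR source
            continue
        status = rec["status"].strip().lower()
        if status == "":
            findings[email] = "status_blank_review"   # never assume Active
        elif status == "terminated":
            end = rec["termination_date"].strip()
            if not end:
                findings[email] = "terminated_no_date_review"
            elif date.fromisoformat(end) <= today:
                findings[email] = "disable_now"       # access outlived employment
            else:
                findings[email] = "pending_" + end    # future effective date
    return findings

if __name__ == "__main__":
    for email, finding in reconcile(HR_EXPORT, APP_USERS, date(2026, 2, 27)).items():
        print(f"{email}: {finding}")
```

Run it once per connected app; because integration sync timing varies by partner, a `disable_now` finding that persists past the partner's sync window is the one to escalate.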

License and seat management

| Seat type | Includes | Cost |
|---|---|---|
| Active Employee Seat (Core plan) | Employee records, workflows, ATS (limited job openings), time-off management, basic reporting, employee self-service, onboarding tools. | ~$10/employee/month (PEPM); flat rate of $250/month for organizations with 25 or fewer employees. |
| Active Employee Seat (Pro plan) | All Core features plus performance management, employee satisfaction/wellbeing surveys, AI assistant, employee community features, advanced compliance training. | ~$15–22/employee/month (PEPM); exact pricing requires sales quote. |
| Active Employee Seat (Elite plan) | All Pro features plus custom dashboards and analytics, compensation management, HR benchmarking, 300+ compliance training courses, premium services. | Quote-based; higher than Pro tier. |
| Add-on: Payroll | Native payroll processing, tax filing, timesheet import, Payroll Admin access level. | Quote-based; separate from base PEPM. |
| Add-on: Benefits Administration | Benefits enrollment, carrier feeds, HSA/FSA/commuter benefits. | Quote-based; separate from base PEPM. |
| Add-on: Time Tracking | Clock-in/out, timesheet tracking. | Quote-based; separate from base PEPM. |

  • Where to check usage: Settings (gear icon) > Access Levels > Assignments export (CSV/Excel) to see all users and their assigned access levels. Active employee count visible in the employee list filtered by Employment Status = Active.
  • How to identify unused seats: Export Access Levels > Assignments report (CSV/Excel) to identify users with access levels assigned. Cross-reference with last-login data via the Audit Trail report (available to Full Admins). No native 'last login date' column in the standard employee list; Audit Trail is the primary tool.
  • Billing notes: Pricing is per active employee per month (PEPM). Companies with 25 or fewer employees pay a flat $250/month. Volume discounts apply as headcount grows. A 15% discount is available for registered nonprofits. A 15% discount is available when bundling Payroll and Benefits Administration. Implementation fee is approximately 5–15% of annual software fees. Pricing is not publicly listed; a sales quote is required for exact figures. Month-to-month contracts are available (no mandatory annual lock-in documented).
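
The cross-reference in the "How to identify unused seats" item above, as an added example that is not BambooHR or Stitchflow code: it joins an access-level assignments export with login events from an audit trail export and flags idle accounts, users holding several additive levels, and Full Admins. The column names, the `login` action value, the 90-day idle threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports; column names are assumptions for illustration.
ASSIGNMENTS = """user,access_level
ana@example.com,Full Admin
ben@example.com,Manager
ben@example.com,Recruiting (Custom)
cy@example.com,Employee
svc-sync@example.com,Integration (Custom)
"""
AUDIT_TRAIL = """timestamp,user,action
2026-02-25T09:14:00,ana@example.com,login
2025-10-02T16:40:00,ben@example.com,login
2026-02-26T08:01:00,ana@example.com,login
2026-02-20T11:30:00,cy@example.com,field_change
"""

def audit_access(assignments_csv, audit_csv, today, max_idle_days=90):
    """Group access levels per user and flag accounts with no recent login."""
    levels = {}
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        levels.setdefault(row["user"].strip().lower(), set()).add(row["access_level"].strip())
    last_login = {}
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["action"].strip().lower() != "login":
            continue  # only login events count as use of the seat
        user = row["user"].strip().lower()
        day = date.fromisoformat(row["timestamp"][:10])
        last_login[user] = max(day, last_login.get(user, day))
    cutoff = today - timedelta(days=max_idle_days)
    report = []
    for user in sorted(levels):
        seen = last_login.get(user)
        flags = []
        if seen is None:
            flags.append("no_login_recorded")
        elif seen < cutoff:
            flags.append("idle")
        if len(levels[user]) > 1:
            flags.append("multiple_levels")   # permissions are additive
        if "Full Admin" in levels[user]:
            flags.append("full_admin")        # unrestricted read/write
        report.append((user, sorted(levels[user]), seen, flags))
    return report

if __name__ == "__main__":
    for user, lv, seen, flags in audit_access(ASSIGNMENTS, AUDIT_TRAIL, date(2026, 2, 27)):
        print(user, lv, seen, flags)
```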

The cost of manual management

Pricing is per active employee per month (PEPM) and is not publicly listed - a sales quote is required. Organizations with 25 or fewer employees pay a flat $250/month. Custom Access Levels are available on all plans, but SSO and IdP-based outbound provisioning require higher-tier or custom arrangements.

A 15% discount applies for registered nonprofits, and a separate 15% discount is available when bundling Payroll and Benefits Administration. Implementation fees run approximately 5–15% of annual software fees.

What IT admins are saying

The most consistent friction point reported is BambooHR's outbound-only provisioning model: every app downstream depends on BambooHR as the source of truth, but changes made in those downstream tools are never reflected back.

Automated offboarding workflows built on Zapier have reported blank employment-status data from the 'Updated Employee' trigger, making them unreliable without additional validation steps.

Auditing access levels is manual-heavy - BambooHR added a CSV/Excel permissions export in response to complaints, but cross-referencing it against the Audit Trail report is still a required step.

Custom Access Level users with Performance management enabled cannot see Performance reports unless those reports are separately shared, a split that catches admins off guard.

Common complaints:

  • BambooHR-centric provisioning model can be confusing; it acts as the HR source of record and provisions outbound to other apps, but does not accept inbound SCIM provisioning.
  • One-way sync means changes must originate in BambooHR; updates made in downstream tools (e.g., email address changes in PerformYard) are not reflected back in BambooHR.
  • Integration quality varies by IdP; some Zapier 'Updated Employee' triggers return blank employment-status data, making automated offboarding workflows unreliable.
  • Auditing access levels is described as cumbersome; BambooHR acknowledged this and added a CSV/Excel permissions export, but the process still requires manual review.
  • Custom Access Level users with Performance management enabled cannot see Performance reports unless those reports are separately shared with them, creating a confusing split permission.
  • Pricing is opaque; exact per-employee costs require a sales quote and are not published on the BambooHR website.
  • Downstream deprovisioning (e.g., disabling Azure AD or Okta accounts) is not automatic upon BambooHR termination and requires separately configured integrations or manual IT action.

The decision

BambooHR is the right choice when HR owns the identity lifecycle and every app in the stack should receive employee data from a single authoritative source. It is a poor fit if you need bidirectional sync or inbound provisioning - neither is supported.

The permission model is granular enough for most mid-market needs: field-level, population-scoped Custom Access Levels on all plans. The main operational risk is offboarding: BambooHR's 'End Employment' action does not automatically deprovision access in connected SaaS tools; that requires a configured IdP integration or manual action in each system.

Bottom line

BambooHR works well as an HR source of truth when every app in your environment is provisioned outbound from it and your IdP integration is correctly configured to sync status changes.

The permission model is flexible and available on all plans, but the outbound-only architecture means offboarding gaps are real and require deliberate mitigation - either through a connected IdP or a documented manual checklist.

Pricing opacity and the manual effort required to audit access levels are the two most common operational complaints from teams managing it at scale.


* Details sourced from official product documentation and admin references.
