Summary and recommendation
ConnectWise user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
ConnectWise PSA manages internal users as Members, each assigned exactly one Security Role that defines granular Add/Edit/Delete/Inquire permissions per functional module. There is no native SCIM support, so every app that feeds into your IdP directory sync still requires a separate, manual member record inside ConnectWise PSA.
SAML SSO is available via Okta and Azure AD, but SSO configuration does not eliminate the requirement for a matching member record in the PSA.
Quick facts
| Admin console path | System > Members (in ConnectWise PSA); System > Security Roles for role management |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Full Member (Licensed User) | Full access to PSA modules as configured by assigned Security Role; can create/edit tickets, manage time entries, access billing, run reports, and configure system settings depending on role permissions. | Cannot exceed permissions defined in their assigned Security Role; cannot self-elevate privileges. | Standard ConnectWise PSA license | Custom pricing; approximately $25/user/month as a starting point per vendor quotes | Each Full Member consumes a named license seat. Seat count is contractually fixed; adding members beyond the contracted count requires a license amendment. |
| API Member | Programmatic access to ConnectWise PSA REST API; used for integrations and automation. Assigned a Security Role like any other member. | Cannot log into the PSA UI interactively; intended solely for API/integration use. | Standard ConnectWise PSA license; API members may consume a license seat depending on contract terms | Varies by contract; some agreements include dedicated API member seats | API Members still require a Security Role assignment. Overly permissive API member roles are a common security misconfiguration. |
| Admin / System Administrator | Unrestricted access to all PSA modules including System configuration, member management, security roles, and integrations. Assigned via a Security Role with all permissions enabled. | Standard ConnectWise PSA license | Same as Full Member seat cost | There is no separate 'super admin' account type; admin access is granted by assigning a fully-permissioned Security Role to a standard member. | |
| Inactive Member | No active system access; record is retained in the database. | Cannot log in or perform any actions. Historical records (time entries, tickets) remain attributed to the member. | N/A – inactive members do not consume a billable seat once deactivated | No ongoing seat cost after deactivation | Deactivation does not delete the member record. Reactivating a previously inactive member immediately consumes a seat again. |
Permission model
- Model type: role-based
- Description: ConnectWise PSA uses Security Roles, which are named permission sets assigned to each member. Each Security Role defines granular access (Add, Edit, Delete, Inquire) per functional module (e.g., Service Desk, Time & Expense, Billing, System). A member is assigned exactly one Security Role. Roles are fully customizable by administrators.
- Custom roles: Yes
- Custom roles plan: Available on all ConnectWise PSA plans; no separate tier required
- Granularity: Per-module CRUD-level permissions (Add, Edit, Delete, Inquire) across all PSA functional areas. Some modules support additional sub-level restrictions (e.g., restricting access to specific boards or departments).
How to add users
- Log in to ConnectWise PSA as an administrator.
- Navigate to System > Members.
- Click the '+' (New Member) button.
- Enter required fields: Member ID (username), First Name, Last Name, Default Email, and assign a Security Role.
- Set the member's Default Location, Default Department, and Time Zone.
- Assign a License Class (Full Member or API Member).
- Set a temporary password or configure SSO authentication as applicable.
- Click Save to create the member record.
- Notify the new member of their credentials or SSO login instructions.
Required fields: Member ID (unique username), First Name, Last Name, Default Email Address, Security Role, Default Location, Default Department, License Class
Watch out for:
- Member ID cannot be changed after creation; choose carefully as it appears in audit logs and ticket history.
- A Security Role must exist before creating a member; there is no default 'basic user' role pre-configured out of the box in all environments.
- Adding a member beyond the contracted seat count will not be blocked by the system automatically but will result in overage charges at next billing reconciliation.
- SSO (SAML via Okta or Azure AD) must be configured separately at the system level; new members must still have a matching member record in PSA even when SSO is enabled.
- No native SCIM provisioning is available; member creation cannot be automated directly from an IdP directory sync without a third-party integration or custom API scripting.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Requires SAML SSO configuration (available on standard PSA plans); Okta and Azure AD supported. Provisioning is authentication-only (JIT login), not full lifecycle provisioning - member records must still be pre-created manually in PSA. No native SCIM for automated provisioning. |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: ConnectWise PSA does not support deleting member records. Members can only be set to Inactive status. Inactive members retain all historical associations (tickets, time entries, notes) and their record remains in the database. This preserves audit trail integrity but means former employee records accumulate over time.
- Log in to ConnectWise PSA as an administrator.
- Navigate to System > Members.
- Search for and open the member record to be deactivated.
- Uncheck the 'Active' checkbox on the member record.
- Click Save.
- Optionally, reassign any open service tickets or project assignments owned by the member to an active member before deactivating.
| Data impact | Behavior |
|---|---|
| Owned records | All tickets, time entries, notes, and project tasks previously created or assigned to the member remain in the system and retain the member's name as the author/assignee. Historical data is not altered. |
| Shared content | Shared calendar entries, dispatch portal assignments, and board assignments associated with the inactive member remain but the member will no longer appear in active assignment dropdowns. |
| Integrations | API Member tokens associated with the deactivated member will cease to authenticate. Any integrations using that member's credentials must be reconfigured to use an active API member. |
| License freed | The seat is freed upon deactivation and is available for reassignment to a new member at the next billing cycle or immediately depending on contract terms. |
Watch out for:
- Deactivating a member does not automatically reassign their open tickets; unassigned or mis-assigned tickets can fall through the cracks if not manually reassigned first.
- If the departing member was the sole owner of certain workflow rules or automation setups, those rules may fail silently after deactivation.
- SSO sessions are not immediately terminated upon deactivation in all configurations; verify with your IdP that the user's SSO access is also revoked.
- Member records cannot be merged; if a member was accidentally duplicated, both records persist indefinitely.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Full Member | Full interactive access to ConnectWise PSA UI and all modules permitted by Security Role. Includes time entry, ticketing, billing, reporting, and system configuration access. | Custom pricing; approximately $25/user/month starting point per vendor quotes |
| API Member | API-only access for integrations and automation. No UI login capability. | Varies by contract; may be included as a fixed number of API seats or billed separately |
- Where to check usage: System > Members - filter by Active status to view all currently active (billable) members. No built-in license utilization dashboard is available natively.
- How to identify unused seats: No native 'last login' report is surfaced in the standard PSA UI. Administrators can query member activity indirectly via audit logs (System > Audit Trail) or by reviewing time entry and ticket activity per member. ConnectWise does not provide an automated unused-seat detection tool within the PSA.
- Billing notes: ConnectWise PSA uses named-user licensing, not concurrent-user licensing. Each active member record consumes one seat regardless of login frequency. Seat counts are set contractually; overages are reconciled at billing intervals. Pricing is custom-quoted and not publicly listed. Multiple ConnectWise products (PSA, Automate, Control/ScreenConnect) are licensed and billed separately.
The cost of manual management
ConnectWise PSA uses named-user licensing, meaning every active account consumes a contracted seat regardless of login frequency. There is no built-in last-login report in the standard UI; identifying unused seats requires manually cross-referencing the audit trail or reviewing per-member ticket and time-entry activity.
Seat counts are contractually fixed and require a formal amendment to increase, with no self-service portal to adjust counts between billing cycles.
What IT admins are saying
Practitioners consistently flag three friction points in ConnectWise PSA user management. First, the absence of native SCIM means every onboarding and offboarding event requires a manual step in the PSA, independent of whatever IdP directory sync is in place.
Second, deactivating a member does not auto-reassign open tickets, creating real offboarding risk if the step is skipped. Third, Member ID is immutable after creation - a meaningful operational problem when employee usernames change due to legal name changes or organizational rebranding.
Common complaints:
- Complex multi-product SSO setup across PSA, Automate, and Control requiring separate configuration per product.
- No native SCIM support means onboarding and offboarding cannot be automated via IdP directory sync; member records must be created and deactivated manually in PSA.
- No built-in last-login reporting makes it difficult to identify inactive or unused seats for license optimization.
- Member ID cannot be changed after creation, causing issues when employee usernames change (e.g., name changes after marriage).
- Deactivating a member does not auto-reassign open tickets, creating risk of work items being orphaned during offboarding.
- License seat counts are contractually fixed and require a formal amendment to increase, with no self-service seat management portal.
- Security Role configuration is granular but complex; initial setup requires significant time investment to configure correctly across all modules.
The decision
Manual administration is viable for teams with low member turnover and a small, stable headcount, but the process becomes error-prone at scale because every app in your stack that depends on ConnectWise identity must be reconciled by hand. There is no automated seat reclamation, no idle-user detection, and no bulk provisioning path without custom tooling.
Teams managing frequent onboarding cycles or operating across multiple ConnectWise products (PSA, Automate, Control) should expect compounding overhead, since SSO and member management must be configured separately per product.
Bottom line
ConnectWise PSA's manual user management workflow is functional but deliberately hands-on: every member record is created, role-assigned, and deactivated by an administrator with no directory sync shortcut available.
The named-user licensing model makes undetected inactive seats a real cost risk, and the lack of last-login visibility means seat audits require manual effort.
Teams that need lifecycle automation will need to build it on top of the REST API or route through a middleware integration platform.
Automate ConnectWise workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
