Stitchflow

Cornerstone OnDemand User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 9, 2026

Summary and recommendation

Cornerstone OnDemand user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Cornerstone OnDemand is an enterprise LMS with a hybrid permission model that combines Permission Sets (feature access) and Organizational Units (data scoping). Every app in your stack that feeds learner data into Cornerstone depends on OU assignments being correct - a misplaced OU cascades into wrong content auto-assignments, broken manager visibility, and skewed compliance reports.

User management lives at Admin > Tools > Core Functions > Users, and the platform requires Enterprise tier for SCIM-based provisioning.

Quick facts

Admin console path: Admin > Users > Manage Users (or via the top navigation: Admin > Tools > Core Functions > Users)
Admin console URL: Official docs
SCIM available: Yes
SCIM tier required: Enterprise
SSO prerequisite: Yes

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all modules, configurations, user management, security settings, reporting, and integrations. Can create and assign permission sets. | Cannot exceed permissions granted by the portal's license tier; some module access depends on purchased modules. | All plans | Counts as a licensed user seat | System Administrator access is broad; Cornerstone recommends limiting the number of users with this role. Misconfigured permission sets can inadvertently grant admin-level access to non-admin users. |
| Manager | Can view and manage direct reports' learning assignments, transcripts, and performance data within their organizational unit (OU). Access scope is defined by OU and permission set configuration. | Cannot access users outside their assigned OU unless explicitly granted. Cannot modify system-level configurations. | All plans | Counts as a licensed user seat | Manager visibility is controlled by OU hierarchy; if OU structure is misconfigured, managers may see too many or too few users. |
| Standard User (Learner) | Can access assigned learning content, view own transcript, complete assigned training, and update personal profile fields permitted by admin. | Cannot access other users' data, administrative settings, or reporting beyond personal transcript. | All plans | Counts as a licensed user seat | Default landing page and available features depend on which modules are licensed and which permission sets are assigned. |
| Extended Enterprise User | External user (e.g., partner, customer, contractor) with access limited to a specific portal or content subset configured for external audiences. | Cannot access internal employee portals or data unless explicitly configured. Feature access is typically more restricted than internal users. | Extended Enterprise module (add-on) | Separate licensing; pricing varies by contract | Extended Enterprise portals require separate configuration. User counts and billing are tracked separately from internal employee seats. |

Permission model

  • Model type: hybrid
  • Description: Cornerstone uses a combination of Permission Sets (role-based bundles of feature and data permissions) and Organizational Units (OUs) to control what users can see and do. Permission Sets define which features and actions a user can access; OUs define which data (users, content, reports) they can access. Admins can create custom Permission Sets and assign them to users or groups. Constraints can be applied at the OU, division, or individual user level.
  • Custom roles: Yes
  • Custom roles plan: Available on all plans; complexity of configuration scales with platform tier
  • Granularity: High granularity - permissions can be configured at the individual feature action level (e.g., view vs. edit vs. delete for specific objects). OU-based data scoping adds a second dimension of access control.

How to add users

  1. Log in as an administrator.
  2. Navigate to Admin > Tools > Core Functions > Users.
  3. Click 'Add User' to open the user creation form.
  4. Enter required fields: First Name, Last Name, Username, Password (or configure SSO), and Email Address.
  5. Assign the user to an Organizational Unit (OU) - this determines data visibility and reporting hierarchy.
  6. Assign a Permission Set to define the user's feature access.
  7. Set the user's Division, Position, and any other required custom fields configured for your portal.
  8. Set the user's status to 'Active'.
  9. Click 'Save' to create the user record.
  10. Optionally, assign learning content or curricula immediately after creation.

Required fields: First Name, Last Name, Username (must be unique within the portal), Password (if not using SSO), Email Address, Organizational Unit (OU)

Watch out for:

  • Usernames must be unique across the entire portal and cannot be changed after creation in some configurations - verify naming conventions before bulk imports.
  • If SSO is enabled, password fields may be suppressed, but the user record must still be created manually or via provisioning before first login.
  • Custom required fields vary by portal configuration; fields marked required by your admin must be populated or the save will fail.
  • Users without a Permission Set assigned will have no feature access after login.
  • OU assignment determines which manager can see the user and which content is auto-assigned - incorrect OU placement causes downstream training assignment errors.
  • Email address uniqueness enforcement depends on portal configuration; some portals allow duplicate emails, which can cause SSO and notification issues.

| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin > Tools > Core Functions > Users > User Import (also accessible via Data Load Wizard or SFTP-based data feed) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (SCIM provisioning via Okta or OneLogin; Microsoft Entra SCIM integration deprecated as of 2024) |
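
The watch-outs above can be checked before a CSV import is uploaded. The following is an added example, not Cornerstone's or Stitchflow's code: the column names, the sample rows and the case-insensitive comparison are assumptions, so map them to your portal's import template.

```python
import csv
import io
from collections import Counter

# Hypothetical column names; map them to your portal's import template.
REQUIRED = ["first_name", "last_name", "username", "email", "ou"]

# Constructed sample import file (not real data).
SAMPLE_IMPORT = """first_name,last_name,username,email,ou,permission_set
Ana,Ruiz,aruiz,ana.ruiz@example.com,Sales-EMEA,Learner
Ben,Cho,bcho,ben.cho@example.com,,Learner
Cara,Diaz,cdiaz,shared@example.com,Eng,
Dev,Patel,ARuiz,shared@example.com,Eng,Manager
Eli,Ford,eford,eli.ford@example.com,Eng,Learner
"""

def validate_import(csv_text, existing_usernames=(), sso_enabled=True):
    """Return (row_number, username, problem) tuples for a user import file."""
    rows = [{k: (v or "").strip() for k, v in r.items() if k is not None}
            for r in csv.DictReader(io.StringIO(csv_text))]
    required = REQUIRED + ([] if sso_enabled else ["password"])
    # Assumption: names are compared case-insensitively, the stricter reading.
    taken = {u.casefold() for u in existing_usernames}  # include Inactive users
    users = Counter(r.get("username", "").casefold() for r in rows)
    mails = Counter(r.get("email", "").casefold() for r in rows)
    findings = []
    for n, r in enumerate(rows, start=2):  # row 1 is the header
        name, email = r.get("username", ""), r.get("email", "")
        for field in required:
            if not r.get(field):
                findings.append((n, name, f"missing required field: {field}"))
        if not r.get("permission_set"):
            findings.append((n, name, "no permission set: no feature access after login"))
        if name and users[name.casefold()] > 1:
            findings.append((n, name, "username duplicated in file"))
        if name and name.casefold() in taken:
            findings.append((n, name, "username already exists in portal"))
        if email and mails[email.casefold()] > 1:
            findings.append((n, name, "email duplicated in file"))
    return findings

if __name__ == "__main__":
    for finding in validate_import(SAMPLE_IMPORT, existing_usernames=["eford"]):
        print(*finding, sep=" | ")
```

Pass the usernames of Inactive records in `existing_usernames` as well, since a rehire can collide with a username still tied to an old record.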

How to remove or deactivate users

  • Can delete users: No
  • Delete/deactivate behavior: Cornerstone OnDemand does not support permanent deletion of user records through the standard admin UI. Users can only be set to 'Inactive' status. Inactive users retain all historical records (transcript, completions, performance data) in the system. This is by design to preserve audit trails and compliance records. Physical data deletion may be possible via a formal data privacy/GDPR request process handled by Cornerstone support, but is not a self-service admin function.
  1. Navigate to Admin > Tools > Core Functions > Users.
  2. Search for the user by name, username, or email.
  3. Open the user's profile by clicking their name.
  4. Click 'Edit' on the user record.
  5. Change the 'Status' field from 'Active' to 'Inactive'.
  6. Save the record.
  7. Optionally, remove the user from any active learning assignments or curricula to prevent notification emails from being sent to the inactive user.

| Data impact | Behavior |
|---|---|
| Owned records | All historical training records, transcript data, performance reviews, and completion records are retained and remain accessible to administrators after deactivation. |
| Shared content | Content created or managed by the user (e.g., authored courses, playlists) remains in the system and is not automatically reassigned. Admins must manually reassign ownership if needed. |
| Integrations | If the user was provisioned via SCIM (Okta/OneLogin), deprovisioning in the IdP will set the user to Inactive in Cornerstone. The user's SSO session is terminated but the record persists. |
| License freed | Deactivating a user frees the seat for reassignment per contract terms, but this depends on the specific contract. Admins should confirm with their Cornerstone account manager whether inactive users count against licensed seat totals. |

Watch out for:

  • Inactive users may still appear in some reports and OU counts depending on report filter configuration - always filter by 'Active' status when auditing current users.
  • Deactivating a user does not automatically cancel any pending learning assignments; those assignments remain in the system and may generate system notifications.
  • If a user is a manager in the OU hierarchy, deactivating them without reassigning their direct reports will leave those users without a manager, affecting manager-level reporting and approval workflows.
  • GDPR/data deletion requests must be submitted to Cornerstone support and are not self-service - plan for lead time if compliance deletion is required.
  • Reactivating a previously inactive user restores their full historical record and prior permission set assignments - verify permission sets are still appropriate before reactivation.
  • Username of an inactive user cannot be reused for a new user in some portal configurations, which can cause issues when rehiring employees.

License and seat management

| Seat type | Includes | Cost |
|---|---|---|
| Internal Employee Seat | Access to core LMS modules (Learning, Performance, Succession, etc.) as licensed. Includes standard user, manager, and admin roles. | Custom enterprise pricing; approximately $6/user/month at lower tiers; average contract ~$69,000/year for mid-market. Requires sales quote. |
| Extended Enterprise Seat | Access for external users (partners, customers, contractors) via a separately configured portal. Feature access is typically a subset of internal user capabilities. | Separate add-on pricing; negotiated per contract. Not included in base employee seat pricing. |

  • Where to check usage: Admin > Tools > Core Functions > Users - filter by Active status and export to review current active user count. Licensing reports may also be available under Admin > Reports depending on portal configuration.
  • How to identify unused seats: Run a user activity report filtered by last login date (Admin > Reports > User Reports > User Activity). Users with no login activity in 90+ days can be candidates for deactivation review. There is no built-in 'unused seat' dashboard - admins must build or schedule this report manually.
  • Billing notes: Cornerstone does not publish standard pricing publicly. Contracts are negotiated annually with volume discounts. Additional modules (Performance, Succession, Recruiting, etc.) are priced separately. Confirm with your account manager whether inactive users count against contracted seat totals - this varies by contract. Overages above contracted seat counts may trigger true-up billing at renewal.
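
Because there is no built-in unused-seat dashboard and deactivating a manager silently orphans their direct reports, both checks can be run over an exported user list. The following is an added example, not code from Cornerstone or Stitchflow; the export's column names and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names are hypothetical.
SAMPLE_EXPORT = """username,status,manager,last_login
mlee,Inactive,,2025-11-03
aruiz,Active,mlee,2026-03-01
bcho,Active,mlee,2025-10-15
cdiaz,Active,kwong,2026-02-20
kwong,Active,,2026-03-05
tnew,Active,kwong,
"""

def audit_export(csv_text, today, stale_days=90):
    """Summarise active seats, orphaned direct reports and stale accounts."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    status = {r["username"]: r["status"] for r in rows}
    # Count only Active records; Inactive ones persist and inflate totals.
    active = [r for r in rows if r["status"] == "Active"]
    cutoff = today - timedelta(days=stale_days)
    orphaned, stale = [], []
    for r in active:
        mgr = r["manager"]
        # Manager deactivated (or missing from the export), reports still attached.
        if mgr and status.get(mgr) != "Active":
            orphaned.append((r["username"], mgr))
        # No login for stale_days or more; never-logged-in accounts count too.
        last = r["last_login"]
        if not last or date.fromisoformat(last) <= cutoff:
            stale.append(r["username"])
    return {"active_seats": len(active),
            "orphaned_reports": orphaned,
            "stale_active": stale}

if __name__ == "__main__":
    for key, value in audit_export(SAMPLE_EXPORT, date(2026, 3, 9)).items():
        print(f"{key}: {value}")
```

Stale accounts are candidates for deactivation review, not automatic deactivation; reassign orphaned reports before or alongside the manager's offboarding.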

The cost of manual management

Adding users manually requires populating six or more required fields per record, including OU assignment and Permission Set - neither has a safe default. Every app that relies on Cornerstone training completion data is affected when a user lands in the wrong OU, because content auto-assignment and manager reporting both derive from that placement.

Bulk imports via CSV are available but validation errors surface as vague messages that typically require Cornerstone support to diagnose. Deactivation is the only offboarding action available in the UI; permanent deletion requires a formal support ticket, adding lead time to any GDPR compliance workflow.

What IT admins are saying

The highest-impact operational issue reported by Cornerstone admins is the 2024 deprecation of the Microsoft Entra (Azure AD) SCIM provisioning integration. Organizations using Entra must now migrate to Okta or OneLogin for automated provisioning or fall back to manual or CSV-based user management.

Permission Set configuration is consistently flagged as non-intuitive - the interface exposes hundreds of individual checkboxes with no audit-friendly summary view.

Username immutability is a recurring pain point when rehiring former employees, since inactive usernames may be locked to old records and cannot be reused in some portal configurations.

Common complaints:

  • Microsoft Entra (Azure AD) SCIM provisioning integration was deprecated in 2024, forcing organizations using Entra to migrate to Okta or OneLogin for automated provisioning or revert to manual/CSV-based user management.
  • Complex SSO certificate management - certificate rotation requires coordinated updates between Cornerstone portal settings and the IdP, with risk of login outages if timing is misaligned.
  • Permission Set configuration is described as overly complex and non-intuitive, with hundreds of individual permission checkboxes that are difficult to audit or document.
  • No native permanent user deletion in the admin UI - GDPR deletion requests require opening a support ticket with Cornerstone, which adds lead time for compliance workflows.
  • Username immutability causes operational issues when employees change names or when rehiring former employees whose usernames are still tied to inactive records.
  • Bulk user import via CSV/data feed is error-prone; validation error messages are described as vague and difficult to troubleshoot without Cornerstone support involvement.
  • Inactive users continuing to appear in reports and OU counts unless filters are manually applied, leading to inflated user counts in dashboards.
  • Lack of a self-service seat usage dashboard makes it difficult for admins to proactively identify and reclaim unused licenses before renewal.
  • Manager hierarchy disruption when a manager is deactivated without a reassignment workflow - direct reports lose manager linkage silently.
  • Extended Enterprise portal configuration is described as significantly more complex than internal portal setup, with limited documentation for edge cases.

The decision

Manual management is viable for organizations with low user churn and a stable OU structure already in place. It becomes operationally expensive when headcount exceeds a few hundred, when OU hierarchies are complex, or when compliance deletion timelines are tight.

SCIM via Okta or OneLogin is the supported path for automated lifecycle management at Enterprise tier, with SSO as a hard prerequisite. Teams without Okta or OneLogin and without an HRIS integration should factor in the ongoing admin overhead of CSV imports and manual deactivation workflows before committing to this approach.

Bottom line

Cornerstone OnDemand's manual user management is functional but carries meaningful operational risk at scale. OU misconfiguration silently breaks training assignments and manager workflows across every app that consumes Cornerstone data.

The Entra SCIM deprecation has narrowed the automated provisioning path to Okta and OneLogin only, and the absence of self-service permanent deletion adds compliance process overhead that teams should plan for explicitly.


* Details sourced from official product documentation and admin references.
