Coupa User Management Guide

• Model type: hybrid
• Description: Coupa uses a role-based access control model with a library of predefined system roles (e.g., Buyer, Approver, Requester) that can be assigned individually or in combination. Administrators can also create custom roles by selecting specific permission sets from a granular list of module-level and action-level permissions. Users can hold multiple roles simultaneously, and permissions are additive.
• Custom roles: Yes
• Custom roles plan: Not documented
• Granularity: Module-level and action-level (e.g., create, edit, view, approve per procurement module). Business group and content group scoping adds a second dimension of access control beyond role assignment.

1. Log in as an administrator and navigate to Setup > Users.
2. Click 'Create' or the '+' button to open the new user form.
3. Enter required fields: First Name, Last Name, Email (used as login), and Login (username).
4. Assign one or more Roles from the available role list.
5. Set the user's Default Business Group and any additional Business Group access.
6. Configure Content Groups if applicable to restrict data visibility.
7. Set Approval Limit if the user will act as an approver.
8. Click 'Save' to create the user. An activation email is sent to the user's email address.
9. User must click the activation link in the email to set their password and activate the account (unless SSO is configured, in which case the account activates on first SSO login).

Required fields: First Name, Last Name, Email, Login (username), At least one Role

Watch out for:

• The Login field must be unique across the instance; using email as the login is common practice but must be consistent.
• If SSO (SAML 2.0) is enabled, the Login or Email must exactly match the identity provider's NameID attribute or the mapped attribute, or login will fail.
• Activation emails can expire; administrators can resend activation from the user record.
• Users are not active until they complete the activation step; this is a common source of 'user can't log in' support tickets.
• Business Group assignment controls which organizational data the user can see and transact against; misconfiguration leads to users seeing no data or too much data.
• Coupa does not enforce password complexity by default unless configured under Setup > Security.

• Can delete users: No
• Delete/deactivate behavior: Coupa does not allow permanent deletion of user records. Users can only be deactivated (status set to 'Inactive'), which prevents login but preserves all historical transaction records, audit trails, and associations. This is by design to maintain procurement audit integrity.

1. Navigate to Setup > Users.
2. Search for and open the user record to be deactivated.
3. Change the 'Status' field from 'Active' to 'Inactive'.
4. Click 'Save'.
5. The user's session is terminated and they cannot log in. No notification is sent to the user automatically.

Watch out for:

• Approval chains referencing a deactivated user will cause transactions to stall in pending approval state; this must be remediated before or immediately after deactivation.
• Deactivated users still appear in historical reports and audit logs, which is expected behavior.
• If the user was a delegate or had delegates configured, delegation settings should be reviewed and removed.
• Coupa does not send an automated offboarding notification to the user upon deactivation.
• Reactivating a user restores their previous role assignments; verify roles are still appropriate before reactivating.

• Where to check usage: Setup > Users (filter by Status = Active to count active users); no dedicated license usage dashboard is documented in publicly available Coupa help content.
• How to identify unused seats: Filter Setup > Users by Status = Active, then cross-reference with last login date if available in the user list export. Coupa's reporting module may allow building a custom report on user last login timestamps.
• Billing notes: Coupa pricing is custom and contract-based. Seat counts and module access are defined at contract signing. Overages or additional users may require a contract amendment. Annual uplift of approximately 5% is commonly reported. Confirm seat reconciliation timing (real-time vs. annual true-up) with the Coupa account team.

Coupa uses custom, contract-based enterprise pricing - seat counts and module access are defined at signing, and overages may require a contract amendment. Requester-type users are the most common user type, but whether they consume named seats varies by contract; confirm with your Coupa account team before bulk-provisioning.

An approximately 5% annual uplift is commonly reported, so unreviewed inactive seats compound cost over time.

There is no built-in license usage dashboard. Identifying unused seats requires filtering Setup > Users by Status = Active, exporting the list, and cross-referencing last login timestamps via a custom report - a manual process with no shortcut.

Practitioners consistently flag three friction points in Coupa user management. First, approval chains are not automatically reassigned when a user is deactivated, causing purchase orders and invoices to stall in pending state - this must be remediated before or immediately after offboarding.

Second, activation emails expire without warning, generating repeat support tickets for new hires who never completed setup.

Third, Business Group and Content Group misconfiguration is a frequent audit finding: users either see no transactional data or far more than intended, because scope is configured separately from role assignment and defaults are rarely correct out of the box.

Common complaints:

• No native SCIM endpoint; user provisioning via IdP requires Okta Group Linking or custom API development, adding implementation complexity.
• Approval chain reassignment is not automated when a user is deactivated, causing transactions to stall.
• Activation email expiry causes repeated support tickets for new user onboarding.
• Business Group and Content Group configuration is complex and frequently misconfigured, leading to users seeing incorrect data scopes.
• No built-in license usage dashboard makes it difficult to identify inactive seats without custom reporting.
• Role assignment UI can be slow and cumbersome when managing large user populations.
• CSV bulk load for users requires strict template adherence and provides limited error messaging on failure.
• JIT provisioning via SAML does not always sync role changes from the IdP without additional configuration.

Coupa is appropriate for organizations that need granular, module-level procurement access control across large user populations.

The hybrid role model - predefined system roles plus configurable custom roles - covers most enterprise procurement structures, but every app of that complexity carries administrative overhead: role scoping, approval chain maintenance, and Business Group configuration all require ongoing attention.

If your team lacks a dedicated Coupa admin or an IdP integration (Okta is the most documented path), manual user lifecycle management will scale poorly. Overly permissive custom roles are a common audit finding; plan for periodic access reviews from day one.

Bottom line

Coupa gives procurement teams precise, layered access control across roles, Business Groups, and Content Groups, but that precision comes with real administrative weight.

There is no native SCIM, no automated approval-chain reassignment on offboarding, and no built-in seat usage dashboard - meaning every app of user lifecycle management from onboarding to deactivation requires deliberate process design.

Teams that invest in IdP integration and structured access review cycles will get the most out of the platform; those relying on ad hoc manual administration will accumulate stalled approvals, expired activations, and unreviewed seats.