Summary and recommendation
Deel user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Deel is a global HR and payroll platform that manages contractors, EOR employees, global payroll, and US payroll from a single dashboard. User management lives at Settings → Team (https://app.deel.com/settings/team) and covers two distinct populations: team members (admins, managers, finance roles) and workers (contractors, employees), each managed through entirely separate flows.
Getting every app in your stack aligned with Deel's access state matters because worker accounts are created automatically via contract generation, not through the standard invite flow-a distinction that trips up most HR and IT teams on day one.
Quick facts
| Admin console path | Settings → Team (within the Deel web app) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full access to all Deel features including billing, contracts, payroll, integrations, and user management. Can add/remove admins and team members. | Cannot be removed or demoted by other admins; only the account owner can transfer ownership. | All plans | No additional seat cost; included in base plan | Only one Owner per organization. Ownership transfer requires contacting Deel support. |
| Admin | Can manage contracts, workers, payroll runs, integrations, and invite/remove team members. Access to most organization-level settings. | Cannot transfer ownership or access billing settings unless explicitly granted. Cannot exceed permissions of the Owner. | All plans | No additional seat cost | Admins can invite other admins, which can lead to unintended privilege escalation if not monitored. |
| Employee/Worker | Access to their own profile, contracts, pay slips, time-off requests, and expense submissions. Cannot view other workers' data. | Cannot access organization settings, other workers' contracts, or payroll data. | All plans | Included as part of the per-worker pricing (EOR, contractor, payroll fees) | Worker accounts are created automatically when a contract is generated; they are not manually invited as team members. |
| Manager / Limited Admin | Can view and manage a defined subset of workers or departments. Scope is restricted to assigned direct reports or teams. | Cannot access workers outside their assigned scope. Cannot manage billing or organization-wide settings. | All plans (granular scope controls may require higher tiers) | No additional seat cost | Scope of access must be explicitly configured per manager; default is no access until assigned. |
| Finance / Payroll Manager | Access to payroll runs, invoices, payment approvals, and financial reporting. Can approve and process payments. | Cannot manage contracts or worker onboarding unless also granted Admin role. | Available on paid plans; specific availability depends on product module (Global Payroll, US Payroll, etc.) | No additional seat cost | Role scope is tied to specific payroll modules; a Finance Manager on US Payroll may not have access to Global Payroll data. |
Permission model
- Model type: hybrid
- Description: Deel uses a combination of predefined roles (Owner, Admin, Manager, Finance) and granular permission scopes that can be customized per team member. Admins can restrict a team member's access to specific workers, departments, legal entities, or countries. This creates a hybrid model where base roles define capability categories and scope settings define data visibility.
- Custom roles: Yes
- Custom roles plan: Available on paid plans; full custom role granularity (e.g., per-entity or per-country scoping) is more fully featured on higher-tier or Enterprise plans.
- Granularity: Permissions can be scoped by: individual worker, department, legal entity, country, and product module (e.g., EOR, Contractor, Payroll). Admins can grant view-only or edit access per section.
How to add users
- Log in to Deel and navigate to Settings → Team.
- Click 'Invite team member' or the equivalent invite button.
- Enter the invitee's email address.
- Select the appropriate role (Admin, Manager, Finance, etc.).
- Configure permission scope: assign access to specific workers, departments, legal entities, or countries as needed.
- Click 'Send invite'. The invitee receives an email to create or link their Deel account.
- The new team member appears as 'Pending' until they accept the invitation.
Required fields: Email address, Role selection
Watch out for:
- Invitations expire if not accepted within a set period; admins must resend if the link lapses.
- Worker (contractor/employee) accounts are created via contract generation, not via the team member invite flow.
- Permission scope defaults to broad access if not explicitly restricted at invite time; admins should configure scope before sending.
- SSO-enforced organizations may require the invitee to authenticate via the configured IdP before accessing Deel.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (requires SSO to be enabled as a prerequisite) |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Deel does not permanently delete team member (admin/manager) accounts. Removing a team member deactivates their access to the organization. Worker accounts tied to active or historical contracts are retained for compliance and audit purposes and cannot be deleted. Deactivated team members lose login access but their activity history and associated records are preserved.
- Navigate to Settings → Team in the Deel web app.
- Locate the team member to be removed.
- Click the options menu (three dots or similar) next to their name.
- Select 'Remove' or 'Deactivate'.
- Confirm the action in the dialog prompt.
- The team member's access is revoked immediately; they receive no further access to the organization's Deel account.
| Data impact | Behavior |
|---|---|
| Owned records | Contracts, payroll records, and documents associated with the removed team member's actions are retained and remain accessible to remaining admins. |
| Shared content | Any approvals, comments, or workflow actions taken by the removed user remain in the audit log and are not deleted. |
| Integrations | If the removed user was the integration owner (e.g., HRIS or accounting sync), the integration may need to be re-authenticated by an active admin. |
| License freed | Removing a team member (admin/manager role) does not directly reduce per-worker billing costs. Worker seat costs are tied to active contracts, not admin user count. |
Watch out for:
- Removing an admin who is the sole owner of a critical integration (e.g., QuickBooks, BambooHR sync) will break that integration until re-authenticated.
- If SCIM provisioning is active, deprovisioning the user in the IdP will automatically revoke Deel access; manual removal in Deel is redundant but not harmful.
- Worker accounts (contractors, EOR employees) cannot be deactivated via the team member removal flow; their access is managed through contract termination.
- There is no bulk deactivation option in the UI; each team member must be removed individually unless using SCIM.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| EOR Employee | Employer of Record services, local compliance, benefits administration, payroll processing | $599/month per employee (standard rate; volume discounts available on Enterprise) |
| Contractor | Contract management, invoicing, payment processing, compliance documents | $49/month per contractor |
| Global Payroll Employee | Payroll processing for employees in supported countries where the client is the legal employer | $29/employee/month |
| US Payroll Employee | US domestic payroll processing, tax filings, direct deposit | $19/employee/month |
| US PEO Employee | Professional Employer Organization co-employment, benefits, HR support in the US | $89/employee/month |
| Deel HR (Free) | Core HR features: org chart, time-off tracking, document storage, basic people management. No payroll or EOR. | Free (up to a stated headcount limit; verify current limit with Deel) |
| Admin/Manager Team Member | Access to Deel platform to manage workers, contracts, and payroll. Not a billable worker seat. | No additional cost; included in the organization's plan |
- Where to check usage: Settings → Billing or the Deel dashboard overview shows active worker counts by contract type. Detailed usage can be reviewed under Reports → Contracts.
- How to identify unused seats: Review the Team section (Settings → Team) for pending invitations that have not been accepted. For worker seats, run a contract status report under Reports → Contracts and filter by 'Active' to identify workers with no recent activity or upcoming contract end dates.
- Billing notes: Billing is per active worker contract, not per admin user. Costs are incurred when a contract is active; terminating a contract stops the associated billing at the next billing cycle. EOR and contractor fees are charged monthly. Deel HR (free tier) does not include payroll or EOR and has no per-seat cost. Enterprise pricing is custom and negotiated directly with Deel sales.
The cost of manual management
Billing in Deel is per active worker contract, not per admin seat. Admin and manager team members carry no additional per-seat cost; costs are incurred only when a worker contract is active and stop at the next billing cycle after termination.
The free Deel HR tier covers core people management with no payroll or EOR capability and no per-seat charge. Paid tiers are priced by contract type: US Payroll at $19/employee/month, Global Payroll at $29/employee/month, Contractor at $49/month, US PEO at $89/employee/month, and EOR at $599/month.
Enterprise pricing is negotiated directly with Deel sales; SCIM provisioning is gated to the Enterprise plan.
What IT admins are saying
The most consistent pain point reported by admins is silent integration breakage: removing an admin who owns a third-party integration (e.g., QuickBooks, BambooHR) breaks that sync with no automated alert to remaining admins.
Permission scope configuration is a close second-the UI makes it easy to grant broader access than intended, and the default at invite time is wide-open unless explicitly restricted.
Teams also flag that pending invitations show no visible expiry date, making it unclear when a resend is needed. Bulk deactivation of admin users is not available in the UI; each removal is a manual, one-by-one action.
Common complaints:
- Users report that removing an admin who owns integrations silently breaks those integrations with no automated notification to other admins.
- Some admins note that the permission scope configuration UI is not intuitive, making it easy to accidentally grant broader access than intended.
- HR teams report confusion between the 'team member invite' flow (for admins/managers) and the 'contract creation' flow (for workers), as they are entirely separate processes.
- Users on lower-tier plans report that granular per-entity or per-country permission scoping is limited compared to what is available on Enterprise.
- Community feedback indicates that bulk deactivation of admin users is not available in the UI, requiring manual one-by-one removal for offboarding multiple admins simultaneously.
- Some users report that pending invitations do not have a clearly visible expiry date in the UI, leading to confusion about whether to resend.
- Admins note that SCIM provisioning requires both Enterprise plan and SSO to be active, making automated lifecycle management inaccessible on lower tiers.
The decision
Manual user management in Deel is workable for small teams but does not scale cleanly. The hybrid permission model-predefined roles plus granular scope settings per entity, country, or department-gives precise control, but that precision requires deliberate configuration at every invite.
Worker offboarding is the highest-risk step: SCIM deactivation (on Enterprise) disables login but does not terminate contracts, and contract termination is a separate action that must be taken explicitly.
Teams without SCIM should build a checklist that covers both the Settings → Team removal and the contract termination flow to avoid leaving payroll obligations running after an employee departs.
Bottom line
Deel's access model is purpose-built for global workforce complexity, but that complexity surfaces directly in day-to-day administration. Every app that depends on Deel as an HR source of truth-your IdP, your HRIS integrations, your finance tools-is only as current as your offboarding discipline.
The split between the team member invite flow and the contract creation flow is the single most common source of access gaps; understanding which flow governs which population, and building removal checklists that cover both, is the baseline requirement for keeping access state accurate across your stack.
Automate Deel workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
