Infor HCM User Management Guide

• Model type: role-based
• Description: Infor HCM uses a role-based access control (RBAC) model administered through Infor OS Security. Security roles are assigned to users and control access to application features, data classes, and actions. Data security is further controlled through Security Groups and Organization Unit (OU) filtering, which restrict which employee records a user can view or modify.
• Custom roles: Yes
• Custom roles plan: Enterprise (CloudSuite); custom role creation is available to Security Administrators within the platform.
• Granularity: Role-level access to application features combined with data-level filtering via Security Groups and OU assignments. Field-level security is available in some HCM modules.

1. Log in to the Infor OS Admin Console (IFS) as a System Administrator or Security Administrator.
2. Navigate to User Management within IFS.
3. Select 'Create User' and enter required identity fields.
4. Assign the user to the appropriate Infor OS tenant and application.
5. Assign one or more Security Roles appropriate to the user's function.
6. Assign the user to relevant Security Groups and Organizational Units for data-level access.
7. If SSO is configured, ensure the user's identity provider account is linked or will be federated via SAML/SCIM.
8. Save and notify the user of their access credentials or SSO login path.

Required fields: First Name, Last Name, Email Address, Username (typically email or employee ID), Tenant assignment, Security Role(s)

Watch out for:

• Users must be provisioned in both Infor OS (IFS) and the specific HCM application layer; a gap between the two causes authentication errors.
• If SCIM provisioning is active, manual user creation in IFS may conflict with IdP-driven provisioning and cause duplicate or inconsistent records.
• Security Group and OU assignments are separate from role assignment and are frequently missed during onboarding, resulting in users with correct roles but no visible data.
• Infor HCM does not publicly document a self-service user invitation flow; provisioning is administrator-driven.

• Can delete users: No
• Delete/deactivate behavior: Infor HCM follows standard HCM/ERP data retention practices where employee and user records are typically deactivated (inactivated) rather than permanently deleted, to preserve audit trails, historical payroll records, and compliance data. Hard deletion of user records is generally not supported through the standard admin UI and may require Infor Professional Services or a database-level operation under specific contractual terms.

1. Log in to the Infor OS Admin Console (IFS) as a System Administrator or Security Administrator.
2. Navigate to User Management and locate the user record.
3. Set the user's status to 'Inactive' or 'Disabled'.
4. Remove or revoke assigned Security Roles to prevent any residual access.
5. If the user is provisioned via SCIM/IdP, deprovision the user in the identity provider to trigger automatic deactivation in Infor OS.
6. In the HCM application layer, terminate or inactivate the associated employee record per HR workflow (if applicable).

Watch out for:

• Deactivating a user in Infor OS does not automatically terminate their employee record in the HCM application; both actions must be performed independently.
• If SSO/SCIM is in use, deprovisioning must occur in the IdP to fully block access; disabling only in Infor OS may leave the IdP session active.
• License seat reclamation is not always immediate and may require manual confirmation with Infor support or account management.
• Orphaned workflow tasks or approval chains assigned to a deactivated user can stall business processes; reassignment of pending tasks is recommended before deactivation.

• Where to check usage: Infor OS Admin Console > License Management (availability and path vary by tenant version and contracted modules; some organizations rely on Infor account management reports for usage data).
• How to identify unused seats: Infor OS may provide last-login timestamps within User Management. Identifying unused seats typically requires cross-referencing active user accounts against last-login data or requesting a usage report from Infor support.
• Billing notes: Pricing is contract-based and negotiated directly with Infor or via AWS Marketplace for CloudSuite deployments. Implementation costs are separate from license fees and typically range from $500K to $5M+ depending on scope. Per-user pricing is not publicly disclosed. License true-ups and seat adjustments are handled through contract amendments with the Infor account team.

Manual provisioning in Infor HCM carries a compounding overhead that most teams underestimate. Every app requires two separate provisioning actions: one in Infor OS/IFS to create the login identity, and one in the HCM application layer to create or activate the employee record.

Missing either step produces login failures or blank-screen experiences with no clear error.

Security Group and OU assignments are a third, frequently skipped step. Users provisioned with correct roles but no Security Group assignments will authenticate successfully but see no data - a gap that typically surfaces only after the user reports the issue.

Identifying unused license seats adds further overhead, as built-in visibility is limited and usage data often requires a manual report request from Infor support.

Administrators consistently flag the dual-layer provisioning requirement - IFS plus the HCM application - as the leading source of onboarding errors. The failure mode is subtle: the user can log in, but modules or data are missing because one layer was not completed.

Security Group and OU configuration is widely described as complex and under-documented, with many teams requiring Infor Professional Services to get it right.

SCIM setup with Okta and Entra ID is reported as sensitive to attribute mapping errors, and detailed admin documentation is largely behind authenticated tenant portals, limiting self-service troubleshooting.

Offboarding carries its own compliance risk: deactivating a user in Infor OS does not terminate their HCM employee record. Teams that complete only one step may leave payroll or benefits active after access is revoked.

Common complaints:

• Users report that the dual-layer provisioning requirement (Infor OS/IFS plus the HCM application layer) is a frequent source of onboarding errors, with users able to log in but seeing no data or modules.
• Security Group and Organizational Unit configuration is described as complex and poorly documented, often requiring Infor Professional Services engagement to configure correctly.
• Administrators report difficulty identifying unused license seats without requesting manual reports from Infor support, as built-in license usage visibility is limited.
• The separation between deactivating a user in Infor OS and terminating an employee record in the HCM application is a common source of compliance risk, as organizations may complete one step but not the other.
• SCIM provisioning setup with Okta and Entra ID is reported to require significant configuration effort and is sensitive to attribute mapping errors that cause provisioning failures.
• Community members note that detailed admin documentation for Infor HCM is largely behind authenticated tenant portals, making it difficult for new administrators to self-serve.

Manual administration is viable for organizations with a stable, low-turnover workforce and a dedicated Infor administrator who understands both the IFS and HCM application layers. The RBAC model is expressive, and Security Groups provide fine-grained data access control when configured correctly.

For organizations with frequent onboarding and offboarding, the dual-layer provisioning requirement and the separation between IFS deactivation and HCM termination create meaningful compliance exposure. SCIM provisioning via an IdP reduces IFS provisioning overhead but does not eliminate the need to manage HCM employee records separately.

Teams should confirm Security Group and OU assignment ownership before going live with any provisioning workflow.

Bottom line

Infor HCM's access model is powerful but layered: every app in the suite depends on IFS identity, RBAC roles, and data-level Security Group assignments all being correct simultaneously.

Manual administration works at small scale with experienced operators, but the dual-layer provisioning requirement - IFS plus HCM application - and the independent offboarding steps for login and employment records create compounding risk as headcount or turnover grows.

Organizations should treat Security Group and OU configuration as a first-class provisioning step, not an afterthought, and establish a clear offboarding checklist that covers both IFS deactivation and HCM termination workflow completion.