Summary and recommendation
Oracle CX Sales user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Oracle CX Sales user management runs through two separate consoles depending on the task: Navigator > Tools > Security Console handles role assignments and account status, while Navigator > My Team > Manage Users covers basic user creation.
Every app in your stack that touches sales data depends on getting this right, because role assignment alone does not grant data access - territory assignment and resource hierarchy setup are required separately and live in a different part of the UI.
The permission model is role-based, layered across Job Roles (job-function level) and Duty Roles (task level), with row-level data access controlled by Data Security Policies tied to territories and business units. Custom roles are available on all subscription tiers and are created by copying predefined roles in the Security Console.
Quick facts
| Admin console path | Navigator > Tools > Security Console (for roles and users) OR Navigator > My Team > Manage Users (for basic user creation) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Sales Administrator | Full configuration access: manage users, roles, territories, forecasting, product catalog, and system setup. Can access all CX Sales setup and administration tasks. | Cannot perform Oracle Cloud Infrastructure (OCI) tenancy-level administration; that requires a separate OCI IAM administrator role. | Any Oracle CX Sales subscription | Counts as a named user seat; pricing starts at approximately $65/user/month depending on edition. | Sales Administrator is a predefined job role. Assigning it grants broad access; Oracle recommends creating a custom role with only required privileges for least-privilege compliance. |
| Sales Representative | Create and manage leads, opportunities, contacts, accounts, and activities within assigned territories. Access to forecasting and pipeline views. | Cannot access Security Console, manage other users, or modify system configuration. | Any Oracle CX Sales subscription | Named user seat; approximately $65–$300/user/month depending on edition. | Territory assignment controls data visibility; a Sales Rep without a territory assignment may see no records even after provisioning. |
| Sales Manager | All Sales Representative permissions plus visibility into direct reports' pipelines, team forecasting, and coaching tools. | Cannot administer system configuration or manage users outside their reporting hierarchy. | Any Oracle CX Sales subscription | Named user seat; same pricing tier as Sales Representative. | Manager hierarchy must be correctly configured in HCM or the user directory for team visibility to work; mismatched reporting lines cause blank team dashboards. |
| Incentive Compensation Analyst | Manage compensation plans, calculate earnings, and run incentive reports. | Cannot access core sales pipeline or opportunity management without additional roles. | Requires Oracle Incentive Compensation module (add-on or higher-tier subscription). | This is a separate licensed module; assigning the role without the module license will result in access errors. | |
| Read-Only / Partner User | View-only access to assigned records; used for partner portal or limited external access scenarios. | Cannot create or edit records; cannot access administrative functions. | Partner users are managed through Oracle Partner Relationship Management (PRM), which may require a separate subscription. |
Permission model
- Model type: role-based
- Description: Oracle CX Sales uses a role-based access control (RBAC) model built on Oracle Fusion Applications Security. Access is governed by Job Roles (coarse-grained, job-function-level) and Duty Roles (fine-grained, task-level). Job Roles are assigned to users; Duty Roles are inherited through role hierarchies. Data access is further controlled by Data Security Policies that restrict which rows a user can see based on territory, business unit, or resource hierarchy.
- Custom roles: Yes
- Custom roles plan: Available on all Oracle CX Sales subscriptions; custom roles are created in the Security Console by copying and modifying predefined roles.
- Granularity: Function-level (UI actions, REST API access) via Duty Roles and Privileges; row-level data access via Data Security Policies tied to territories, business units, and resource hierarchies.
How to add users
- Navigate to Navigator > Tools > Security Console.
- Click the 'Users' tab.
- Click 'Add User Account'.
- Enter required fields: Last Name, First Name, Email, and User Name.
- Optionally set a password or select 'Send auto-generated password' to email the user.
- Under 'Roles', click 'Add Role' and search for the appropriate Job Role(s) (e.g., 'Sales Representative').
- Click 'Save and Close'.
- If the user needs territory-based data access, separately assign them to a territory via Navigator > Sales > Territories.
Required fields: Last Name, First Name, Email Address, User Name (must be unique; typically email format)
Watch out for:
- User creation in the Security Console creates an Oracle Identity Cloud Service (IDCS) or OCI IAM account; the user must also be associated with a Person record (Worker or Contact) in HCM if HR-linked attributes are needed.
- Role assignment alone does not grant data access; territory assignment and resource hierarchy setup must be completed separately.
- Email delivery of auto-generated passwords depends on the instance's SMTP configuration being active; test before bulk provisioning.
- User names cannot be changed after creation in most configurations; plan naming conventions carefully.
- New users may not appear in CX Sales search or assignment lists until the LDAP synchronization job runs (scheduled or manually triggered via Navigator > Tools > Scheduled Processes > 'Send Pending LDAP Requests').
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Navigator > Tools > Import Management > Import Users (uses File-Based Data Import / FBDI template for users and role assignments) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Available on all Oracle CX Sales subscriptions that include Oracle Identity Cloud Service (IDCS) or OCI IAM integration; SCIM 2.0 endpoint at /hcmRestApi/scim/Users supports automated provisioning from Okta or Microsoft Entra ID. |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Oracle CX Sales does not support hard deletion of user accounts through the standard UI. Users are deactivated (their account status is set to inactive), which revokes login access and removes them from active user lists. The user record and all associated data are retained. This aligns with Oracle Fusion Applications' audit and data integrity requirements.
- Navigate to Navigator > Tools > Security Console.
- Click the 'Users' tab and search for the user by name or email.
- Click the user's name to open their account.
- Click 'Edit'.
- Change the 'Account Status' field to 'Inactive'.
- Click 'Save and Close'.
- Optionally, remove all role assignments before deactivating to ensure no residual access if the account is ever reactivated.
- Run the 'Send Pending LDAP Requests' scheduled process to propagate the change.
| Data impact | Behavior |
|---|---|
| Owned records | All records owned by the deactivated user (opportunities, leads, accounts, contacts) remain in the system and retain the deactivated user as owner. Administrators must manually reassign ownership using mass-update tools or territory reassignment workflows. |
| Shared content | Shared reports, dashboards, and list views created by the deactivated user remain accessible to users with whom they were shared. The deactivated user's personal (private) content becomes inaccessible. |
| Integrations | SCIM-based provisioning from an IdP will reflect the deactivated status on the next sync cycle. Any API integrations using the deactivated user's credentials will fail; service accounts should use dedicated integration user accounts. |
| License freed | Deactivating a user frees the named user seat for reassignment. Oracle licenses are typically reconciled at contract renewal; confirm with your Oracle account manager whether mid-term seat reallocation is permitted under your agreement. |
Watch out for:
- Deactivated users still appear in historical audit logs and as record owners; this can cause confusion in pipeline reports if ownership is not reassigned.
- If the user was a territory owner or resource hierarchy node, their deactivation can break territory coverage and team visibility for active users below them in the hierarchy.
- Reactivating a previously deactivated user restores their account but does not automatically restore role assignments if those were removed during deactivation.
- Oracle does not provide a bulk deactivation UI; deactivating large numbers of users requires either individual processing in the Security Console or a SCIM API call per user.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Oracle CX Sales Named User | Access to core CX Sales functionality: accounts, contacts, leads, opportunities, activities, forecasting, and standard reporting. Includes Oracle Identity Cloud Service (IDCS) user entitlement. | Approximately $65–$300/user/month depending on edition and contract; exact pricing requires Oracle sales engagement. |
| Oracle CX Sales Plus / Enterprise Named User | All base CX Sales features plus advanced AI-driven features (Oracle Adaptive Intelligence), advanced analytics, and additional API call volumes. | Higher tier within the $65–$300/user/month range; exact pricing requires Oracle sales engagement. |
| Oracle Incentive Compensation Named User (Add-on) | Incentive plan management, earnings calculation, and compensation reporting. |
- Where to check usage: Navigator > Tools > Security Console > Users tab (filter by Active status to count active named users); Oracle also provides license usage reports through the Oracle Cloud Customer Connect portal and your Oracle Universal Credits dashboard.
- How to identify unused seats: Filter the Security Console Users list by 'Last Login Date' to identify accounts that have not logged in within a defined period. Oracle does not provide a native 'unused seat' report in the CX Sales UI; administrators typically export the user list and analyze last-login data externally.
- Billing notes: Oracle CX Sales is sold as a named user subscription, typically on annual or multi-year contracts. Seat counts are reconciled at renewal. Adding users mid-term may require a contract amendment. Deactivating users frees seats contractually only as permitted by your specific agreement; consult your Oracle account manager. Oracle Universal Credits customers may have more flexibility in reallocating seats across services.
The cost of manual management
Oracle does not provide a bulk deactivation tool in the UI. Offboarding large cohorts means processing each account individually in the Security Console or scripting SCIM API calls per user - a significant time cost at scale.
After creating a user, a scheduled LDAP synchronization job ('Send Pending LDAP Requests') must complete before the new account appears in CX Sales assignment fields. This job can be triggered manually via Navigator > Tools > Scheduled Processes, but the dependency is easy to miss and causes provisioning delays.
There is no native 'unused seat' report in the CX Sales UI. Identifying inactive accounts requires exporting the user list from the Security Console and analyzing last-login data externally - a manual step that compounds at renewal time when seat counts are reconciled.
What IT admins are saying
Administrators consistently flag the territory-assignment gap: users provisioned with correct roles still see no records until territory setup is completed separately, and this step is not surfaced during user creation.
The Security Console is reported as slow and difficult to navigate for organizations managing hundreds or thousands of users. Role hierarchy complexity - Job Roles inheriting Duty Roles inheriting Privileges - makes access troubleshooting time-consuming, with no built-in 'effective permissions' view for a given user.
Oracle's licensing structure is a recurring friction point. Understanding which features are included at which tier typically requires direct engagement with an Oracle sales representative rather than self-service documentation.
Common complaints:
- Users report that the LDAP synchronization job ('Send Pending LDAP Requests') must be manually triggered or waited upon after user creation before the new user appears in CX Sales assignment fields, causing delays in provisioning.
- Administrators note that there is no bulk deactivation tool in the UI; deactivating large cohorts of users requires individual manual steps or custom SCIM API scripting.
- Territory assignment being separate from user creation is a frequent source of confusion; newly created users with correct roles still cannot see data until territory setup is completed.
- The Security Console is described as slow and difficult to navigate when managing large user populations (hundreds or thousands of users).
- Customers report that Oracle's licensing model makes it difficult to understand exactly which features are included at which price tier without direct engagement with an Oracle sales representative.
- Role hierarchy complexity (Job Roles inheriting Duty Roles inheriting Privileges) makes troubleshooting access issues time-consuming; there is no simple 'effective permissions' view for a given user.
- Reactivating a previously deactivated user does not restore their previous role assignments, requiring administrators to manually re-add roles.
The decision
Manual management in Oracle CX Sales is viable for small, stable teams where provisioning events are infrequent. The multi-step nature of full provisioning - user creation, role assignment, territory assignment, LDAP sync - means every app touchpoint requires deliberate follow-through, and skipping any step produces a user who can log in but sees no data.
For organizations with regular onboarding and offboarding volume, the absence of bulk operations and the LDAP sync dependency create compounding overhead. The lack of a native unused-seat report also means license hygiene requires recurring manual effort outside the platform.
Teams on Oracle Fusion Cloud CX Sales v11.12.1.0.0 or later with SSO configured have access to native SCIM 2.0, which addresses bulk provisioning and deactivation at the cost of additional integration complexity - particularly around role and territory assignment, which SCIM does not handle.
Bottom line
Oracle CX Sales manual user management is thorough but deliberately multi-step: provisioning a single user correctly requires actions across the Security Console, territory management, and a scheduled sync job.
Every app that relies on sales data visibility is downstream of this setup, so incomplete provisioning produces silent failures - users who exist but see nothing. For small teams, the process is manageable with a documented runbook.
For larger organizations, the absence of bulk tools and native license reporting makes manual management a sustained operational cost that grows with headcount.
Automate Oracle CX Sales workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
