Summary and recommendation
Oyster user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Oyster is a global employment platform covering Employer of Record (EOR), contractor management, global payroll, and Agent of Record services. Internal platform access is managed through Settings → Team Members at app.oysterhr.com/settings/team. Roles are fixed at three tiers - Admin, Manager, and Member - with no custom or field-level permission options documented.
Member accounts (employees and contractors) are created automatically through the hiring and onboarding workflow, not through the Team Members invite flow. Only Admin and Manager roles are manually provisioned via invitation. SSO via Okta is available but must be configured separately.
Quick facts
| Admin console path | Settings → Team Members (or Settings → Users) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Unknown |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Admin | Full platform access: invite/remove users, manage all employees and contractors, configure integrations, view billing, approve expenses and time off, manage company settings. | All plans | No additional seat cost documented; platform access is included with active employee/contractor subscriptions. | At least one Admin must remain active on the account at all times; you cannot remove the last Admin. | |
| Manager | Can view and manage direct reports, approve time off and expenses for assigned team members, view employee profiles within their scope. | Cannot access billing, company-wide settings, or manage users outside their assigned team. | All plans | No additional seat cost documented. | Manager scope is limited to explicitly assigned direct reports; cross-team visibility requires Admin role. |
| Member (Employee/Contractor) | Self-service access: view own profile, submit expenses, request time off, access documents and payslips. | Cannot manage other users, view company-wide data, or access settings. | All plans | Seat cost is the underlying employment/contractor subscription fee (e.g., $29/mo per contractor, $599-699/mo per EOR employee). | Member accounts are created automatically when an employee or contractor is onboarded; they are not separately provisioned. |
Permission model
- Model type: role-based
- Description: Oyster uses a fixed set of predefined roles (Admin, Manager, Member). Permissions are assigned by role and cannot be individually customized per user. Manager scope can be configured by assigning direct reports.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level only; no field-level or object-level permission customization documented.
How to add users
- Log in to Oyster at app.oysterhr.com.
- Navigate to Settings → Team Members.
- Click 'Invite Team Member' or equivalent invite button.
- Enter the invitee's email address.
- Select the appropriate role (Admin or Manager).
- Optionally assign direct reports if the role is Manager.
- Send the invitation; the invitee receives an email to set up their account.
Required fields: Email address, Role (Admin or Manager)
Watch out for:
- Employee and contractor accounts are created through the hiring/onboarding workflow, not through the Team Members invite flow.
- Invitations expire if not accepted within a set period; the exact expiry window is not publicly documented.
- SSO must be configured separately via Okta integration; invited users will use SSO if it is enabled for the organization.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | SSO (Okta) available; specific plan requirement not publicly documented. Webhook-based deprovisioning only; no SCIM provisioning. |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Oyster does not expose a hard-delete option for platform users in the admin UI. Admins can deactivate or revoke access for internal team members (Admins/Managers). Employee and contractor records are retained for compliance and payroll audit purposes and cannot be deleted.
- Log in to Oyster at app.oysterhr.com.
- Navigate to Settings → Team Members.
- Locate the user to be removed.
- Select the option to remove or revoke access for that user.
- Confirm the action; the user loses platform access immediately.
| Data impact | Behavior |
|---|---|
| Owned records | Employee and contractor records, documents, and payroll history are retained after a user's access is revoked, in line with compliance requirements. |
| Shared content | Shared documents and contracts remain accessible to Admins after the user is deactivated. |
| Integrations | Webhook-based deprovisioning via Okta SSO can trigger downstream access revocation in connected IdP; no native SCIM deprovisioning. |
| License freed | Removing an internal team member (Admin/Manager) does not directly reduce billing. Billing is tied to active employee/contractor subscriptions, not to internal user seats. |
Watch out for:
- Offboarding an employee or contractor is a separate workflow from removing an internal platform user (Admin/Manager); both may be required when an HR team member departs.
- Deprovisioning via Okta webhook requires the SSO integration to be active and correctly configured; misconfiguration can leave orphaned sessions.
- The last Admin on an account cannot be removed; a replacement Admin must be assigned first.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Contractor Management | Contractor onboarding, payments, compliance documents, self-service portal. | $29/contractor/month (first 30 days free per contractor) |
| Global Payroll | Payroll processing for employees in supported countries. | $25–$50/employee/month |
| Employer of Record (EOR) | Full EOR employment, benefits, compliance, HR support. | $599/employee/month (annual), $699/employee/month (monthly) |
| Agent of Record (AOR) | Contractor compliance and classification via Oyster as Agent of Record. | $200/contractor/month |
| Scale Plan | Discounted EOR rates for organizations with 3+ employees; dedicated support. | Custom pricing (contact sales) |
- Where to check usage: Settings → Billing or the main dashboard; exact path not publicly documented in detail.
- How to identify unused seats: No documented automated tool for identifying unused seats. Admins should audit active employee/contractor records in the People section and cross-reference with billing.
- Billing notes: Billing is per active employee or contractor subscription, not per internal platform user (Admin/Manager). Removing an internal team member does not reduce the monthly bill. Charges apply per active EOR employee or contractor regardless of how many internal Admins/Managers have access.
The cost of manual management
Billing in Oyster is tied to active employee and contractor subscriptions, not to the number of internal Admin or Manager users. Removing an internal team member does not reduce the monthly bill. Charges apply per active EOR employee or contractor regardless of how many Admins have platform access.
Because there is no documented automated tool for identifying unused seats, Admins must manually audit active records in the People section and cross-reference with billing. Without a routine audit cadence, stale contractor or EOR seats can accumulate unnoticed across every app in the HR stack that mirrors Oyster's headcount data.
What IT admins are saying
Practitioners on G2 and Capterra flag that offboarding an employee or contractor and removing an internal Admin or Manager are two separate workflows, which causes confusion when HR staff depart. Both actions may be required simultaneously, and missing either step leaves access gaps.
Users also note limited role granularity: the Manager role cannot be scoped beyond direct-report assignment, and there is no audit log view prominently surfaced in the UI to identify who holds Admin access.
The absence of native SCIM provisioning is a recurring friction point, with the Okta webhook requiring careful configuration to avoid orphaned sessions.
Common complaints:
- Users report that offboarding workflows for employees and removing internal admin users are separate processes, causing confusion when HR staff leave the organization.
- Some users note that the lack of native SCIM provisioning makes automated user lifecycle management difficult, requiring manual steps or webhook configuration.
- Reviewers on G2 and Capterra mention limited granularity in role permissions, noting that the Manager role cannot be scoped beyond direct-report assignment.
- Users have noted that the Okta SSO integration requires careful webhook configuration and that deprovisioning is not fully automated without additional setup.
- Some customers report difficulty identifying which internal users have Admin access, as there is no dedicated audit log view prominently surfaced in the UI.
The decision
Oyster suits teams that need a managed global employment layer and can tolerate manual provisioning workflows for internal platform users. The fixed role model (Admin, Manager, Member) covers most HR team structures without requiring configuration overhead.
Teams with strict automated lifecycle requirements or multi-IdP environments will find the Okta-only, webhook-based deprovisioning limiting. The lack of native SCIM means every app that depends on Oyster user state requires a manual or webhook-mediated sync rather than a standardized provisioning flow.
At least one Admin must remain active at all times; plan role transitions before removing departing Admins.
Bottom line
Oyster handles global employment complexity well but keeps internal user management deliberately simple - three fixed roles, manual invitations for Admins and Managers, and automated Member creation through onboarding.
The trade-off is limited automation: deprovisioning relies on an Okta SSO webhook rather than native SCIM, and seat auditing is a manual process.
Teams comfortable with that operational model will find the platform straightforward; teams requiring automated, bidirectional identity lifecycle management should factor in the additional configuration and monitoring overhead before committing.
Automate Oyster workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
