Summary and recommendation
Paychex user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide covers the exact mechanics and shows where automation has the biggest impact.
Paychex Flex uses a role-based permission model with four primary roles: Primary Administrator, Administrator, Manager, and Employee (Self-Service). There are no fully custom roles available as a self-service feature - granularity is limited to toggling predefined module-level permissions (payroll, HR, benefits, time & attendance, reporting) per Administrator or Manager.
User management lives at Admin → User Management inside Paychex Flex (myapps.paychex.com).
Quick facts
| Admin console path | Paychex Flex → (top navigation) Admin → User Management |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Essentials ($39/mo+) to Enterprise ($95/mo+) |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Primary Administrator | Full access to all Paychex Flex modules including payroll, HR, benefits, reporting, and user management. Can create and manage all other user roles. Can configure SSO and security settings. | | All plans (Essentials and above) | Included in base subscription | Only one Primary Administrator is designated per account by default; changing the Primary Administrator requires contacting Paychex support directly. |
| Administrator | Broad access to payroll, HR, and reporting modules as granted by Primary Administrator. Can manage employees and run payroll depending on permissions assigned. | Cannot modify Primary Administrator settings or account-level billing without Primary Administrator elevation. | All plans (Essentials and above) | Included in base subscription | Permissions are configured per administrator; scope can vary widely depending on what the Primary Administrator grants. |
| Employee (Self-Service User) | Access to personal pay stubs, W-2s, benefits enrollment, time-off requests, and personal profile updates via Paychex Flex Employee Self-Service. | Cannot access other employees' data, run payroll, or modify company-level settings. | All plans (Essentials and above); self-service portal access is included | Included per-employee fee in subscription (e.g., $5/employee/month on Essentials) | Employee self-service access is activated when the employee record is created; employees receive an email invitation to register. If the employee does not complete registration, the account remains in a pending state. |
| Manager | Access to direct reports' time and attendance, time-off approvals, and HR data for their team, as configured by an Administrator. | Cannot run payroll or access employees outside their assigned team without additional permissions. | Available on plans that include HR and time management modules (Pro, Select, Enterprise) | Included in per-employee fee | Manager access scope must be explicitly configured by an Administrator; it is not automatically assigned based on org chart data. |
| Accountant/Third-Party Access | Read or limited write access to payroll and reporting data, granted to external accountants or third-party service providers. | Cannot modify employee records or company settings unless explicitly granted. | All plans; requires Administrator to invite via the Accountant Access feature | No additional seat cost for accountant access users | Accountant access is managed separately from standard user management and requires the external party to have or create a Paychex account. |
Permission model
- Model type: role-based
- Description: Paychex Flex uses a role-based permission model. Predefined roles (Primary Administrator, Administrator, Manager, Employee) are assigned to users. Administrators can configure which modules and data sets each Administrator or Manager role can access, providing some granularity within roles, but fully custom role creation is not documented as a self-service feature.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Module-level and employee-group-level permissions can be toggled per Administrator or Manager user. Granularity is limited to predefined permission categories (e.g., payroll, HR, benefits, time & attendance, reporting) rather than individual action-level permissions.
How to add users
- Log in to Paychex Flex at myapps.paychex.com.
- Navigate to Admin (top navigation bar) → User Management.
- Click 'Add User' or navigate to the Employees section to add a new employee record.
- Enter required employee information (first name, last name, email address, employee ID, hire date, job title, department).
- Assign the appropriate role (Employee, Manager, Administrator).
- Configure module-level permissions if assigning an Administrator or Manager role.
- Save the record. The system sends an email invitation to the user's provided email address to complete account registration.
- For Administrator users, confirm access scope and module permissions before saving.
Required fields: First name, Last name, Email address, Employee ID (or system-generated), Hire date, Employment type (full-time, part-time, etc.), Pay frequency, Department (if applicable)
Watch out for:
- The email invitation to complete registration expires; if the employee does not register in time, an Administrator must resend the invitation manually.
- Adding a user as an employee record and granting them Administrator access are two separate steps; simply creating an employee record does not grant admin access.
- SSO (SAML 2.0) must be configured at the account level before users can authenticate via an identity provider; this is not enabled per-user.
- There is no documented native SCIM provisioning; automated user provisioning requires a third-party connector (e.g., Okta provisioning app or RoboMQ Hire2Retire for Entra ID).
- Paychex Flex does not support Google Workspace SSO as a documented IdP option.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin → Employees → Import Employees (CSV template available for download within the import wizard) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | SSO/SAML available on Select and Enterprise plans; Okta provisioning connector available via Okta Integration Network (requires Enterprise-tier or equivalent for full provisioning); no native SCIM - third-party middleware required for Entra ID/AD sync |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Paychex Flex does not permanently delete employee or user records due to payroll tax compliance and record-retention requirements. Users are terminated/deactivated, which removes their login access and moves them to an inactive status. Historical payroll, tax, and HR records are retained indefinitely per compliance requirements.
- Log in to Paychex Flex at myapps.paychex.com.
- Navigate to Admin → Employees (or HR → Employees depending on plan).
- Search for and select the employee record to deactivate.
- Select 'Terminate Employee' or 'Deactivate User' from the employee record actions menu.
- Enter the termination date and reason (required fields).
- Confirm the termination. The user's login access is revoked as of the termination date entered.
- For Administrator users, separately remove their Administrator role under Admin → User Management before or after termination to immediately revoke admin access.
| Data impact | Behavior |
|---|---|
| Owned records | All payroll history, tax documents (W-2s, pay stubs), and HR records associated with the terminated employee are retained in the system and remain accessible to Administrators. |
| Shared content | Shared reports or documents created by the user remain accessible to Administrators. No content is deleted upon deactivation. |
| Integrations | If the user was provisioned via an IdP (e.g., Okta), deprovisioning in the IdP will revoke SSO access but the Paychex record must also be terminated manually unless a provisioning connector handles deactivation. |
| License freed | The per-employee seat cost associated with the terminated employee is removed from the next billing cycle after the termination date is processed. Billing adjustments are reflected on the next invoice. |
Watch out for:
- Terminating an employee in Paychex Flex does not automatically revoke SSO sessions if the user is currently logged in; session expiry depends on session timeout settings.
- If the employee has a future-dated payroll run already scheduled, termination does not automatically cancel those payroll entries; Administrators must manually review and adjust.
- Rehired employees can be reactivated from the terminated employee list, but their original employee ID and record history are retained.
- Administrator access must be revoked separately from employee termination; terminating the employee record alone may not immediately remove admin portal access depending on session state.
- Final paycheck processing (including accrued PTO payout) must be handled manually by an Administrator before or at termination; the system does not automate final pay calculations in all states.
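An added example, not part of the original guide and not Paychex tooling: a reconciliation of a Paychex user export against an IdP user export that flags the offboarding gaps listed above (admin role left on a terminated record, termination not mirrored in the IdP or the reverse, and invitations never accepted). The CSV column names, status strings and sample rows are constructed assumptions; map them to the fields your actual exports contain.

```python
import csv
import io
from datetime import date

# Constructed sample exports; the column names are assumptions, not a Paychex format.
PAYCHEX_CSV = """employee_id,email,role,status,termination_date
1001,ana@example.com,Administrator,Terminated,2025-01-10
1002,bo@example.com,Employee,Active,
1003,cy@example.com,Manager,Terminated,2025-02-01
1004,di@example.com,Employee,Pending Registration,
1005,ed@example.com,Administrator,Terminated,2025-03-15
1006,gus@example.com,Employee,Active,
"""
IDP_CSV = """email,idp_status
ana@example.com,DEPROVISIONED
bo@example.com,ACTIVE
cy@example.com,ACTIVE
ed@example.com,ACTIVE
gus@example.com,DEPROVISIONED
"""
ADMIN_ROLES = {"Primary Administrator", "Administrator"}


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(paychex_rows, idp_rows, today):
    """Return sorted (email, finding) pairs for the offboarding gaps listed above."""
    idp = {r["email"].strip().lower(): r["idp_status"].strip().upper()
           for r in idp_rows}
    findings = []
    for r in paychex_rows:
        email = r["email"].strip().lower()
        status = r["status"].strip()
        term = r["termination_date"].strip()
        # Login is revoked as of the termination date, so future dates are not gaps yet.
        gone = status == "Terminated" and bool(term) and date.fromisoformat(term) <= today
        if gone and r["role"].strip() in ADMIN_ROLES:
            findings.append((email, "terminated, admin role still assigned"))
        if gone and idp.get(email) == "ACTIVE":
            findings.append((email, "terminated in Paychex, still active in IdP"))
        if status == "Active" and idp.get(email) == "DEPROVISIONED":
            findings.append((email, "deprovisioned in IdP, Paychex record still active"))
        if status == "Pending Registration":
            findings.append((email, "invitation never accepted"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in audit(rows(PAYCHEX_CSV), rows(IDP_CSV), date(2025, 3, 1)):
        print(f"{email}: {finding}")
```

Run on a schedule, the same comparison shortens the window in which a terminated user keeps admin or SSO access because the two revocation steps are not linked.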
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Essentials Plan | Payroll processing, employee self-service, basic HR tools, new hire reporting | $39/month base + $5/employee/month |
| Pro Plan | Everything in Essentials plus HR administration, job posting, onboarding, learning management | $47/month base + $3/employee/month |
| Select Plan | Everything in Pro plus dedicated HR support, analytics, and additional HR services; SSO available | Custom pricing (contact Paychex) |
| Enterprise Plan | Everything in Select plus advanced analytics, API access, and enterprise HR features; SSO and advanced integrations | $95/month base + $3/employee/month (published rate; actual pricing may vary by contract) |
- Where to check usage: Admin → Reports → User Access Report (or Admin → User Management to view active user count); billing summary available under Admin → Account → Billing
- How to identify unused seats: Administrators can review the User Management section to identify employees in 'Pending Registration' status (invitation sent but not accepted) or employees who have not logged in recently. Paychex Flex does not provide a built-in 'last login date' report in all plan tiers; this may require contacting Paychex support for an access audit.
- Billing notes: Billing is per active employee per month. Terminated employees are removed from billing in the cycle following their termination date. Plan base fees are charged monthly regardless of employee count. Pricing shown is published list pricing as of early 2025; contracted enterprise pricing may differ. Adding or removing employees mid-cycle may result in prorated charges depending on contract terms.
The cost of manual management
Every app in your stack that lacks automated provisioning creates a manual gap, and Paychex is no exception. Paychex Flex has no native SCIM endpoint, so every joiner, mover, and leaver requires hands-on action from an Administrator. Key friction points compound the overhead:
- Changing the Primary Administrator requires a support call - it cannot be done self-service.
- Employee self-service invitations expire and frequently land in spam, requiring manual resends.
- There is no built-in last-login report on all plan tiers, making dormant account audits difficult without contacting Paychex support.
- Administrator access must be revoked separately from employee termination; the two actions are not linked.
- Terminated employees are not automatically synced to connected identity providers without a third-party provisioning connector (e.g., Okta's Paychex app or RoboMQ Hire2Retire for Entra ID).
What IT admins are saying
Recurring themes in community feedback center on offboarding gaps and permission limitations.
Administrators consistently flag that terminating an employee in Paychex Flex does not revoke SSO sessions or sync to upstream identity providers without a separate provisioning connector in place - creating a window where terminated employees may retain access.
Permission granularity is a second common complaint: granting an Administrator access to only one department's payroll without broader access is difficult within the current model. Support response times for account-level changes (Primary Administrator transfers, billing corrections post-termination) are frequently cited as slow.
Common complaints:
- Users report that changing the Primary Administrator requires calling Paychex support rather than being self-service, causing delays during offboarding or ownership transitions.
- Multiple users report that the employee invitation email for self-service registration frequently lands in spam folders, requiring manual follow-up.
- Administrators report difficulty identifying which employees have never completed self-service registration, as there is no clear dashboard view of pending/inactive self-service accounts.
- Users report that terminating an employee in Paychex Flex does not automatically sync to connected IdPs (e.g., Okta) without a provisioning connector, creating a gap where terminated employees may retain SSO access temporarily.
- Users report that Paychex Flex's permission model lacks granularity for complex organizations - for example, it is difficult to grant an Administrator access to only one specific department's payroll without broader access.
- Users report slow response times from Paychex support when requesting account-level changes (e.g., Primary Administrator transfers, billing corrections after terminations).
- Users on lower-tier plans report that SSO configuration is not available without upgrading, and the upgrade path is not clearly communicated in the admin console.
- Community reports indicate that bulk employee imports via CSV can fail silently or produce unclear error messages, requiring multiple attempts or support intervention.
The decision
Paychex Flex is a capable HR and payroll platform, but its access management story has meaningful gaps for IT and security teams. No native SCIM means every app connected to Paychex for identity data requires a third-party bridge or manual process.
The permission model works for straightforward org structures but becomes limiting as departmental or role-level access needs grow more granular. Teams that need tight joiner/mover/leaver automation should plan for a provisioning connector (Okta or Entra-based) as a required dependency, not an optional add-on.
Bottom line
Paychex Flex covers payroll and HR administration well, but it places the full burden of access lifecycle management on Administrators when no provisioning connector is in place.
Every app that relies on Paychex as its source of truth for employee status will reflect changes only as fast as a human acts on them - or as fast as a polling-based connector detects them.
For organizations where timely deprovisioning and access accuracy matter, the absence of native SCIM and the separation of employee termination from admin access revocation are the two gaps most worth addressing before relying on Paychex as an identity source.