Summary and recommendation
Personio user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Personio is an HRIS built for companies with 10–5,000 employees, and every app in your stack that treats it as the HR source of truth depends on the accuracy of its employee records.
Access control is role-based: Employee Roles define which HR attributes, sections (e.g., Salary, Documents, Absences), and employee subsets a user can view or edit. Administrators sit outside this role system entirely and hold global access managed separately under Settings → Administrators.
Quick facts
| Item | Details |
|---|---|
| Admin console path | Settings → Employee Roles (for role/permission management); Settings → Administrators (for admin access) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Essential ($2.96+) to Enterprise (custom) |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full access to all Personio settings, employee data, payroll, reporting, and integrations. Can manage other administrators and employee roles. | Cannot be restricted to a subset of data by default; administrator access is global. | All plans | Counted as an employee seat; no separate admin seat cost documented. | Personio distinguishes between 'Administrator' (full system access) and employees with elevated role-based permissions. Admins are managed separately under Settings → Administrators. |
| Employee (with custom role/access rights) | Access determined by assigned Employee Role(s). Can be scoped to view/edit specific employee attributes, sections, or subsets of employees (e.g., own team only). | Cannot access settings or data outside their assigned role permissions. Cannot manage other users unless explicitly granted. | All plans; granular custom roles available on Professional and above. | Each active employee profile consumes a billable seat. | Roles are assigned per employee profile. An employee can hold multiple roles. Access rights are attribute-level, not just module-level, which requires careful configuration to avoid unintended data exposure. |
| Employee (no system access / HR data only) | Profile exists in Personio for HR record-keeping but the employee has no login credentials or system access. | Cannot log in, view self-service portal, or submit requests. | All plans | Still counts as a billable employee seat. | Seat is billed regardless of whether the employee has system login access. |
Permission model
- Model type: role-based
- Description: Personio uses Employee Roles to control access. Each role defines which employee attributes (fields), sections (e.g., salary, documents, absence), and employee subsets (e.g., own department) a user can view or edit. Multiple roles can be stacked on one employee. Administrators have a separate, globally elevated access level managed outside the role system.
- Custom roles: Yes
- Custom roles plan: Available on all plans, with more granular controls (e.g., salary visibility, custom attribute access) documented as part of Professional and above features.
- Granularity: Attribute-level (individual HR fields), section-level (e.g., Documents, Absences, Salary), and employee-subset-level (e.g., own reports, specific departments). Read vs. edit permissions are set independently per attribute/section.
How to add users
- Log in as an Administrator and navigate to the main employee list.
- Click 'Add Employee' (top right of the employee list).
- Enter required fields: First Name, Last Name, Email Address, Start Date, and at minimum one organizational attribute (e.g., Department or Position).
- Save the profile. Personio will send an invitation email to the employee's email address if system access is enabled.
- Assign an Employee Role under the employee's profile → Access Rights tab, or configure globally under Settings → Employee Roles.
- To grant Administrator access, go to Settings → Administrators and add the employee.
Required fields: First Name, Last Name, Email Address, Start Date, At least one organizational attribute (e.g., Department or Position, depending on account configuration)
Watch out for:
- The invitation email is sent automatically upon profile creation if the employee is set to have system access; there is no separate 'send invite' step.
- If an employee's email domain does not match expectations, the invite may land in spam or be blocked by corporate email filters.
- Custom mandatory fields configured by the account admin must also be filled before saving.
- Employees added without a role assignment default to self-service access only (own profile data).
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Settings → Import → Import Employees (CSV template downloadable from the same page) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (Microsoft Entra ID provisioning via SCIM-compatible integration; Okta integration also available) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Personio supports both deactivation (offboarding/termination, which retains the employee record and historical data) and full deletion of an employee profile. Deletion permanently removes the profile and associated data and is irreversible. Deletion is typically used for profiles created in error. Terminated employees are normally offboarded (deactivated), not deleted, to preserve HR records and comply with data retention requirements.
- Navigate to the employee's profile.
- Click the three-dot menu (⋮) or 'Offboard Employee' option.
- Enter the termination/leaving date and reason.
- Confirm offboarding. The employee's status changes to 'Inactive' and their system access is revoked on the leaving date.
- The employee profile remains visible under the 'Inactive Employees' filter in the employee list.
| Data impact | Behavior |
|---|---|
| Owned records | All HR data (documents, absence records, salary history, performance reviews) is retained on the inactive profile and remains accessible to administrators. |
| Shared content | Workflow approvals, absence requests, and tasks associated with the employee are retained in historical records. |
| Integrations | Payroll integrations will reflect the termination date; the employee will no longer appear in active payroll runs after the leaving date. |
| License freed | The seat is freed (no longer billed) once the employee is marked as inactive/offboarded, effective from the leaving date. |
Watch out for:
- Deleting a profile is permanent and cannot be undone; Personio recommends offboarding rather than deletion for all genuine terminations.
- If an employee is an approver in absence or expense workflows, those workflows must be reassigned before or after offboarding to avoid broken approval chains.
- Administrators must manually revoke any third-party integration access (e.g., Slack, payroll tools) that Personio does not directly control.
- Inactive employee profiles still count toward data storage but not toward the active seat billing.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Active Employee Seat | One billable seat per active employee profile, regardless of whether the employee has system login access. Includes HR data storage, self-service portal access (if enabled), and role-based permissions. | Essential: ~$2.96–$5/employee/month; Professional: ~$4.56–$15/employee/month; Enterprise: custom pricing. |
- Where to check usage: Settings → Subscription / Billing (exact label may vary by account); active employee count is visible in the employee list by filtering for 'Active' status.
- How to identify unused seats: Filter the employee list by 'Active' status and cross-reference with last login data. Personio does not natively surface a 'last login' report in the standard UI; admins may need to export employee data or use audit log features (availability varies by plan) to identify employees who have never logged in.
- Billing notes: Billing is per active employee profile per month, not per user with system access. Employees without login credentials still consume a seat. Pricing is negotiated annually and scales with headcount bands. Inactive/offboarded employees do not count toward the billable seat total.
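The cross-referencing described above (active profiles with no login record, plus the offboarding watch-outs about approvers and third-party access) can be scripted over exported data. The following is an added example, not Personio or Stitchflow code; the CSV column names, the sample rows, and the downstream app export are constructed assumptions, not Personio's real export schema.

```python
import csv
import io

# Constructed sample data. Column names are assumptions for this example,
# not Personio's actual export schema.
EMPLOYEES = """email,status,approver_for
ana@example.com,Active,
ben@example.com,Active,absence:team-a
cara@example.com,Inactive,absence:team-b;expense:team-b
dev@example.com,Inactive,
"""
LOGINS = """email,last_login
ana@example.com,2024-05-02
cara@example.com,2024-03-28
"""
# Members still present in a downstream app (e.g. a Slack user export).
DOWNSTREAM = """email
ana@example.com
dev@example.com
"""


def _rows(text):
    """Parse CSV text and normalise the email key for matching."""
    for row in csv.DictReader(io.StringIO(text)):
        row["email"] = row["email"].strip().lower()
        yield row


def access_review(employees, logins, downstream):
    """Return review findings keyed by category."""
    seen_login = {r["email"] for r in _rows(logins) if r["last_login"].strip()}
    downstream_users = {r["email"] for r in _rows(downstream)}
    findings = {"never_logged_in": [], "inactive_approver": {},
                "orphaned_downstream": []}
    for row in _rows(employees):
        email, status = row["email"], row["status"].strip().lower()
        workflows = [w for w in row["approver_for"].split(";") if w.strip()]
        if status == "active" and email not in seen_login:
            # Also catches record-only profiles that never had a login.
            findings["never_logged_in"].append(email)
        if status == "inactive":
            if workflows:  # approval chain still points at a leaver
                findings["inactive_approver"][email] = workflows
            if email in downstream_users:  # manual revocation was missed
                findings["orphaned_downstream"].append(email)
    return findings


if __name__ == "__main__":
    for name, value in access_review(EMPLOYEES, LOGINS, DOWNSTREAM).items():
        print(name, value)
```

Emails are lowercased before matching because exports from different systems rarely agree on case.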
The cost of manual management
Adding employees one at a time, each requiring First Name, Last Name, Email, Start Date, and at least one org attribute, creates onboarding delays that ripple into downstream access. Role assignment is per-profile with no bulk tooling, so a 50-person hiring cohort means 50 individual role configurations.
Offboarding carries its own overhead: approval-chain reassignment must happen manually before or after termination, and third-party integrations such as Slack and payroll tools are not touched by Personio's offboarding flow.
What IT admins are saying
Practitioners consistently flag three friction points. First, Personio uses OIDC rather than SAML, which breaks compatibility with identity providers that expect SAML and requires a JumpCloud bridge to close the gap.
Second, there is no native last-login or user-activity report; identifying employees who have never logged in requires a manual data export or audit log review, and audit log availability varies by plan.
Third, CSV bulk import has strict template requirements with limited error feedback, making large-scale employee creation error-prone.
Common complaints:
- No native SAML support; Personio uses OIDC, which limits SSO compatibility with some identity providers.
- Role and access rights configuration is considered complex and time-consuming, especially for large organizations with many departments.
- Lack of a native 'last login' or user activity report makes it difficult to identify inactive system users without manual effort.
- Bulk role assignment is not straightforward; roles must often be assigned individually per employee profile.
- Offboarding workflows require manual reassignment of approvers, which is error-prone when multiple workflows are involved.
- CSV import for bulk employee creation has strict template requirements and limited error messaging, leading to failed imports.
- Seat billing applies to all active profiles regardless of system access, which surprises customers who add employees for record-keeping only.
The decision
Every app downstream of Personio inherits any access configuration lag introduced by manual role management. Personio's role model is genuinely granular (read vs. edit permissions are set independently at the attribute level, and multiple roles can stack on one employee), but that flexibility comes at a configuration cost.
For teams managing access across many departments, the absence of bulk role assignment and the complexity of attribute-level scoping create ongoing administrative burden. Automated provisioning via Microsoft Entra ID is available, but only on the Enterprise plan and only through Personio's own connector, not a standard protocol.
Bottom line
Personio gives HR and IT teams precise, attribute-level control over who sees what, but that precision is manual by default. Every app downstream of Personio depends on timely, accurate employee data, and without automation, that accuracy depends on consistent admin effort.
Teams that stay on Essential or Professional plans have no path to automated provisioning and will need to weigh the operational cost of manual role management against the upgrade investment required to access Entra ID integration.