Summary and recommendation
SAP Concur user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
SAP Concur user management lives under Administration > Company > User Administration at concursolutions.com.
A Company Administrator role is required and must be explicitly assigned - it is not granted automatically to the account owner.
Concur uses a role-based permission model where roles (called Permission Sets) map to licensed modules: Expense, Travel, Invoice, and Request.
Custom roles are not supported;
administrators assign users to predefined role sets only.
Five role types cover most provisioning needs: Company Administrator, Expense User, Approver, Processor/Auditor, and Delegate.
Each role is scoped to its functional area - an Approver cannot touch company policy, and a Delegate cannot approve unless the delegating user explicitly grants that right.
Role assignments are configured per user record by an administrator, with one exception: Delegate configuration is controlled by the individual user in their own profile settings.
Every app in a manually managed environment requires this kind of per-user configuration to be tracked and maintained by hand.
Quick facts
| Admin console path | Administration > Company > User Administration |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Company Administrator | Full access to company configuration, user management, policy setup, reporting, and all modules enabled for the company. | Cannot access SAP backend ERP configuration directly; cannot modify SAP Concur platform-level settings reserved for SAP support. | Company Administrator role must be explicitly assigned; it is not automatically granted to the account owner. Multiple admins can be designated. | ||
| Expense User | Can create, submit, and manage own expense reports. Can view own travel itineraries if Travel module is enabled. | Cannot access other users' reports, company configuration, or approval queues unless additional roles are assigned. | Users are only active for billing purposes when they submit an expense report or use a billable feature within the billing period, depending on contract terms. | ||
| Approver | Can approve or reject expense reports and travel requests submitted by employees in their approval chain. | Cannot modify company policies or access administration panels unless also assigned an admin role. | Approver assignment is configured per user record; a user must be explicitly set as an approver and linked to direct reports. | ||
| Processor / Auditor | Can review, audit, and process expense reports on behalf of the finance or AP team. Can send reports back for correction. | Cannot submit expense reports on behalf of employees unless also assigned a delegate role. | Processor access is granted via permission sets in the User Administration panel; it is not a self-service role. | ||
| Delegate | Can prepare and submit expense reports, travel requests, or invoices on behalf of another user who has granted delegation. | Cannot approve reports on behalf of the delegating user unless the delegating user explicitly grants approval delegation. | Delegation is configured by the individual user in their profile settings, not by the administrator. Admins can view but not always force-configure delegation. |
Permission model
- Model type: role-based
- Description: SAP Concur uses a role-based permission model where roles (called 'Permission Sets' or 'Roles') are assigned to users by a Company Administrator. Roles map to functional areas such as Expense, Travel, Invoice, and Reporting. Administrators assign one or more roles per user. Some roles are module-specific and only appear if the corresponding module is licensed.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level granularity per module (Expense, Travel, Invoice, Request). Individual feature-level permissions are not independently configurable outside of predefined role assignments.
How to add users
- Log in to SAP Concur as a Company Administrator.
- Navigate to Administration > Company > User Administration.
- Click 'Add User' or 'Create New User'.
- Enter required fields: Login ID (email format), First Name, Last Name, Email Address, Employee ID.
- Set the user's default expense policy, reimbursement currency, and locale as applicable.
- Assign one or more roles/permission sets under the Roles section.
- Assign an approver to the user if required by company policy.
- Click 'Save' to create the user. The user receives an activation email if password-based login is used.
Required fields: Login ID (must be in email format), First Name, Last Name, Email Address, Employee ID
Watch out for:
- Login ID must be unique across the SAP Concur platform globally, not just within the company. If an email is already registered in another Concur company, it cannot be reused as a Login ID.
- If SSO is enabled, the Login ID must match the identity provider's NameID/attribute exactly or the user will not be able to authenticate.
- New users are not automatically assigned to any expense policy or approval chain; these must be configured manually or via import.
- Users created manually will not be automatically synced back to an IDP; SCIM provisioning is one-directional from IDP to Concur unless bidirectional sync is configured.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Administration > Company > User Administration > Import Users (CSV template downloadable from the same page) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (requires SSO configuration; SCIM v4 API available for Okta and Entra ID integrations) |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: SAP Concur does not support permanent deletion of user accounts through the administrator UI. Users can only be deactivated (set to Inactive status), which prevents login and removes them from active user counts for billing purposes. Historical transaction data, expense reports, and audit trails associated with the user are retained. This is consistent with financial record-keeping requirements.
- Log in to SAP Concur as a Company Administrator.
- Navigate to Administration > Company > User Administration.
- Search for the user by name, Login ID, or Employee ID.
- Open the user's profile by clicking their name.
- Locate the 'Active' status field and change it to 'Inactive'.
- Click 'Save' to apply the change. The user will immediately lose the ability to log in.
| Data impact | Behavior |
|---|---|
| Owned records | All expense reports, travel bookings, and invoices created by the user are retained in the system and remain accessible to administrators and approvers. Deactivation does not delete or archive these records. |
| Shared content | Delegation relationships are effectively suspended when a user is deactivated. Delegates can no longer act on behalf of the inactive user. |
| Integrations | If the user was provisioned via SCIM/IDP, deactivating in the IDP will send a deactivation signal to Concur via the provisioning API, setting the user to inactive. Existing integration mappings (e.g., ERP employee ID links) are retained on the user record. |
| License freed | Deactivated users are generally not counted toward active user billing in the next billing cycle, but specific contract terms govern this. Administrators should verify with their SAP Concur account representative. |
Watch out for:
- Deactivating a user who is an approver for other employees will leave those employees without an active approver; their approval chain must be reassigned manually before or after deactivation.
- If the user has open, unsubmitted expense reports at the time of deactivation, those reports remain in draft state and may require administrative intervention to close or reassign.
- Reactivating a previously deactivated user restores their profile and historical data; the Login ID cannot be reassigned to a different person.
- Deactivation via SCIM API sets the 'active' attribute to false; this is the supported programmatic method for IDP-driven offboarding.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Expense User | Access to expense report creation, submission, receipt management, and mobile app for expense capture. | |
| Travel User | Access to online booking tool (Concur Travel) for flights, hotels, and car rentals. | |
| Invoice User | Access to accounts payable invoice processing and vendor management workflows. | |
| Request User | Access to pre-trip approval and spend request workflows. |
- Where to check usage: Administration > Company > User Administration - filter by Active status to view active user count. Reporting module may provide additional usage analytics depending on contract.
- How to identify unused seats: Administrators can filter the User Administration list by 'Last Login Date' or run usage reports via the Cognos-based reporting tool (if licensed) to identify users who have not logged in or submitted reports within a defined period.
- Billing notes: SAP Concur pricing is quote-based and modular. Billing is typically based on active users per module per billing period, but exact terms vary by contract. The SAP Finance Premium bundle includes 100 monthly expense reports. Customers should consult their SAP Concur contract or account executive for precise billing triggers and thresholds.
The cost of manual management
User deletion is not supported - deactivated records accumulate indefinitely with no cleanup path. Approver chains are not automatically reassigned on deactivation, meaning broken approval chains surface only when an employee tries to submit a report after their manager has been offboarded.
Bulk user imports via CSV have strict formatting requirements and return limited error messaging, making large-scale onboarding error-prone.
The Login ID uniqueness constraint is global across the entire Concur platform: if a new hire previously used Concur at another employer, their email cannot be reused until the old company releases it - a resolution that requires SAP support involvement and has no self-service path.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Every app managed manually introduces risk proportional to offboarding volume, and Concur's approval chain dependency makes that risk concrete - a deactivated approver silently blocks every direct report's expense submissions until manually corrected. Manual management is viable for small, stable teams with infrequent user changes and a dedicated Concur administrator.
For organizations with regular onboarding and offboarding volume, the absence of automated approver reassignment, the no-delete constraint, and the global Login ID uniqueness issue create compounding administrative overhead. Teams running Okta, Entra ID, or another SCIM-capable IdP should evaluate automated provisioning to reduce exposure to these failure modes.
The SSO prerequisite for SCIM is a hard dependency - confirm SSO is active on the tenant before committing to an automated provisioning path.
Bottom line
SAP Concur's manual user management is functional but carries several structural constraints that scale poorly: no user deletion, no automated approver reassignment on offboarding, a global Login ID uniqueness requirement that requires SAP support to resolve, and a bulk import tool with limited error feedback.
Every app managed manually introduces compounding overhead, and Concur's approval chain dependency makes offboarding failures particularly visible - a deactivated approver silently blocks every direct report's expense submissions until an administrator intervenes.
Organizations with moderate-to-high user churn should treat these constraints as planning inputs, not edge cases.
Automate SAP Concur workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
