Summary and recommendation
SugarCRM user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
SugarCRM's Admin > User Management panel handles day-to-day provisioning for most deployments, but cloud instances on Enterprise or Premier plans route identity operations through SugarIdentity
a separate portal that controls passwords, SSO, and SCIM.
Knowing which path applies to your deployment before touching users saves significant rework.
If SugarIdentity is active, changes made only in the CRM-side UI may not propagate to the IdP, and vice versa.
Quick facts
| Admin console path | Admin > User Management (top-right user menu → Admin → User Management) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Regular User | Access to CRM modules as permitted by assigned roles and teams. Can create, edit, view, and delete records within their access scope. | Cannot access the Admin panel or manage other users. Cannot modify system-wide settings. | All paid plans | $19–$115+/user/month depending on plan tier | Each Regular User consumes a named license seat. Seat count is fixed at contract time; exceeding it requires a contract amendment. |
| Administrator | Full access to all modules and the Admin panel. Can manage users, roles, teams, system settings, and integrations. | Administrator access does not bypass team-based record visibility in all configurations; team rules still apply unless the admin is also a member of the relevant team. | All paid plans | Consumes a regular named license seat | Admins are also counted as regular license seats. There is no separate 'admin-only' license type. |
| System Administrator (Super Admin) | Highest privilege level. Can manage all users including other admins, configure SugarIdentity (where applicable), and access all data regardless of team assignments. | All paid plans | Consumes a regular named license seat | Designating a user as System Administrator grants them the ability to bypass team-based visibility restrictions. | |
| Portal User (Sugar Portal) | Limited external-facing access to a self-service portal. Can view and submit cases, bugs, or knowledge base articles as configured. | Cannot access the main CRM interface or internal modules. | Requires Sugar Serve or plans that include the Portal module | Portal users are typically licensed separately or included in specific plan tiers; exact cost depends on contract | Portal users are managed separately from internal CRM users and do not consume standard named-user seats. |
Permission model
- Model type: hybrid
- Description: SugarCRM uses a hybrid model combining role-based access control (RBAC) with team-based record visibility. Roles define what actions a user can perform on which modules (view, edit, delete, import, export) at both the module and field level. Teams control which records a user can see. Multiple roles can be assigned to a single user; the most permissive role wins by default, but this can be changed to 'most restrictive' via the Roles settings. Field-level security (FLS) is available to restrict visibility or editability of individual fields.
- Custom roles: Yes
- Custom roles plan: Available on Standard, Advanced, and Premier plans; not confirmed available on Sell Essentials ($19/user/mo tier)
- Granularity: Module-level (view/edit/delete/import/export per module) and field-level (visible/read-only/hidden per field per role)
How to add users
- Log in as an Administrator or System Administrator.
- Navigate to the top-right user menu and select 'Admin'.
- Under the 'Users' section, click 'User Management'.
- Click the 'Create User' button (or select 'Create User' from the Actions dropdown).
- Enter required fields: First Name, Last Name, User Name, and Email Address.
- Set a password or configure the user to receive a system-generated password via email.
- Assign a License Type if prompted (varies by deployment).
- Optionally assign Roles and Teams.
- Click 'Save' to create the user.
Required fields: First Name, Last Name, User Name (must be unique), Email Address, Password (or trigger email invitation)
Watch out for:
- User Name must be unique across the instance and cannot be changed after creation in some versions.
- If SugarIdentity is enabled (cloud deployments on Enterprise/Premier), user creation and password management are handled through the SugarIdentity portal, not the standard Admin > User Management screen.
- Adding a user beyond the contracted seat count may be blocked or trigger a billing event depending on the contract terms.
- Roles and Teams must be configured separately before they can be assigned during user creation.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Admin > User Management > Import (uses the standard SugarCRM import framework with a CSV template) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise or Premier (requires SugarIdentity and an SSO/SCIM-capable IdP such as Okta, Azure AD/Entra, or OneLogin) |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: SugarCRM supports both deactivation-oriented access control and delete-style user operations depending on deployment path and admin workflow. Public documentation should be treated as deployment-specific until verified in the tenant.
- Log in as an Administrator or System Administrator.
- Navigate to Admin > User Management.
- Locate and open the user's record.
- In the user detail view, click 'Edit'.
- Change the 'Status' field from 'Active' to 'Inactive'.
- Click 'Save'.
| Data impact | Behavior |
|---|---|
| Owned records | Records assigned to the deactivated user remain assigned to them. Administrators must manually reassign records to active users if needed. The deactivated user's name continues to appear in the 'Assigned To' field on those records. |
| Shared content | Shared reports, dashboards, and other content created by the deactivated user remain in the system and are still accessible to users with appropriate permissions. |
| Integrations | API tokens or OAuth credentials associated with the deactivated user may continue to function until explicitly revoked. If SugarIdentity is in use, the IdP session should also be terminated. |
| License freed | Setting a user to Inactive status frees the named-user license seat, making it available for reassignment. The exact timing of seat release may depend on contract terms and billing cycle. |
Watch out for:
- Deactivated users still appear in user lists and 'Assigned To' dropdowns unless filtered out, which can cause confusion.
- If the deactivated user was the only member of a team, records assigned to that team may become inaccessible to other users.
- In SugarIdentity-enabled deployments, deactivating the user in SugarCRM does not automatically deactivate them in the IdP; both systems must be updated.
- There is no automated record-reassignment workflow triggered by deactivation; reassignment must be done manually or via a bulk update.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named User – Sell Essentials | Core CRM features for small teams; limited module access compared to higher tiers | $19/user/month |
| Named User – Standard | Full CRM suite with sales automation, reporting, and custom roles; minimum 10 users | $79/user/month |
| Named User – Advanced | Standard features plus advanced forecasting, enhanced support SLAs, and additional customization; minimum 10 users | $115/user/month |
| Named User – Premier | Full platform access including advanced AI features, dedicated support, and custom contract terms | Custom pricing |
- Where to check usage: Admin > User Management - the user list shows all Active and Inactive users. Active user count reflects consumed seats. There is no dedicated 'license usage dashboard' in the standard Admin UI; seat counts are tracked against the contract.
- How to identify unused seats: Filter the User Management list by Status = Active, then sort by 'Last Login' date to identify users who have not logged in recently. There is no built-in 'unused seat' report; admins must manually review last-login data.
- Billing notes: SugarCRM uses named-user licensing; each Active user consumes one seat. Seats are purchased in blocks per contract. Exceeding the contracted seat count requires a contract amendment. Implementation and onboarding costs ($15,000–$150,000 additional) are separate from per-user licensing fees. Portal users (Sugar Serve) are licensed separately from internal CRM users.
The cost of manual management
SugarCRM uses named-user licensing, so every active seat counts against a fixed contract block. Exceeding that block requires a contract amendment - there is no self-serve overage. Seats run from $19/user/month (Sell Essentials) to $115/user/month (Advanced, 10-user minimum), with Premier on custom terms.
Implementation and onboarding carry a separate cost of $15,000–$150,000 depending on scope. Portal users (Sugar Serve) are licensed independently and do not consume internal CRM seats.
The decision
Manual provisioning in SugarCRM is viable for teams with stable headcount and infrequent user changes, particularly on Standard or Advanced plans where role and team configurations are fully available.
The workflow breaks down at scale: no automated record reassignment on deactivation, no built-in license utilization dashboard, and a CSV bulk-import process with limited error feedback make every app lifecycle event - onboarding, role change, offboarding - a multi-step manual effort.
Organizations running SugarIdentity must also maintain two systems in sync, which adds operational surface area. Teams with frequent joiner/mover/leaver activity or audit requirements will find the manual approach increasingly difficult to sustain without tooling.
Bottom line
SugarCRM's manual user management works for small, stable teams but accumulates operational debt quickly as headcount grows. The split between in-app User Management and SugarIdentity means offboarding in particular requires coordinated action across two systems, and neither system automates record reassignment or flags unused seats.
Every app in your stack that requires this level of manual coordination compounds the administrative load - SugarCRM is not uniquely difficult, but it is not self-maintaining either.
Automate SugarCRM workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
