Summary and recommendation
Toast user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Toast manages employees through two parallel permission layers: POS Job Roles that govern what staff can do on the terminal, and Web Access Roles that control back-office access at toasttab.com/restaurants/admin.
These layers are independent - assigning a POS role does not grant back-office access, and vice versa.
Every app in your restaurant tech stack that touches employee identity needs to account for this split to avoid access gaps.
Employee records live at the location level.
Multi-location operators must add and configure employees separately per location in standard plans, with no centralized cross-location management available outside enterprise tooling.
Quick facts
| Admin console path | Toast Web (back-office) > Employees > Employee Management |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner / Admin | Full access to all Toast back-office settings, payroll, reporting, menu management, hardware configuration, and employee management. | Owner-level credentials are tied to the account holder; transferring ownership requires contacting Toast support. | |||
| Manager | Access to back-office functions scoped by assigned web-access role; typically includes reporting, scheduling, and employee management within their location. | Cannot access billing or account-level settings unless explicitly granted. | Manager web-access permissions must be explicitly assigned; default employee accounts do not have back-office web access. | ||
| Employee (POS only) | POS terminal access only, scoped by assigned POS job role (e.g., Server, Bartender, Host). No back-office web access by default. | Cannot log into Toast Web back-office unless a web-access role is assigned. | POS access is controlled by a numeric passcode or card swipe, not a username/password login. | ||
| Payroll Admin | Access to Toast Payroll module including payroll runs, tax settings, and employee pay configuration. | Scope limited to payroll functions; does not automatically grant full back-office access. | Toast Payroll add-on required | Toast Payroll is a separate add-on product; this role only appears if the restaurant subscribes to Toast Payroll. |
Permission model
- Model type: role-based
- Description: Toast uses two parallel permission layers: (1) POS Job Roles that control what employees can do on the terminal (e.g., apply discounts, void items, access cash drawer), and (2) Web Access Roles that control back-office access. Each employee is assigned one or more job roles. POS permissions are configured per job role and can be customized at the role level.
- Custom roles: Yes
- Custom roles plan: Not documented
- Granularity: Role-level: individual POS permissions (discount, void, refund, clock-in, etc.) are toggled per job role. Web access roles are predefined tiers (e.g., Owner, Manager, Employee) with limited customization.
How to add users
- Log in to Toast Web at https://www.toasttab.com/restaurants/admin.
- Navigate to Employees > Employee Management.
- Click 'Add Employee'.
- Enter required employee details (first name, last name, email, and job role).
- Assign a POS passcode or configure card swipe for terminal access.
- Optionally assign a Web Access Role if back-office access is needed.
- Set wage information if using Toast Payroll.
- Click 'Save' to create the employee record.
- Publish changes to POS terminals if prompted.
Required fields: First name, Last name, Job role (at least one), POS passcode or login method
Watch out for:
- New employee records must be published to POS terminals before the employee can clock in or access the terminal.
- Email address is required only if the employee needs web-access (back-office) login.
- If Toast Payroll is active, wage and tax withholding fields must be completed before the employee can be included in a payroll run.
- Each location in a multi-location group manages employees separately by default; employees must be added to each location individually unless using enterprise-level tools.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Toast does not permanently delete employee records. Employees are archived/deactivated, which removes their ability to clock in or access the system while retaining their historical records (timesheets, sales data, payroll history) for reporting and compliance purposes.
- Log in to Toast Web at https://www.toasttab.com/restaurants/admin.
- Navigate to Employees > Employee Management.
- Locate the employee record.
- Open the employee profile and set their status to 'Archived' or use the archive/deactivate option.
- Save and publish changes to POS terminals.
| Data impact | Behavior |
|---|---|
| Owned records | Historical timesheets, sales transactions, and tip records associated with the employee are retained after archiving. |
| Shared content | Menu items, orders, and other records the employee interacted with are unaffected. |
| Integrations | If the employee was linked to Toast Payroll, archiving them stops future payroll inclusion but retains historical payroll records. |
| License freed | Toast does not charge per-seat fees for employee records; archiving does not affect billing. |
Watch out for:
- Archived employees must be reactivated (unarchived) before they can clock in again; this requires publishing changes to terminals.
- If an employee has an active web-access login, archiving the POS record may not automatically revoke web-access; verify web-access role is also removed.
- Multi-location operators must archive the employee at each location separately if the employee was added to multiple locations.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| POS Software Subscription | Access to Toast POS software for a given location; covers unlimited employee records on that location's subscription. | From $69/mo per location (Point of Sale plan); Starter Kit at $0/mo with higher processing fees. |
| Toast Payroll Add-on | Payroll processing, tax filing, and employee pay management. | Separate add-on; contact Toast for current pricing. |
- Where to check usage: Toast Web > Employees > Employee Management (view active vs. archived employee count per location)
- How to identify unused seats: Filter employee list by 'Active' status and cross-reference with recent clock-in/timesheet activity in the Labor Report (Toast Web > Reports > Labor).
- Billing notes: Toast charges per location, not per employee seat. Adding or removing employee records does not directly change the monthly software subscription cost. Payment processing fees are volume-based and separate from the software subscription.
The cost of manual management
Toast charges per location, not per employee seat, so adding or removing employee records does not directly affect your monthly software subscription.
However, the operational cost of manual provisioning is real: every new hire requires a back-office record, a POS passcode or card-swipe setup, a job role assignment, and a manual publish to terminals before the employee can clock in.
Forgetting to publish changes to POS terminals is the most commonly reported source of confusion - new employees simply cannot clock in until that step completes. If Toast Payroll is active, wage and tax withholding fields must also be completed before the employee can be included in a payroll run, adding another manual checkpoint.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Manual management in Toast is workable for single-location operators with stable staff, where the publish step and dual permission layers are easy to track.
The process becomes error-prone at scale: every app that relies on accurate employee data - scheduling, payroll, tip reporting - is only as current as your last manual sync and terminal publish.
If your environment involves multiple locations, frequent staff turnover, or any HR system of record, the per-location employee silo model creates compounding overhead. The absence of native SCIM means there is no IdP-driven automation path without a custom API integration.
Bottom line
Toast's employee management is purpose-built for restaurant operations, not IT provisioning workflows. The dual-layer permission model (POS roles plus web access roles) gives operators meaningful control, but every step - creation, role assignment, passcode setup, and terminal publish - is manual and location-scoped.
For single-location operators, this is manageable.
For multi-location groups or any team running every app off a central HR system, the lack of cross-location employee management and native SCIM support means provisioning debt accumulates quickly, and offboarding gaps (particularly around web-access revocation) are a real compliance risk.
Automate Toast workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
