Summary and recommendation
UKG user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
UKG Pro is a mid-enterprise HRIS serving organizations with 350–10,000 employees, recognized as a 2025 Gartner Magic Quadrant Leader for Cloud HCM Suites.
User management lives under Menu > Administration > Security > Users (UKG Pro) or Menu > System Configuration > Security (UKG Ready).
Every app that connects to UKG for identity data depends on the accuracy of security role assignments and org-hierarchy configuration - both of which require deliberate setup and ongoing maintenance.
Quick facts
| Admin console path | Menu > Administration > Security > Users (UKG Pro); or Menu > System Configuration > Security (UKG Ready) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all modules, security configuration, user management, and system settings. Can create and assign security roles, manage integrations, and access all employee data. | System Administrator accounts are typically limited in number per contract. Granting this role broadly is discouraged by UKG due to audit and compliance implications. | |||
| Manager Self-Service (MSS) User | Access to direct-report employee data, approval workflows, time and attendance management for their team, and HR action initiation (e.g., job changes, pay changes) within defined security scope. | Cannot access employees outside their defined org hierarchy. Cannot modify system-level security settings. | Manager access scope is controlled by the security role AND the org structure (position/department hierarchy). Misconfigured org trees can inadvertently expose or hide employee records. | ||
| Employee Self-Service (ESS) User | Access to personal HR data, pay statements, benefits enrollment, time-off requests, and personal profile updates within permitted fields. | Cannot view other employees' data. Cannot approve workflows or access administrative menus. | ESS access is typically auto-provisioned when an employee record is created, but the user account must still be activated with login credentials separately. | ||
| HR Administrator / HR Practitioner | Access to employee lifecycle management (hire, change, terminate), benefits administration, compensation management, and reporting within assigned business units. | Scope is limited to assigned business units or company codes unless explicitly expanded. Cannot modify security role definitions without System Administrator access. | Data access is filtered by the security role's assigned business units; HR admins may not see all employees if multi-company or multi-BU configurations are in place. | ||
| Payroll Administrator | Access to payroll processing, tax configuration, garnishments, and payroll reporting. Can run and submit payroll cycles. | Typically cannot modify HR-only fields (e.g., performance records) unless dual role is assigned. | Payroll module access is a separately licensed component in some UKG configurations; confirm module entitlement before assigning this role. |
Permission model
- Model type: role-based
- Description: UKG Pro uses a security role model where each user is assigned one or more security roles. Each security role defines which menus, pages, fields, and actions are accessible. Roles also control data visibility through Business Unit (company code) and org-level filters. Field-level security can be configured within roles to allow read-only or edit access on individual data fields. UKG Ready uses a similar role-based model with predefined and configurable roles.
- Custom roles: Yes
- Custom roles plan: Not documented
- Granularity: Menu/page level, field level (read vs. edit), and data scope level (business unit, org hierarchy). Administrators can clone existing roles and modify permissions to create custom roles.
How to add users
- Navigate to Menu > Administration > Security > Users in UKG Pro.
- Click 'Add' or 'New User' to open the user creation form.
- Enter required fields: employee record association (if applicable), username, and email address.
- Assign one or more security roles to define the user's access level.
- Set the user's status to 'Active'.
- Configure password settings or trigger a system-generated welcome email with login instructions.
- Save the record. The user can then log in at the tenant URL.
Required fields: Username, Email address, Security role assignment, Employee record linkage (for employee users)
Watch out for:
- Users must be linked to an employee record for most HR data access; standalone system-only accounts (e.g., integration service accounts) may be created without an employee record but have limited use cases.
- Security role assignment is required at creation; a user with no role assigned will have no meaningful access.
- Welcome/activation emails may go to spam; advise new users to check junk folders.
- SSO-enabled tenants may require the username to match the identity provider's user principal name (UPN) exactly.
- In UKG Pro, the user account and the employee record are separate objects; creating an employee record does not automatically create a login account.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Menu > Administration > Import/Export or via the UKG Pro Data Import tool; specific template available in the UKG Community document library. |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (requires SSO configuration; SCIM-based provisioning available for Okta and Microsoft Entra ID integrations) |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: UKG Pro does not support permanent deletion of user accounts or employee records through the standard UI. The standard workflow is to deactivate (terminate) the user, which removes login access while preserving all historical records for audit, payroll, and compliance purposes. Employee records are retained indefinitely per UKG's data retention model.
- For employee users: Process a termination action via Menu > Personnel > Employee Actions > Terminate Employment, entering the effective termination date and reason.
- The termination action automatically deactivates the associated user account login on the effective date.
- For non-employee system users (e.g., integration accounts): Navigate to Menu > Administration > Security > Users, locate the user record, and set the account status to 'Inactive'.
- Confirm the user can no longer log in by verifying account status shows 'Inactive'.
| Data impact | Behavior |
|---|---|
| Owned records | All employee and transaction records created by or associated with the user are retained. Historical data (pay history, time records, HR actions) remains fully accessible to administrators. |
| Shared content | Reports, dashboards, and saved views created by the deactivated user may remain in the system but could become inaccessible to others if stored under personal user settings rather than shared folders. |
| Integrations | API or integration credentials associated with a deactivated service account will stop functioning. Integration tokens should be rotated to an active service account before deactivation. |
| License freed | Deactivating a user account removes that user from the active user count, which may free a licensed seat depending on contract terms. Confirm with UKG account management for billing impact. |
Watch out for:
- Termination effective date controls when login access is revoked; a future-dated termination will not immediately block access.
- Rehired employees require reactivation of the existing employee record rather than creation of a new one, to preserve historical data and avoid duplicate records.
- Deactivating a user does not automatically reassign their pending workflow approvals; these must be manually reassigned before or after deactivation.
- Service account deactivation can break active integrations immediately; coordinate with IT before deactivating any non-employee system accounts.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Full HCM Employee Seat | Core HR, payroll, benefits, time and attendance, and self-service access for one employee. Specific module access depends on contracted modules. | $27–$37 per employee per month (PEPM) based on available pricing data; exact cost varies by contract and employee count. |
| Manager/Administrator Named User | Elevated access for HR practitioners, managers, and administrators. May be included in base PEPM or separately licensed depending on contract. |
- Where to check usage: Menu > Administration > Security > Users - filter by Active status to view current active user count. Licensing reports may also be available via Menu > Reporting > System Reports depending on tenant configuration.
- How to identify unused seats: Run a user activity or last-login report from the reporting module (Menu > Reporting) to identify accounts with no recent login activity. UKG does not provide a native 'unused seat' dashboard; administrators must build or schedule a custom report.
- Billing notes: UKG Pro is priced on a per-employee-per-month basis covering all active employees in the system, not strictly named user seats. Pricing is negotiated at contract time and typically includes implementation fees of approximately 40–70% of annual software cost. Module add-ons (e.g., Learning, Recruiting, Workforce Management) are licensed separately. Contact UKG account management for seat reconciliation and true-up processes.
The cost of manual management
UKG Pro separates the employee record from the login account; creating one does not automatically create the other, so every new hire requires two distinct actions to gain access.
Termination effective dates control when login access is actually revoked - a future-dated termination leaves the departing employee active in the system until that date arrives, creating a window of unintended access. Pending workflow approvals are not automatically reassigned on deactivation, requiring manual intervention before or after offboarding.
Bulk user imports via CSV are available but poorly documented outside the UKG Community, making large-scale provisioning error-prone without prior experience.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
UKG Pro's role-based permission model supports menu-level, field-level, and data-scope-level controls, with the ability to clone and modify existing roles - giving HR and IT teams meaningful flexibility.
However, that flexibility comes with complexity: multi-company or multi-BU configurations can silently limit what HR admins see, and misconfigured org trees can inadvertently expose or hide employee records. System Administrator accounts are contractually limited in number and should not be granted broadly due to audit and compliance implications.
Teams evaluating manual administration should weigh the depth of control against the operational overhead of maintaining role configurations across every app and user type at scale.
Bottom line
UKG Pro gives mid-enterprise teams a highly configurable permission model, but that configurability is the source of most administrative friction.
The split between employee records and login accounts, future-dated termination gaps, and complex role setup mean that manual provisioning and deprovisioning carry real risk of access errors without disciplined process controls.
Organizations managing more than a few dozen users will find that the overhead of keeping every app's access aligned to current employment status grows quickly without automation.
Automate UKG workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
