Is your HubSpot account growing, and are more teams starting to use it? Granting unrestricted access to each user may seem convenient, but this approach can quickly lead to mistakes, accidental data loss, and unnecessary exposure of sensitive information.
Setting up clear user roles and permissions ensures teams have the exact level of access they need to do their work effectively. It builds accountability, reduces security risks, and keeps your CRM running smoothly across departments.
In this guide, we’ll walk you through setting up user roles in HubSpot. You’ll learn how to manage user permissions, understand the difference between roles and permission sets, and see how these options vary by HubSpot plan.
What Are User Roles and Permissions in HubSpot
Before creating roles, you should understand what roles and permissions mean in HubSpot and why they are important.
A user permission is a setting that controls what a user can do, i.e., create, edit, or delete content or records. Permissions exist across modules such as CRM records (contacts, deals), marketing tools (emails, forms), sales tools, service features, and admin areas.
A user role (or permission set in Enterprise plans) is a collection of permissions grouped. Instead of assigning each permission one by one for every user, you define a role and then assign users to it. This makes permission management scalable and consistent.
Permissions and roles allow you to control sensitive data, reduce risk, and simplify onboarding. As HubSpot states, you can “control and manage user access in one central location” to safeguard customer data and keep teams organized.
Why is Proper Role Setup Important?
Many HubSpot portals run with too many Super Admins or over-permissioned users. That leads to accidental deletions, unauthorized data access, and a general lack of auditability. Without clear roles, the system becomes fragile over time.
Correct role setup provides you with:
- Security: Limit who can change settings, delete records, or import data
- Clarity: Each user knows their access boundary
- Scalability: When new people join, you assign them a role rather than build permissions from scratch
- Accountability: You can track which actions come from which role
Roles also reduce support burden. Instead of “why can’t I see this asset?” tickets, you build the right access.
HubSpot Permission Architecture: Core Domains
To build roles intelligently, first understand how HubSpot organizes permissions. HubSpot divides access into major areas:
1. CRM / Records Permissions
These control access to contacts, companies, deals, tickets, and custom objects. You can grant view, edit, delete, or none. You can also restrict to “records they own”, “team only”, or “all records” (where your subscription allows).
2. Marketing Permissions
This area includes access to lists, emails, forms, landing pages, blog tools, ad tools, CTAs, and file management. You toggle marketing access on before more granular controls appear.
3. Sales & Service Permissions
These cover features like templates, sequences, calling, meetings, ticket tools, and service tools. You can allow publishing, editing, or limited access.
4. Admin / Settings Permissions
This domain covers account settings, billing, integrations, authentication, domain settings, and user management itself. Only users with high-level admin privileges should have many of these.
5. Record-Level Access Rules
For CRM records, you can limit access according to team or ownership levels. You can restrict access to team-owned records for accounts with Professional or Enterprise plans.
6. Permission Sets / Roles (Enterprise Only)
In Enterprise plans, you can build permission sets (roles) and assign multiple users. Users with “Add and edit users” access can only assign permission sets that don’t include permissions they themselves lack.
Read More: HubSpot Reporting 2025: Best Practices & Mistakes to Avoid
How to Set Up User Roles in HubSpot (Step-by-Step)
Now, let’s go through how to create roles and assign permissions in HubSpot.
Step 1: Confirm Access Requirements
Before you start, you must be a Super Admin or have the “Add and edit users” permission in your HubSpot account. Only such users can modify or create user permissions.
Also, if the permissions you want to assign require paid feature seats, make sure you have available seats. Otherwise, HubSpot may prompt an upgrade.
Step 2: Navigate to Users & Teams
- Log into HubSpot.
- Click the Settings icon in the top navigation bar.
- In the left sidebar, go to Users & Teams.
This is your control center to manage all users, teams, and permission sets.
Step 3: Create a Permission Set (if Available)
If your subscription supports permission sets (Enterprise-level), you can create a role definition.
- In Users & Teams, click the Permission Sets tab.
- Click Create Permission Set.
- Name the permission set and choose which permissions it includes.
- Use the Review tab to confirm selected permissions.
- On the Users tab, optionally assign users now or later.
- Click Create to finalize.
Note: Permission sets override individual user permission settings.
Step 4: Assign or Edit a Role / Permission Set for a User
- In the Users tab under Users & Teams, find the user you want to modify.
- Click on their name.
- In the user detail pane, go to the Access tab or similar area where permissions are shown.
- If using permission sets, you will see a dropdown to assign a set.
- If not using permission sets, you manually toggle each permission area (CRM, Marketing, Sales, Admin).
- Save changes when done.
Remember, after changing permissions, the user must log out and log back in for changes to take effect.
Step 5: Configure Record-Level Access
To control which records a user or team can see:
- Still inside Users & Teams, select the user(s).
- Click Edit permissions.
- Find CRM to CRM Objects section.
- Set for each object (contacts, deals, etc.) whether the user sees All records, Team only, Owned only, or None.
- Save changes.
With Professional or Enterprise, you can restrict records by team ownership.
Step 6: Bulk Edit Permissions If Needed
To change permissions for multiple users at once:
- In Users & Teams, use the checkboxes next to usernames.
- Click Edit permissions at the top.
- In the editing interface, adjust permissions for all selected users.
- Save.
Note: Bulk editing works only if the users share the same seat type.
Step 7: Compare Permissions (Professional and Enterprise)
In some tiers, HubSpot allows you to compare permissions between users or permission sets:
- In the Users tab or Permission Sets tab, select users or sets to compare.
- Click Compare access.
- HubSpot shows side-by-side permission differences.
This helps you identify gaps or overlaps before making changes.
Differences by HubSpot Plan
Not all HubSpot plans include the same capabilities around user roles and permissions. How much control you get depends on your subscription level. Understanding these differences ensures you don’t try to use features your plan does not support.
Seat Types and Access Requirements
HubSpot now uses a seat-based model for many features. Each user in Starter, Professional, or Enterprise must occupy a “seat.” Seats come in types:
- View-Only Seat: The user can view the account but cannot make changes. Some tools or features will be disabled.
- Core Seat: Allows normal access to features included in your subscription. Users with core seats can work in the modules they have permission.
- Hub-Specific Paid Seats: For Sales Hub, Service Hub, or Commerce Hub, users need a paid seat to access advanced tools. Features locked behind paid seats won’t be available to users with only core or view-only seats.
Because of this, even if your account is on a paid tier, a user without a paid seat may lack access to key features unless seats are assigned properly.
Permission Sets and Role Granularity (Enterprise Only)
One of the biggest differences is the availability of permission sets (sometimes called custom roles). This is only available in Enterprise-tier plans.
- Permission sets allow you to create a custom bundle of permissions and then assign many users to it. This simplifies large-scale access management.
- In lower plans, you typically assign permissions individually per user rather than using reusable sets.
- The Enterprise plan also allows comparing permissions across users or sets. You can select multiple users or sets and see side-by-side permission differences, which helps audit and adjust access.
Without permission sets, managing larger teams becomes more laborious and error-prone.
Record-Level Access Controls
HubSpot’s control over record visibility changes depending on your plan.
- In all plans, you can set a user to view, edit, or delete records they own or none.
- In Professional and Enterprise plans, you get team-level access or record access by pipeline stage, meaning users can see records owned by their team.
- Lower plans (Free, Starter) do not support team-based record restrictions. Their users must either have full record access or only their own records.
Thus, you must be on Professional or Enterprise if you run region-based teams or want users to see only objects within their team lines.
Limits and Feature Differences That Influence Permissions
Because plans differ in features, your role setup options will differ. Some examples:
- Number of permission sets (or roles): Enterprise offers more flexibility to create many custom roles.
- Custom Objects: Only available in higher tiers, which also affects whether you can assign access to those objects in user roles.
- Field-level permissions, adaptive testing, or advanced workflows are features tied to Enterprise or high-end plans. Users in lower tiers won’t have them; hence, roles cannot grant access to features that don’t exist in your plan.
- Seat limits: As your plan grows, you get more paid seats; lower plans may restrict how many users with full features you can have.
Best Practices for Managing User Roles in HubSpot
Setting up user roles in HubSpot is only effective when managed with a clear plan and regular maintenance. The goal is to balance security, collaboration, and control while keeping your team productive. Following these best practices ensures your account remains secure and easy to scale.
1. Apply the Principle of Least Privilege
Give each user the minimum level of access required to perform their job.
For example, a marketing associate may need permissions to create and send marketing emails but not to delete contacts or modify account settings.
HubSpot allows you to adjust view, edit, and delete rights at a granular level. Keeping permissions tightly scoped reduces accidental data loss and improves security.
2. Limit the Number of Super Admins
Every HubSpot portal needs at least one Super Admin, but too many create unnecessary risk.
Super Admins have unrestricted access, including billing, integrations, and user management.
HubSpot recommends limiting this role to a small, trusted group (usually leadership or operations) and using standard roles for everyone else.
3. Use Permission Sets and Teams for Scalability
Permission sets make management easier by grouping permissions in HubSpot Enterprise accounts. You can create a set once and assign it to multiple users with similar responsibilities.
Pair these with Teams in HubSpot so users automatically inherit access based on department, region, or function. This keeps your structure organized as your company grows.
4. Align Roles with Job Functions
Create roles that mirror how your organization works. For example:
- Marketing Role: Access to forms, email tools, and campaigns
- Sales Role: Access to deals, pipelines, and sequences
- Service Role: Access to tickets, inbox, and knowledge base
- Operations Role: Access to integrations and reporting
Users know where to find what they need without unnecessary overlap when roles reflect real job duties.
5. Audit and Update Permissions Regularly
Roles that made sense last quarter may not fit current responsibilities. Schedule permission reviews at least once every three to six months.
Remove access for users who have changed teams or left the company, and review permissions for new features added to your HubSpot plan. Regular audits maintain accuracy and compliance with internal data policies.
6. Document Role Definitions
Keep a simple reference document listing each role and what it can access. This internal guide helps with onboarding, reduces confusion, and ensures consistency when new admins manage the system later.
You can even export HubSpot’s user permission report and attach it to your documentation for clarity.
7. Communicate Changes Clearly
Whenever you adjust permissions or restructure roles, inform your team. Unexpected access changes can disrupt daily tasks or lead to confusion.
A quick internal update helps users understand why the changes were made and who to contact if they experience issues.
8. Protect Sensitive Information
If your HubSpot portal contains confidential data such as customer payment details, employee records, or financial information, limit that access to authorized users only.
You can use HubSpot’s record-level permissions (All, Team only, or Owned only) to ensure only the right people see sensitive data.
Common Pitfalls to Avoid
Even experienced administrators can make mistakes when managing roles and permissions. Small missteps can lead to data loss, unauthorized changes, or compliance risks. Here are some of the most frequent pitfalls to watch out for, and how to prevent them.
1. Assigning Too Many Permissions Too Quickly
It’s easy to give new users broad access to “save time.” However, this often backfires when someone unintentionally edits records, deletes contacts, or changes workflows.
Always start with essential permissions only, then expand access if truly necessary. HubSpot’s permission structure ensures that additional rights can be granted later without redoing the setup.
2. Having Too Many Super Admins
Many organizations promote users to Super Admin for convenience, which opens the door to critical mistakes.
Super Admins can remove integrations, alter workflows, and modify billing information. Keep this level of access limited to a few people. Everyone else should work under specific roles with restricted privileges.
3. Overlooking Record-Level Access
HubSpot allows you to control whether users see all records, only those they own, or only those assigned to their team.
Ignoring this setting can cause cross-team visibility problems, especially in multi-division organizations.
For instance, a regional sales rep should only view deals in their assigned region. Review this setting whenever you create or modify user roles.
4. Failing to Review Permissions After Team Changes
When employees move departments or leave the company, their HubSpot access often remains unchanged. This oversight can expose data to people who no longer need it.
As part of your offboarding process, immediately revoke or adjust permissions to reflect the employee’s current role. Regular audits help prevent this from slipping through the cracks.
5. Mixing Role-Based and Individual Permissions
A common mistake is assigning a user to a role, then manually adjusting individual permissions for exceptions. Over time, this makes it hard to track who has what access.
Stick to standardized roles or permission sets. If a user needs different rights, consider creating a new role instead of adding manual overrides.
6. Ignoring Compliance Requirements
If your company operates under GDPR, CCPA, or similar data regulations, you must know who has access to customer information.
Broad permissions can lead to unauthorized data exports or accidental sharing. Restrict sensitive data access to compliant teams and ensure audit logs are active for accountability.
7. Forgetting to Communicate Changes
Permission updates take effect only after users log out and back in. Failing to inform your team can lead to confusion when they suddenly lose access or see missing tools.
Always communicate upcoming permission changes and provide a quick guide on how to refresh access.
8. Not Testing New Roles Before Applying to Everyone
Before you roll out new permission sets across your organization, test them with a small pilot group.
This allows you to verify that every workflow functions properly and that no critical access is missing. Once confirmed, you can assign the role more widely.
Read More: 5 Common Mistakes to Avoid When Setting Up HubSpot
How the Automation Strategists Group Can Help
As a certified HubSpot partner, Automation Strategists Group specializes in setting up roles and permissions that align with your business needs.
We help you audit existing access, design clean role structures, and implement assignments that grow with your organization.
Our services include:
- Permission audit to find overexposed accounts
- Role structure design (for your subscription tier)
- Implementation of permission sets and user assignments
- Ongoing training and governance policies
- Scheduled audits and updates
Schedule a free consultation call to know how we can help you.
Final Thoughts
You can set up user roles in HubSpot by going to Settings and then Users & Teams, creating permission sets or roles (on applicable plans), assigning permissions across CRM, marketing, sales, and admin modules, and then assigning users to those roles. Always audit and update permissions to maintain security.
Setting up user roles and managing permissions in HubSpot is not a one-time task. When you assign access intentionally, you protect your data, maintain control, and enable your team to work confidently.
Start by confirming admin access, building roles or permission sets that match real job functions, assigning those to your users, and periodically revisiting the setup. With the right role design, your HubSpot portal becomes safer, more efficient, and easier to scale.
Frequently Asked Questions
What is the difference between a role and a permission set in HubSpot?
A role (or permission set in Enterprise) is a named bundle of permissions you define once and assign to multiple users. Permission sets simplify management, so you don’t have to configure each user individually.
Can a non-Super Admin edit user roles?
If a user has “Add and edit users” permission, they can assign or edit roles/permission sets, but only those sets containing permissions they hold. They cannot grant permissions beyond their own scope.
What happens when I assign a permission set to a user?
Assigning a permission set replaces any individual permission settings the user had. To change permissions further, you must either adjust the permission set or remove the user.
How often should I audit permissions?
Regular reviews are essential, so aim for at least every quarter. Also, audit when your team structure changes, when you add features or integrations, or after mergers or acquisitions. This ensures permissions always reflect current roles.
Will permission changes take effect immediately?
Most permission changes in HubSpot take effect within a few minutes. However, users may need to refresh their browser or log out and log back in to see new tools or features reflected in their portal. HubSpot processes these updates in real time, but caching or browser sessions can delay visibility slightly.
