Building a HubSpot Permissions Strategy That Scales
Early-stage companies give everyone full access because it's easier. Five people, everyone knows everyone, nobody's going to break anything. Then you hit 30 users and realize three interns can export your entire customer database, a former employee's account is still active, and nobody knows which permission set does what.
We've cleaned up permissions in portals ranging from 15 to 400+ users. The pattern is always the same: it was fine when we were small, and then it wasn't. Here's how to build a permissions strategy that doesn't need a complete overhaul every time you hire.
Start With Least Privilege
The principle is simple: users get access to what they need for their job. Nothing more. In practice, this means starting from zero and adding permissions as each need is demonstrated, not starting from "everything" and trying to lock things down. The second approach never works because you'll always miss something.
A sales rep doesn't need to edit workflows. A marketing coordinator doesn't need to see deal amounts. Your finance team doesn't need to send marketing emails. These sound obvious, but in most portals we audit, 40-60% of users have more access than their role requires. That's not just a security problem. It's a "someone accidentally deleted a list of 12,000 contacts" problem. We've seen it happen.
Design Around Roles, Not Individuals
Don't grant permissions to John. Grant permissions to "Sales Rep" and assign John to that role. When John gets promoted to Sales Manager, you change his role assignment. When John leaves and Sarah replaces him, you assign Sarah the same role. No guesswork, no forgotten permissions hanging around.
HubSpot's permission sets make this straightforward. Create a set for each functional role, name them clearly (not "Custom Set 3"), and document what each set includes. When someone asks for extra access, you're making a decision about the role, not the person. That distinction matters more than it sounds.
Build Your Role Structure
Here's a starting framework that works for most B2B companies with 20-100 HubSpot users:
- Sales Rep: Own contacts, own deals, view reports, no export, no bulk delete, no workflow access
- Sales Manager: Team contacts, team deals, edit reports, export own team's data, view (not edit) workflows
- Marketing User: All contacts (view), marketing tools, lists, email, no deal access
- Marketing Manager: Full marketing access, blog, social, ads, reporting, limited CRM edit
- Service Rep: Tickets, knowledge base, own contacts, no deals
- Admin: Settings, properties, workflows, integrations. Not super admin. Can't manage users or billing
- Super Admin: Everything. Two or three people, max. If you have more than four, you have too many
Adapt this to your org, but resist the urge to create 15 different permission sets. Complexity is the enemy of maintainability. Six to eight roles covers most companies well.
Handle Exceptions Thoughtfully
Exceptions will happen. A product manager needs temporary access to deal data for a pricing analysis. A consultant needs limited portal access for three months. The key is treating these as exceptions, not as reasons to change your whole structure.
For each exception: document why it's needed, grant the minimum specific access required, set a calendar reminder to revoke it, and actually revoke it when the time comes. That last part is where most companies fail. We've found "temporary" elevated permissions that have been active for two years. Good hygiene practices apply to permissions too, not just data.
Review Regularly
Permissions drift. People change roles, leave the company, get temporary access that becomes permanent. Without regular review, your careful structure erodes within months.
Quarterly, spend 30 minutes on this:
- List all super admins. Can you justify each one?
- Find users who haven't logged in for 60+ days. Deactivate or investigate
- Review any permission exceptions still active. Still needed?
- Check role assignments against actual job titles. Anyone misclassified?
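As an added example (not the audit tool mentioned below, and not anything from HubSpot), here is the role framework above and the quarterly checklist turned into a script over a user export: it flags excess super admins, stale logins, expired exceptions and users holding permissions beyond their role. The permission names, the export layout and the accounts are constructed placeholders; the job-title check is left out because it needs your own title-to-role map.

```python
from datetime import date

# Constructed role model following the starting framework above (abbreviated);
# permission names are placeholders, not HubSpot's own identifiers.
ROLE_PERMISSIONS = {
    "Sales Rep": {"contacts:own", "deals:own", "reports:view"},
    "Sales Manager": {"contacts:team", "deals:team", "reports:edit",
                      "export:team", "workflows:view"},
    "Marketing User": {"contacts:view", "marketing", "lists", "email"},
    "Admin": {"settings", "properties", "workflows:edit", "integrations"},
    "Super Admin": {"*"},  # everything
}
MAX_SUPER_ADMINS = 4  # more than four and you have too many
INACTIVE_DAYS = 60    # no login for 60+ days: deactivate or investigate


def quarterly_review(users, today):
    """Run the checklist over a user export; return (email, finding) pairs."""
    findings = []
    supers = [u["email"] for u in users if u["role"] == "Super Admin"]
    if len(supers) > MAX_SUPER_ADMINS:
        findings.append(("*", f"{len(supers)} super admins, max is {MAX_SUPER_ADMINS}"))
    for u in users:
        if (today - u["last_login"]).days >= INACTIVE_DAYS:
            findings.append((u["email"], "no login for 60+ days"))
        allowed = set(ROLE_PERMISSIONS[u["role"]])
        exc = u.get("exception")  # documented temporary grant, if any
        if exc and exc["expires"] < today:
            findings.append((u["email"], f"exception '{exc['reason']}' expired {exc['expires']}"))
        elif exc:
            allowed |= set(exc["perms"])  # still inside its window, so it counts
        if "*" not in allowed:
            extra = set(u["permissions"]) - allowed
            if extra:
                findings.append((u["email"], f"beyond role: {sorted(extra)}"))
    return findings


# Constructed sample export (placeholder accounts), reviewed on REVIEW_DATE.
REVIEW_DATE = date(2024, 7, 1)
SAMPLE_USERS = [
    {"email": "rep@example.com", "role": "Sales Rep", "last_login": date(2024, 6, 28),
     "permissions": ["contacts:own", "deals:own", "reports:view", "export:team"]},
    {"email": "former@example.com", "role": "Marketing User", "last_login": date(2024, 2, 1),
     "permissions": ["contacts:view", "lists"]},
    {"email": "pm@example.com", "role": "Marketing User", "last_login": date(2024, 6, 30),
     "permissions": ["contacts:view", "lists", "deals:team"],
     "exception": {"perms": ["deals:team"], "expires": date(2024, 3, 31), "reason": "pricing analysis"}},
]
```

Calling `quarterly_review(SAMPLE_USERS, REVIEW_DATE)` on the sample returns four findings: the rep's stray export right, the stale marketing login, and the product manager's expired exception together with the deal access it left behind.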
You can also run our free audit tool, which flags excessive super admin counts and users whose permissions don't match their activity patterns.
Document Your Structure
Write it down. Not a 40-page policy document nobody reads. A single page that covers: your permission philosophy (least privilege, role-based), your role definitions (what each permission set includes and why), your exception process (how to request, who approves, when it expires), and your review schedule.
Put it somewhere your admins can actually find it. Link it in your HubSpot implementation documentation. When someone asks "why can't I export contacts?", you point them to the document instead of having the same conversation for the twentieth time.
Need help building a permissions strategy? We've designed access structures for companies from startup to 500+ users. See our implementation services or book a discovery call.