Who Has Super Admin Access? (And Should They?)
Super admins can do anything in HubSpot. Delete 50,000 contacts. Export your entire customer database to a CSV. Disconnect integrations. Modify billing. Remove other users. There's no "are you sure?" for most of these actions.
So how many super admins does your portal have? If you don't know the exact number, that's already a problem. We've audited portals with 3 users total — all three super admins. We've seen portals with 200 users and 40 super admins. Neither is good.
The Right Number of Super Admins
For most companies: 2-3. A primary HubSpot administrator who actively manages the portal. A backup who can step in when the primary is unavailable. Maybe a third from IT or security if your compliance requirements demand it.
That's it. Not "everyone on the ops team." Not "all the managers." Not "anyone who might need to change a setting someday." Two or three people who understand what super admin access means and actively need it for their daily work.
How the Problem Starts
It's always the same story. During initial setup, everyone gets super admin because it's easier than figuring out permissions. Then new people join and get the same access because "just give them what Sarah has." Nobody ever downgrades. People leave the company and their accounts sit there with full access for months.
Or someone needs to change one setting, and instead of granting specific permission, the admin thinks "easier to just make them a super admin." Multiply that decision by 30 people over 3 years and you've got a security problem.
The Real Risks
Accidental damage. A super admin who doesn't know what they're doing can accidentally delete a property used by 15 workflows. We've seen it. One person deleted a custom property they thought was unused — it broke lead routing for two days before anyone noticed.
Data exposure. Every super admin can export your entire database. That's every contact, every deal amount, every note. If that person leaves the company (or their account gets compromised), that's a data breach waiting to happen.
Compliance liability. GDPR, SOC 2, and most security frameworks require the principle of least privilege. "Everyone is an admin" fails every audit.
Configuration chaos. When 15 people can all modify workflows, create properties, and change settings, nobody knows who changed what or why. We've spent days untangling portal configurations where multiple admins made conflicting changes.
How to Audit Your Super Admins
Go to Settings → Users & Teams. Filter by permission set or just scan the list. For each super admin, ask three questions:
1. Does this person actively manage HubSpot as part of their job? (Not "do they use HubSpot" — do they manage it?)
2. When did they last log in? If it's been 60+ days, they probably don't need super admin access. They might not need access at all.
3. Could their work be done with a more limited permission set?
Most people who have super admin access actually need something like "can edit workflows and manage properties" — which is a much narrower permission set.
Building a Permission Structure That Works
HubSpot's permission system is more granular than most people realize. You can control access to specific tools, limit who can delete records, restrict data export, and even control who can modify which pipelines.
Start with these basic roles:
Sales Rep: Can view and edit their own contacts/deals. Can log activities. Can use sequences. Cannot delete records or export data.
Sales Manager: Same as rep, plus can view team data. Can create reports. Can manage their team's pipeline.
Marketing User: Can manage emails, forms, and campaigns. Cannot access deals or financial data.
Admin: Can modify settings, workflows, and properties. Cannot change billing or manage other admins.
Super Admin: Full access. 2-3 people only.
This takes about an hour to set up properly. That hour prevents months of problems. If you want to go deeper, we've written about building this during implementation so it scales from day one.
Quick Wins You Can Do Today
Remove super admin from anyone who hasn't logged in for 90 days. Downgrade anyone who doesn't actively manage the portal to a more appropriate permission set. Enable two-factor authentication for all remaining super admins. Document who has super admin access and why.
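The audit questions and quick wins above can be applied mechanically to a user list. The following Python script is an added example, not code from this article or from HubSpot; the CSV column names, the sample accounts, and the choice to treat an account that has never logged in as stale are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not HubSpot's format.
SAMPLE_EXPORT = """email,super_admin,last_login,two_factor,manages_portal
ops.lead@example.com,true,2024-05-28,true,true
backup.admin@example.com,true,2024-05-10,false,true
sales.vp@example.com,true,2024-03-20,true,false
former.employee@example.com,true,2023-11-02,false,false
unused.invite@example.com,true,,false,false
rep@example.com,false,2024-05-30,false,false
"""

REVIEW_AFTER_DAYS = 60  # audit question 2: 60+ days since last login
REMOVE_AFTER_DAYS = 90  # quick win: no login for 90 days
MAX_SUPER_ADMINS = 3    # the article's target is 2-3


def audit_super_admins(export_text, today):
    """Map each super admin's email to a list of recommended actions."""
    findings = {}
    for raw in csv.DictReader(io.StringIO(export_text)):
        row = {k: (v or "").strip().lower() for k, v in raw.items()}
        if row["super_admin"] != "true":
            continue
        # Assumption: a blank last_login (never signed in) is treated as stale.
        idle = (today - date.fromisoformat(row["last_login"])).days if row["last_login"] else None
        actions = []
        if idle is None or idle >= REMOVE_AFTER_DAYS:
            actions.append("remove super admin")
        else:
            if idle >= REVIEW_AFTER_DAYS:
                actions.append("review: 60+ days since last login")
            if row["manages_portal"] != "true":
                actions.append("downgrade to a narrower permission set")
            elif row["two_factor"] != "true":
                actions.append("enable two-factor authentication")
        findings[row["email"]] = actions
    return findings


if __name__ == "__main__":
    report = audit_super_admins(SAMPLE_EXPORT, date(2024, 6, 1))
    for email, actions in report.items():
        print(email, "->", "; ".join(actions) or "ok")
    print("over limit:", len(report) > MAX_SUPER_ADMINS)
```

The `manages_portal` column stands in for the first audit question, which only a person can answer; fill it in by hand before running the script.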
Run our free portal audit — it flags excessive super admin access along with other permission issues you might be missing.
Need help cleaning up your HubSpot permissions? Check out our ongoing support services or book a discovery call.