HubSpot Roles and Permissions
HubSpot provides predefined roles with specific permissions to control what users can access and modify. Understanding these roles is critical for secure and efficient team management.
Permission Model Overview
HubSpot uses a role-based access control (RBAC) system:
- Roles define a set of permissions
- Users are assigned one or more roles
- Permissions control access to tools and data
Permission Levels
- View - Can see data but not edit
- Edit - Can modify existing records
- Create - Can create new records
- Delete - Can remove records
- Publish - Can make content live (CMS specific)
- Access - Can use specific tools or settings
Standard HubSpot Roles
Super Admin
Description: Full access to everything in the portal
Best for: Account owners, technical administrators
Permissions:
- ✅ All HubSpot tools and features
- ✅ All content (create, edit, publish, delete)
- ✅ All settings (account, integrations, billing)
- ✅ User management (add, edit, remove users)
- ✅ Design tools (templates, modules)
- ✅ API access and integrations
- ✅ Billing and subscription management
- ✅ Domain and DNS settings
- ✅ Delete portal (critical action)
CMS Specific:
- Full access to Site Header/Footer HTML
- Can modify templates and modules
- Can publish and unpublish any content
- Can manage domains and URLs
Caution: Only assign to trusted administrators. Super Admins can:
- Delete all portal data
- Remove other admins
- Change billing
- Access all customer data
Marketing
Description: Comprehensive marketing tool access
Best for: Marketing managers, campaign managers
Permissions:
- ✅ Email campaigns
- ✅ Landing pages
- ✅ Forms and CTAs
- ✅ Blogs
- ✅ Social media tools
- ✅ Marketing analytics
- ✅ Workflows
- ✅ Lists and contacts
- ❌ Cannot delete portal
- ❌ Cannot manage billing
- ❌ Limited user management
CMS Specific:
- Can create and edit pages
- Can publish pages
- Can edit blog posts
- Can manage website files
- Cannot access Site Header/Footer HTML
- Cannot modify templates (view only)
Use case: Team member who creates campaigns and content but doesn't need full admin access.
Sales
Description: Sales tools and CRM access
Best for: Sales representatives, account executives
Permissions:
- ✅ Contacts and companies
- ✅ Deals and pipelines
- ✅ Sales activities
- ✅ Sequences
- ✅ Sales analytics
- ✅ Calling and meeting scheduler
- ❌ Limited marketing tools
- ❌ No CMS access
- ❌ No settings access
CMS Specific:
- No page editing capabilities
- No blog access
- May view published content
Use case: Sales team members who need CRM access but not website/content management.
Service
Description: Customer service tools access
Best for: Support representatives, customer success
Permissions:
- ✅ Tickets and conversations
- ✅ Knowledge base
- ✅ Customer feedback
- ✅ Service analytics
- ✅ Help desk tools
- ❌ Limited marketing/sales tools
- ❌ No CMS editing access
CMS Specific:
- Can view knowledge base articles
- Can create/edit KB content
- No website page access
Website Editor
Description: CMS content management without settings
Best for: Content editors, marketing coordinators
Permissions:
- ✅ Create and edit website pages
- ✅ Create and edit landing pages
- ✅ Create and edit blog posts
- ✅ Manage files and images
- ✅ Edit HubSpot forms and CTAs
- ✅ View page analytics
- ❌ Cannot access Site Header/Footer HTML
- ❌ Cannot edit templates or modules
- ❌ Cannot manage domains
- ❌ Cannot access settings
- ❌ Cannot manage users
CMS Specific:
- Full content editing capabilities
- Can publish content
- Can organize files in File Manager
- Can use Design Tools (view only)
- Cannot modify tracking codes
Use case: Content manager who creates and publishes pages but doesn't need access to technical settings.
Website Contributor
Description: Limited CMS access for blog writing
Best for: Guest bloggers, freelance writers, contractors
Permissions:
- ✅ Create blog posts
- ✅ Edit own blog posts
- ✅ Upload images to blog posts
- ✅ View blog analytics
- ❌ Cannot publish blog posts (must submit for review)
- ❌ Cannot create website pages
- ❌ Cannot access settings
- ❌ Cannot manage users
- ❌ Cannot edit other users' posts
CMS Specific:
- Blog-only access
- Submit posts for review workflow
- Cannot access File Manager directly
- Cannot edit templates
Use case: External contributor who writes blog content that needs approval before publishing.
View-Only
Description: Read-only access to portal data
Best for: Executives, stakeholders, auditors
Permissions:
- ✅ View all content
- ✅ View analytics and reports
- ✅ View contacts and deals
- ❌ Cannot edit anything
- ❌ Cannot create content
- ❌ Cannot publish
- ❌ Cannot access settings
CMS Specific:
- Can view published pages
- Can view page analytics
- Cannot edit or create
Use case: Executive who needs to review performance but not make changes.
Hub-Specific Roles
CMS Hub Professional
Additional roles:
- CMS Contributor - Content creation with approval workflow
- CMS Editor - Content editing and publishing
Marketing Hub Enterprise
Additional roles:
- Marketing Administrator - Settings access without Super Admin
- Campaign Manager - Campaign-specific permissions
Sales Hub Enterprise
Additional roles:
- Sales Administrator - Sales settings management
- Sales Manager - Team oversight capabilities
Service Hub Enterprise
Additional roles:
- Service Administrator - Service settings management
- Service Manager - Team and workflow management
Custom Roles (Enterprise Only)
Enterprise subscriptions allow creating custom roles with granular permissions.
Creating Custom Roles
- Settings → Users & Teams → Permission Sets
- Click Create permission set
- Name the role
- Select specific permissions:
- Tool access (which tools)
- Data access (which records)
- Scope (all teams or specific teams)
Custom Permission Examples
Content Approver:
- View: All content
- Edit: None
- Publish: All content
- Settings: None
SEO Specialist:
- View: All pages
- Edit: Page meta data, URLs
- Publish: None (submit for review)
- Settings: URL redirects
Analytics Viewer:
- View: All analytics reports
- Edit: None
- Publish: None
- Settings: None
Permission Scopes
Account-level:
- All content across portal
- All teams
Team-level:
- Only content owned by specific teams
- Useful for multi-brand or multi-site setups
Individual-level:
- Only content created by that user
- Prevents editing others' work
Permission Matrix
CMS Permissions
| Action | Super Admin | Marketing | Website Editor | Website Contributor |
|---|---|---|---|---|
| Create pages | ✅ | ✅ | ✅ | ❌ |
| Edit pages | ✅ | ✅ | ✅ | ❌ |
| Publish pages | ✅ | ✅ | ✅ | ❌ |
| Delete pages | ✅ | ✅ | ❌ | ❌ |
| Create blog posts | ✅ | ✅ | ✅ | ✅ |
| Edit own blog posts | ✅ | ✅ | ✅ | ✅ |
| Edit others' posts | ✅ | ✅ | ✅ | ❌ |
| Publish blog posts | ✅ | ✅ | ✅ | ❌ |
| Access Design Tools | ✅ | View only | View only | ❌ |
| Edit templates | ✅ | ❌ | ❌ | ❌ |
| Edit Site Header HTML | ✅ | ❌ | ❌ | ❌ |
| Manage domains | ✅ | ❌ | ❌ | ❌ |
| Manage files | ✅ | ✅ | ✅ | Blog only |
Settings Permissions
| Action | Super Admin | Marketing | Sales | Website Editor |
|---|---|---|---|---|
| Account settings | ✅ | ❌ | ❌ | ❌ |
| User management | ✅ | Limited | Limited | ❌ |
| Billing | ✅ | ❌ | ❌ | ❌ |
| Integrations | ✅ | Limited | Limited | ❌ |
| Marketing settings | ✅ | ✅ | ❌ | ❌ |
| Sales settings | ✅ | ❌ | Limited | ❌ |
| CMS settings | ✅ | Limited | ❌ | ❌ |
| API access | ✅ | ❌ | ❌ | ❌ |
Special Permissions
Design Tools Access
Who has access:
- Super Admin: Full (edit, create, delete)
- Marketing: View only
- Website Editor: View only
What you can do:
- Create templates
- Edit modules
- Modify global CSS/JavaScript
- Build custom CMS components
Requirement: Technical knowledge of HTML, CSS, HubL
Site Header/Footer HTML
Who has access:
- Super Admin only
What it controls:
- Global tracking codes (GA4, GTM, Meta Pixel)
- Custom scripts and styles
- Third-party integrations
Why restricted: Critical for analytics; incorrect code can break site.
Domain Management
Who has access:
- Super Admin only
What you can do:
- Connect domains
- Configure DNS
- Set up SSL certificates
- Manage URL redirects
Why restricted: Domain changes can break website access.
Role Assignment Best Practices
1. Start Minimal
Assign the least permissive role:
- Blog writer → Website Contributor
- Content manager → Website Editor
- Only trusted admins → Super Admin
Increase permissions only when necessary.
2. Regular Role Reviews
Quarterly review:
- Is role still appropriate?
- Has user's job changed?
- Do they need more/fewer permissions?
3. Document Role Assignments
Maintain spreadsheet:
User | Role | Reason | Date Assigned | Review Date
John | Super Admin | IT Manager | 2024-01-01 | 2024-07-01
Jane | Website Editor | Content Lead | 2024-02-15 | 2024-08-15
4. Limit Super Admins
Recommended:
- 2-3 Super Admins maximum
- Primary account owner
- Technical administrator
- Backup administrator
Avoid: Giving Super Admin to anyone who "might need it."
5. Use Team Permissions
For large organizations:
- Assign users to teams
- Use team-based permissions
- Content owned by teams, not individuals
Upgrading User Permissions
When to Upgrade
Website Contributor → Website Editor:
- Consistently creates quality content
- Needs to edit pages, not just blog
- Requires self-publishing capability
Website Editor → Marketing:
- Managing campaigns beyond content
- Needs workflow and email access
- Responsible for marketing strategy
Marketing → Super Admin:
- Promoted to admin role
- Needs user management access
- Requires full settings control
How to Upgrade
- Settings → Users & Teams → Users
- Click user name
- Edit → Change role
- Save
- Document change in audit log
Troubleshooting Permission Issues
User Can't Access Feature
Check:
- User's role includes that permission
- Feature available in subscription (Professional, Enterprise)
- Not restricted by team permissions
- Not blocked by custom permission set
User Can't Publish Content
Common causes:
- Website Contributor role (can't publish)
- Content assigned to different team
- Approval workflow enabled
Solution: Upgrade to Website Editor or have authorized user publish.
User Can't See Analytics
Check:
- Role includes analytics access
- Not filtered by team (only see own team's data)
- Sufficient subscription level
User Can Edit But Not Delete
Expected behavior: Some roles can edit but not delete.
Example: Website Editor can edit pages but not delete them (Super Admin only).
Security Recommendations
Critical Permissions
Restrict to Super Admins only:
- Billing and subscriptions
- User management (adding/removing)
- Domain and DNS settings
- Site Header/Footer HTML
- API key management
- Portal deletion
Multi-Factor Authentication
Require for:
- All Super Admins (mandatory)
- Marketing users (recommended)
- Anyone with publishing access (recommended)
Activity Monitoring
Review regularly:
- Settings → Users & Teams → Activity Log
- Track user logins
- Monitor permission changes
- Review data exports
Next Steps
- Adding/Removing Users - Manage users step-by-step
- User Management Overview - General user management
- HubSpot CMS Hub - Platform overview
For official documentation, see HubSpot User Permissions.