Table of Contents
Managing a HubSpot portal ain't always easy, and it's important that it's done the right way.

In 2026, keeping your portal secure and your team productive comes down to two things: HubSpot user permissions and the new HubSpot seat-based pricing model. This guide will walk you through exactly how to set up your team, save money on licenses, and lock down your data with confidence.
TL;DR: The "Cheat Sheet" for 2026
- The Big Change: You no longer just add a "User." You assign a Seat (Core, Sales, Service, or View-Only) first, then fine-tune their permissions.
- Cost Saver: Use View-Only Seats for anyone who just needs to look at data. They are free and unlimited.
- AI Control: You must manually toggle Breeze AI permissions. Don't let AI run wild without a "Reviewer" role.
- Security Priority: Check your Security Health Score quarterly. If you have more than 3-5 Super Admins, your score (and security) will drop.
What is a HubSpot Seat?
A seat is a specific license assigned to a user that determines which tools they can use. In the 2026 model, you no longer pay for every person who enters the portal. You only pay for Core, Sales, or Service seats for people who need to create or edit data.
For everyone else, like executives or outside partners, you use View-Only Seats, which are free and unlimited.
Want to try permissions management yourself? Start with HubSpot Free CRM and set up user roles, access levels, and basic reporting.
(Affiliate link: if you sign up, we may earn a commission at no extra cost to you.)
1. Understanding HubSpot Seat-Based Pricing
If you haven't checked your billing lately, the landscape has changed. HubSpot moved away from "unlimited users" and now uses a seat-based model. Think of a "Seat" as a license that determines what a person can actually do.
Definition: Core Seat
The baseline paid seat required for any user who needs to edit data (contacts, workflows, etc.) across any of your purchased Hubs.
The Three Main Seat Types
- Core Seats: These are your "doers." If someone needs to edit a contact, build a workflow, or draft an email, they need a Core Seat.
- Sales & Service Seats: These are for your power users. These seats unlock "heavy hitter" tools like Sales Sequences, Playbooks, and Lead Rotation.
- View-Only & Partner Seats: These are free. Use them for executives who just need to see reports or agencies (like us!) that need to check your settings.
Real-World Example
You hire a freelance SEO consultant for a three-month project. Instead of paying $50–$100/month for a Core Seat they won't fully use, you assign them a View-Only Seat. They can see your blog performance and traffic analytics, but they are blocked from touching your live website code or viewing private sales deals.
Need advanced role-based access control? The HubSpot Starter Customer Platform (Monthly) gives you automation plus scalable security settings.
(Affiliate link: if you purchase, we may earn a commission at no extra cost to you.)
2. Managing Permissions by Hub
Navigate to the Settings icon (sprocket) in the left-hand navigation sidebar and select Users & Teams.
Definition: Permission Set
A pre-defined "template" of access levels that you can apply to multiple users at once. This ensures everyone in the same role (e.g., "SDRs") has the exact same access.
Marketing Hub: Guarding the Brand & AI
With Breeze AI now integrated into everything, you have to decide who gets to play with the robots.
- Breeze AI & Assistants: Toggle "Generative AI" access on or off in the AI settings.
- Draft-Only Publishing: Ensure junior staff can draft social posts and emails, but only a manager can hit "Publish."
Real-World Example
A marketing intern uses Breeze AI to generate 10 social media posts. Because their permissions are set to "Draft Only," the posts stay in the queue. A Senior Manager reviews them for accuracy before they go live, preventing any "AI hallucinations" from reaching your customers.
Sales & Service: Protecting the Pipeline
- Record Ownership: Most organizations should set permissions to "Owned Only." This means a rep can only see the deals they are working on.
- Commerce & Quotes: Restrict "Edit Quotes" to managers to prevent unauthorized discounting.
Real-World Example
A Sales Rep in California shouldn’t be able to see the notes or deal values for a rep in New York. By setting Deals Permission to "Owned Only," you prevent "lead poaching" and keep your sales team focused on their own assigned territory.
3. The Gold Standard: HubSpot Super Admin Permissions
Being a Super Admin is like having the "Master Key" to the entire building. They can see everything, change billing, and even delete the entire portal.
Definition: Super Admin
The highest level of access in HubSpot. Super Admins can manage billing, add/delete users, and override almost every other permission setting in the portal.
Best Practices for Super Admins
- The Power of Two: We recommend having exactly two Super Admins. One is too risky (if they leave), and five is a security nightmare.
- Security Health Score: Found in the Security Center, this score (A-F) assesses risk factors like Super Admin count and 2FA enrollment.
Real-World Example
An employee leaves the company on bad terms. If they had Super Admin permissions, they could theoretically export your entire customer list. Because your other Admin uses the Security Center, they see a "High-Risk Action" alert and revoke access before the export is even finished.
4. Scaling with Audit Logs (The Paper Trail)
If a workflow suddenly stops working, you need to know why. The Audit Log shows exactly who changed what and when.
Definition: Audit Log
A chronological record of all major changes made in the portal, including user logins, permission updates, and record deletions.
Real-World Example
A critical automated email stops sending. You check the Audit Log and see that a new hire accidentally toggled the workflow to "Inactive" at 2:00 PM yesterday. You can see exactly who did it, fix the mistake, and use it as a quick training moment.
5. Security in the Ecosystem: API & App Permissions
Your HubSpot is likely connected to things like Slack, Zoom, or Gmail. Managing these "non-human" users is just as important as your staff.
Definition: Scoped Permissions (Private Apps)
Limiting an API or app integration so it can only access specific parts of your data (e.g., "Read Contacts") rather than the whole portal.
Real-World Example
You build a custom app to sync shipping numbers from your warehouse. Instead of giving that app access to your whole CRM, you create a Private App with a scope limited only to "Deals: Write." If that app is ever compromised, your customer names and email addresses stay safe.
Frequently Asked Questions About HubSpot User Permissions
What are HubSpot user permissions?
HubSpot user permissions control what each person can view, edit, publish, delete, or manage within a HubSpot portal. Administrators can assign permissions based on job responsibilities, helping protect sensitive data while giving employees access to the tools they need.
What is the difference between HubSpot seats and user permissions?
A HubSpot seat determines which features a user can access, while user permissions determine what actions they can perform within those features. For example, a user may have a Core Seat but only have permission to edit records they own, while another user with the same seat may have full administrative access.
How many Super Admins should a HubSpot portal have?
Most organizations should limit their HubSpot portal to two or three Super Admins. Keeping the number of Super Admins low reduces security risks while ensuring the business still has backup administrators if someone leaves or is unavailable.
What are HubSpot permission sets?
HubSpot permission sets are reusable templates that assign the same permissions to multiple users at once. They help organizations standardize access across teams, simplify onboarding, and reduce the risk of inconsistent or overly broad permissions.
How often should you review HubSpot user permissions?
Businesses should review HubSpot user permissions at least once per quarter and whenever employees change roles or leave the company. Regular permission audits improve security, ensure users have appropriate access, and help maintain compliance as teams and systems evolve.



