Managing a HubSpot portal ain't always easy, and it's important that it's done the right way.

In 2026, keeping your portal secure and your team productive comes down to two things: HubSpot user permissions and the new HubSpot seat-based pricing model. This guide will walk you through exactly how to set up your team, save money on licenses, and lock down your data with confidence.
TL;DR: The "Cheat Sheet" for 2026
- The Big Change: You no longer just add a "User." You assign a Seat (Core, Sales, Service, or View-Only) first, then fine-tune their permissions.
- Cost Saver: Use View-Only Seats for anyone who just needs to look at data. They are free and unlimited.
- AI Control: You must manually toggle Breeze AI permissions. Don't let AI run wild without a "Reviewer" role.
- Security Priority: Check your Security Health Score quarterly. If you have more than 3-5 Super Admins, your score (and security) will drop.
1. Understanding HubSpot Seat-Based Pricing
If you haven't checked your billing lately, the landscape has changed. HubSpot moved away from "unlimited users" and now uses a seat-based model. Think of a "Seat" as a license that determines what a person can actually do.
Definition: Core Seat
The baseline paid seat required for any user who needs to edit data (contacts, workflows, etc.) across any of your purchased Hubs.
The Three Main Seat Types
- Core Seats: These are your "doers." If someone needs to edit a contact, build a workflow, or draft an email, they need a Core Seat.
- Sales & Service Seats: These are for your power users. These seats unlock "heavy hitter" tools like Sales Sequences, Playbooks, and Lead Rotation.
- View-Only & Partner Seats: These are free. Use them for executives who just need to see reports or agencies (like us!) that need to check your settings.
Real-World Example
You hire a freelance SEO consultant for a three-month project. Instead of paying $50–$100/month for a Core Seat they won't fully use, you assign them a View-Only Seat. They can see your blog performance and traffic analytics, but they are blocked from touching your live website code or viewing private sales deals.
2. Managing Permissions by Hub
Navigate to the Settings icon (sprocket) in the left-hand navigation sidebar and select Users & Teams.
Definition: Permission Set
A pre-defined "template" of access levels that you can apply to multiple users at once. This ensures everyone in the same role (e.g., "SDRs") has the exact same access.
Marketing Hub: Guarding the Brand & AI
With Breeze AI now integrated into everything, you have to decide who gets to play with the robots.
- Breeze AI & Assistants: Toggle "Generative AI" access on or off in the AI settings.
- Draft-Only Publishing: Ensure junior staff can draft social posts and emails, but only a manager can hit "Publish."
Real-World Example
A marketing intern uses Breeze AI to generate 10 social media posts. Because their permissions are set to "Draft Only," the posts stay in the queue. A Senior Manager reviews them for accuracy before they go live, preventing any "AI hallucinations" from reaching your customers.
Sales & Service: Protecting the Pipeline
- Record Ownership: Most organizations should set permissions to "Owned Only." This means a rep can only see the deals they are working on.
- Commerce & Quotes: Restrict "Edit Quotes" to managers to prevent unauthorized discounting.
Real-World Example
A Sales Rep in California shouldn’t be able to see the notes or deal values for a rep in New York. By setting Deals Permission to "Owned Only," you prevent "lead poaching" and keep your sales team focused on their own assigned territory.
3. The Gold Standard: HubSpot Super Admin Permissions
Being a Super Admin is like having the "Master Key" to the entire building. They can see everything, change billing, and even delete the entire portal.
Definition: Super Admin
The highest level of access in HubSpot. Super Admins can manage billing, add/delete users, and override almost every other permission setting in the portal.
Best Practices for Super Admins
- The Power of Two: We recommend having exactly two Super Admins. One is too risky (if they leave), and five is a security nightmare.
- Security Health Score: Found in the Security Center, this score (A-F) assesses risk factors like Super Admin count and 2FA enrollment.
Real-World Example
An employee leaves the company on bad terms. If they had Super Admin permissions, they could theoretically export your entire customer list. Because your other Admin uses the Security Center, they see a "High-Risk Action" alert and revoke access before the export is even finished.
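Here is one way to run the Super Admin and 2FA checks from this section (plus the View-Only cost saver from the cheat sheet) as a repeatable review. It is an added example, not HubSpot code: the export columns (`seat`, `super_admin`, `two_factor`, `edits_last_90d`) and the sample rows are constructed, so map them to whatever your own user export contains.

```python
import csv
import io

# Constructed sample of a user export; the column names are hypothetical.
SAMPLE_EXPORT = """email,seat,super_admin,two_factor,edits_last_90d
ana@example.com,core,yes,yes,412
ben@example.com,sales,yes,no,97
cho@example.com,core,yes,yes,0
dee@example.com,core,no,yes,0
eli@example.com,view-only,no,no,0
"""

MAX_SUPER_ADMINS = 2  # the guide's "Power of Two" recommendation
PAID_SEATS = {"core", "sales", "service"}


def review_users(export_text, max_super_admins=MAX_SUPER_ADMINS):
    """Return the review findings for one user export."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    admins = [r["email"] for r in rows if r["super_admin"] == "yes"]
    return {
        "super_admins": admins,
        "too_many_super_admins": len(admins) > max_super_admins,
        # Privileged accounts without 2FA are the first thing to fix.
        "super_admins_without_2fa": [
            r["email"] for r in rows
            if r["super_admin"] == "yes" and r["two_factor"] != "yes"
        ],
        "users_without_2fa": [
            r["email"] for r in rows if r["two_factor"] != "yes"
        ],
        # Paid seat, not an admin, no edits in the window:
        # a candidate for a free View-Only seat.
        "view_only_candidates": [
            r["email"] for r in rows
            if r["seat"] in PAID_SEATS
            and r["super_admin"] != "yes"
            and int(r["edits_last_90d"]) == 0
        ],
    }


if __name__ == "__main__":
    for key, value in review_users(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```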
4. Scaling with Audit Logs (The Paper Trail)
If a workflow suddenly stops working, you need to know why. The Audit Log shows exactly who changed what and when.
Definition: Audit Log
A chronological record of all major changes made in the portal, including user logins, permission updates, and record deletions.
Real-World Example
A critical automated email stops sending. You check the Audit Log and see that a new hire accidentally toggled the workflow to "Inactive" at 2:00 PM yesterday. You can see exactly who did it, fix the mistake, and use it as a quick training moment.
5. Security in the Ecosystem: API & App Permissions
Your HubSpot is likely connected to things like Slack, Zoom, or Gmail. Managing these "non-human" users is just as important as your staff.
Definition: Scoped Permissions (Private Apps)
Limiting an API or app integration so it can only access specific parts of your data (e.g., "Read Contacts") rather than the whole portal.
Real-World Example
You build a custom app to sync shipping numbers from your warehouse. Instead of giving that app access to your whole CRM, you create a Private App with a scope limited only to "Deals: Write." If that app is ever compromised, your customer names and email addresses stay safe.
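The scoped-permissions idea above can be checked across every integration at once. This added example (not HubSpot code) compares the scopes each Private App was granted with the scopes it actually needs; the app names, the inventory and the "needed" sets are constructed, and the scope strings use HubSpot's `crm.objects.<object>.<read|write>` naming.

```python
# Constructed inventory of private apps. App names and "needed" sets are
# hypothetical and would come from your own integration register.
APPS = [
    {"name": "warehouse-shipping-sync",
     "granted": {"crm.objects.deals.write"},
     "needed": {"crm.objects.deals.write"}},
    {"name": "legacy-reporting-export",
     "granted": {"crm.objects.deals.read", "crm.objects.contacts.read",
                 "crm.objects.contacts.write", "crm.objects.companies.read"},
     "needed": {"crm.objects.deals.read"}},
]

# Objects that hold customer names and email addresses.
PII_OBJECTS = {"contacts"}


def parse_scope(scope):
    """Split 'crm.objects.deals.write' into ('deals', 'write').

    Returns None for any scope that does not follow that pattern.
    """
    parts = scope.split(".")
    if (len(parts) == 4 and parts[:2] == ["crm", "objects"]
            and parts[3] in ("read", "write")):
        return parts[2], parts[3]
    return None


def audit_app(app):
    """Compare granted scopes with the documented need for one app."""
    granted, needed = app["granted"], app["needed"]
    excess = sorted(granted - needed)    # granted but not justified
    missing = sorted(needed - granted)   # documented but not granted
    # Scopes that reach customer PII if the app's token leaks.
    pii_access = sorted(s for s in granted
                        if (p := parse_scope(s)) and p[0] in PII_OBJECTS)
    # Scopes this script cannot classify go to a human for review.
    unknown = sorted(s for s in granted if parse_scope(s) is None)
    return {"name": app["name"], "excess": excess, "missing": missing,
            "pii_access": pii_access, "unknown": unknown,
            "needs_review": bool(excess or unknown)}


if __name__ == "__main__":
    for app in APPS:
        print(audit_app(app))
```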
Frequently Asked Questions (FAQ)
Q: Can a user have both a Sales Seat and a Service Seat?
A: Yes. If their role involves closing deals and managing tickets, you can assign both. They still only need one "Core" identity.
Q: Does HubSpot charge for View-Only seats?
A: No. View-Only seats are free and unlimited in Pro and Enterprise tiers.
Q: How often should I audit my permissions?
A: Quarterly is the gold standard. The HubSpot Security Center will actually send you a reminder if your score drops.



