How do I add new users in HubSpot and Salesforce?
Setting up users, roles, and permissions across both platforms.
For companies running both HubSpot and Salesforce, user governance is a very important component in your control system.
Roles, permissions, and visibility rules determine whether your CRM becomes a trusted operating platform or a liability.
If you’re managing a larger HubSpot–Salesforce environment with multiple teams and multiple territories, RevBlack can help you implement the governance framework required to keep both systems stable and aligned. Learn more about our services.
Why you can’t skip user governance
The technical mechanics of your CRM, like the licenses, profiles, roles, and permission sets, determine:
- Which data is visible at each level of the hierarchy
- Which functions a user can perform without escalation
- How reporting, automation, and compliance controls hold together
Misalignment between HubSpot and Salesforce permissions often results in fragmented records, shadow workflows, or inconsistent adoption across departments.
A HubSpot user management framework
HubSpot’s controls are designed to be modular but must be applied with intent:
- Seats
Seats define the scope of functionality. Current options include Core, Sales Hub, Service Hub, View-Only, and Partner. Assignment should be mapped against functional responsibility rather than job title. - Permission Sets
Once a Seat is assigned, Permission Sets configure granular access. Use them to standardize access across functions (e.g., Content Marketer, Sales Manager) and reduce the need for ad hoc adjustments. - Teams
Teams provide structural hierarchy. Nested teams define record visibility and reporting roll-ups. They can also be embedded into workflow logic for routing and assignment.
A Salesforce user management framework
Salesforce provides a more layered control model, requiring tighter design:
- Licenses
Licenses dictate baseline access to features. Standard licenses (Salesforce, Knowledge Only, Integration User, Identity, and External Identity) should be mapped carefully to functional needs. - Roles
Roles define record visibility through a hierarchy. Territory models and manager-subordinate visibility are implemented at this level. - Profiles
Profiles establish default object and field-level permissions. They are a baseline, not a flexible tool. Most scaling companies should create custom Profiles to avoid over-permissioning. - Permission Sets
Permission Sets extend capabilities beyond the Profile baseline. They are additive only. Use them to grant temporary or specialized access without proliferating new Profiles.
Coordinating permissions in the HubSpot–Salesforce integration
Running both platforms often leaves you with two governance structures that rarely map one-to-one.
You need deliberate alignment.
Marketing users
- HubSpot: Core Seat with marketing-specific Permission Sets; grouped into one or more Teams depending on org complexity.
- Salesforce: Salesforce License with the Marketing User Profile or a custom equivalent. Supplement with Permission Sets for campaign management or advanced reporting.
Sales users
- HubSpot: At minimum, View-Only Seat for access to embedded HubSpot data within Salesforce. Assign Teams aligned with Salesforce territory or lead assignment logic.
- Salesforce: Full Salesforce License. Role alignment mirrors the organizational sales structure. Profiles provide baseline capabilities; Permission Sets layer in additional needs (e.g., API access, system configuration).
Principles of deliberate alignment
Map responsibilities before permissions
Start by documenting what each function does in each system. For example, marketing may build campaigns in HubSpot but only report on them in Salesforce.
Sales may prospect and close in Salesforce but need HubSpot visibility to track marketing attribution.
Define system of record by object
One of the most overlooked steps is deciding which system “owns” each type of record.
- Leads and Campaigns → Salesforce usually owns the record, HubSpot passes activity data.
- Emails, workflows, and content → HubSpot owns, Salesforce consumes the results.
- Lifecycle fields (Lead Status, MQL flag, etc.) → pick one source of truth and enforce write access only in that system.
These decisions are easier if you understand how the two platforms structure data differently. For a deeper dive, read our guide on data model differences between HubSpot and Salesforce.
Use permission sets to mirror integration rules
In Salesforce, create Permission Sets that match integration-specific needs (e.g., the “HubSpot Campaign Sync” set granting Campaign object access).
In HubSpot, build custom Permission Sets that align with Salesforce object visibility (e.g., restricting non-sales staff from editing Deal properties if Salesforce is the system of record).
Restrict dual-editing at the source
Never allow both platforms to write to the same field unless conflict rules are explicitly documented. Example: Lead Owner should be editable in Salesforce only. HubSpot users get view-only access to avoid overwrites.
Leverage teams and roles for parallel hierarchies
In HubSpot, Teams can mirror Salesforce territory assignments (e.g., NA East vs. NA West). This ensures workflow routing respects Salesforce’s lead assignment rules.
In Salesforce, Roles should mirror reporting lines (Rep → Manager → Director). Marketing users often sit lower in the hierarchy to restrict cross-territory visibility.
Control API & Integration Users Separately
Don’t assign marketing or sales users broad API permissions.
Instead, create a dedicated Salesforce “Integration User” Profile with the exact object/field permissions needed for HubSpot sync.
This prevents human error from breaking sync rules.
Audit User Activity Quarterly
Alignment drifts fast as teams scale. Run quarterly audits of:
- HubSpot user logs (e.g., who created workflows, who changed lifecycle properties).
- Salesforce login and field history reports.
Cross-check whether users are operating in their intended system or bypassing rules (e.g., marketing editing Opportunities in Salesforce).
Example: Aligning a Marketing Manager Role
For a Marketing Manager, you might set them up with a Core Seat in HubSpot and a permission set that allows full use of workflows, content tools, and reporting but limits deal access.
On the Salesforce side, consider assigning the Marketing User Profile with an added permission set for Campaign access and read-only visibility into Opportunities, placing them under the Marketing Ops Manager in the role hierarchy.
This way, the manager can build and run campaigns in HubSpot and track ROI in Salesforce but won’t have the ability to change Opportunity pipeline records.
Continual integration governance
Continual integration governance goes beyond just setting up users.
To keep the HubSpot–Salesforce connection stable, you’ll need a framework that’s both technical and ongoing:
- Field-level sync rules
Decide which system owns each field before turning the sync on.
For example, make Salesforce the system of record for “Lead Owner” and restrict HubSpot to read-only. Document overwrite rules (who wins if two updates happen at once) and set clear criteria for handling duplicates.
For more detail on handling duplicates across CRMs, see our guide on CRM data quality and duplication.
- Regular audits
Build a cadence (monthly or quarterly) for checking user activity and data quality.
In HubSpot, review who’s creating workflows or changing lifecycle properties. In Salesforce, run login and field history reports to catch permission creep or unexpected edits.
- Compliance controls
Tie user permissions to legal and operational requirements.
Restrict access to fields containing personal data to roles that need it, apply role-based visibility for sensitive territories, and make sure consent management (email opt-ins, GDPR flags) syncs cleanly across both systems.
For a full breakdown of available permissions and how they’re applied, see HubSpot’s user permissions guide.
Finally, if your HubSpot–Salesforce setup feels too complex or fragile, book an audit with us; together we can identify the risks and tighten your controls before they negatively impact your revenue.
