HubSpot Role Based Access Control

HubSpot introduced roles & permissions about 4 years ago. In doing so, they enabled their customers to provide role based access control to application functionality.

What they do well:


They’ve done a nice job of clearly documenting the permissions assigned to each role.

Integration with user invitation flow

As an account admin you select the role of the user as step 2 of the invite flow:

enter image description here

Sane defaults

Account permissions that would potentially give the user full access are separated from the standard roles and are defaulted to non-admin status (reducing the likelihood of just moving ahead with defaults and making many admins).

enter image description here

Role names & more info

Standard account roles (ie “Marketing”) have been given fairly descriptive names & the link to the full documentation provided for more details.

enter image description here


Within roles there are sub-permissions for various types of application actions. Ultimately they’ve selected 3 different permission types for each. Write & Publish, Write Only, Read Only.

enter image description here

Integrated into the user list

The user list clearly illustrates the role of each user at a glance. The list can be filtered by role types. Admins can easily edit permissions of users anytime.

enter image description here

Overall - Simplicity

They’ve accomplished a fairly complex task of defining roles/permissions and made it a native and intuitive process.

Where they’ve missed the mark.

Lack of flexibility & control

The simplicity of predefined roles makes it incredibly easy to get started, but it also lacks the power and flexibility of a system that allows admins to create custom roles. In fact, this is the most popular “Help & Settings” request from their customers.

Permission enforcement messaging

There are also issues with the implementation of how permissions are enforced. Users without the permission to add users can still visit the page (however they see a users list).

enter image description here

They can even begin the flow to add users, but since they can’t select roles they can’t make it further.

enter image description here

Similar issues come up when trying to access a section for creating a blog post. Except this time, the user can take the action but then gets an error message.

enter image description here

At no point are any of these users shown messaging that would indicate that they don’t have the required permissions to accomplish the task they’re attempting. Alerts with this message are lacking and will likely end up with confused users.

This was published on Nov. 22, 2016.

Content Contributors

Is a feature of your app EnterpriseReady?

We'd love to work with you to breakdown your implementation and share it with the EnterpriseReady community.

Request a breakdown

Subscribe for the latest EnterpriseReady tips.