Hi all 🙂
Our IT department manages all our user accounts within the company tools via ADFS. Currently we don't have HubSpot connected for SSO to our ADFS environment (this requires the enterprise edition and for us that's too big a step). Still, our IT department is the perfect team to manage all users and their rights within HubSpot. They can restrict or manage access (for example when employees leave the company or switch roles within the company).
So I was looking for a way to add them as users within HubSpot in order to have them manage users, teams, rights and roles in the future. However, HubSpot currently allows users to only assign the rights they own themselves to another user. As a result this requires an IT user to have all rights (or even be a super admin), which from a security perspective is not desirable. It results in multiple super-users (or even super-admins) capable of (potentially) messing with the entire system.
NOTE: I noticed that assigning rights for specific features is often not only assigned to IT but also to a specific user within the business, as IT does not always have the in-depth knowledge to oversee the consequences or desirability of assigning a specific set of rights to a certain user. I consider the 'head of marketing' the owner of the CRM/Inbound process and as such the super admin of our HubSpot environment. Assigning IT to manage accounts in this situation functions as a fail-safe and backup to the super-admin and is also the structured place where accounts are set up when new employees enter the company or colleagues leave the company, etc. However, having multiple super-admin accounts results in a bigger security risk.
In order to minimize that security risk within a single HubSpot account in our environment, as a super admin I would like to be able to split the functional rights from the capability to create, manage, invite and (de-)activate users, group them into teams, configure roles and assign rights or roles to users or teams. The ideal scenario here is that an IT user can be configured with no functional rights assigned other than the rights to manage users (etc.).
Does that make sense? I look forward to hearing more ideas about this (or suggestions on how to make it work).