Summary and recommendation
Freshsales user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Freshsales user management is handled entirely through Admin Settings → Users & Permissions → Users. Only Administrators can invite, deactivate, or reassign users - there is no sub-admin or delegated provisioning tier. Every app in your stack that relies on CRM data accuracy depends on this access being current, making timely offboarding especially consequential.
Quick facts
| Admin console path | Admin Settings → Users & Permissions → Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full access to all settings, modules, users, roles, billing, and data. Can invite/deactivate users, configure roles, manage integrations, and access all records. | All plans (including Free) | Counts as a paid seat on Growth and above; free on Free plan up to 3 users | Only Administrators can access Admin Settings; there is no separate super-admin tier distinct from Administrator within Freshsales itself. | |
| Sales Manager (default role) | Can view and manage all records within their team or territory. Can run reports. Cannot access billing or user management settings. | Cannot invite or deactivate users; cannot modify roles or system settings. | Growth and above | Standard paid seat | Default role; permissions can be customized on Pro and Enterprise plans. |
| Sales Representative (default role) | Can create, view, and edit records assigned to them or shared with them. Limited report access. | Cannot view other users' private records; cannot access admin settings or reports beyond their own data. | All plans (including Free) | Standard paid seat on Growth and above; free on Free plan up to 3 users total | Record visibility is controlled by territory and team settings, not just role alone. |
| Custom Role | Admin-defined permissions across modules (contacts, deals, accounts, reports, etc.) with field-level and module-level toggles. | Cannot exceed Administrator-level permissions. | Pro and Enterprise | Standard paid seat | Custom roles are not available on Free or Growth plans; teams on Growth are limited to the default role set. |
Permission model
- Model type: role-based
- Description: Freshsales uses a role-based access control (RBAC) model. Each user is assigned one role. Default roles (Administrator, Sales Manager, Sales Representative) are available on all plans. Custom roles with granular module- and field-level permissions are available on Pro and Enterprise plans. Territory and team settings further restrict record visibility independent of role.
- Custom roles: Yes
- Custom roles plan: Pro
- Granularity: Module-level (contacts, deals, accounts, activities, reports) and field-level visibility/edit controls within custom roles. Record-level visibility further governed by territory and team assignments.
How to add users
- Log in as Administrator.
- Navigate to Admin Settings (gear icon, top-right).
- Select 'Users & Permissions' → 'Users'.
- Click 'Invite User'.
- Enter the user's email address.
- Select a Role from the dropdown.
- Optionally assign to a Team and/or Territory.
- Click 'Send Invite'.
- User receives an email invitation and must accept to activate their account.
Required fields: Email address, Role
Watch out for:
- Invited users consume a seat immediately upon invitation on paid plans, not only after acceptance - verify with current billing terms as this may vary.
- The invitee's email domain does not need to match the account domain; any email address can be invited.
- Users who have not accepted their invitation still appear as 'Pending' and may occupy a seat.
- Free plan is limited to 3 users total; inviting a 4th user requires upgrading.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Verify in tenant
- Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.
- Log in as Administrator.
- Navigate to Admin Settings → 'Users & Permissions' → 'Users'.
- Locate the user to deactivate.
- Click the options menu (three dots or similar) next to the user.
- Select 'Deactivate'.
- Confirm the action in the dialog prompt.
- The user's status changes to 'Inactive' and they can no longer log in.
| Data impact | Behavior |
|---|---|
| Owned records | Records (contacts, deals, accounts, activities) owned by the deactivated user are retained and remain assigned to that user. Administrators should manually reassign records to active users before or after deactivation. |
| Shared content | Shared reports, sequences, and email templates created by the deactivated user remain in the system and are accessible to Administrators. |
| Integrations | Any personal integrations or OAuth connections tied to the deactivated user (e.g., personal email sync) are disconnected upon deactivation. |
| License freed | The seat is freed upon deactivation and is available for reassignment or reduces the billable seat count at the next billing cycle. |
Watch out for:
- Owned records are not automatically reassigned on deactivation; unassigned or stale ownership can cause records to fall out of active team views.
- Deactivated users still appear in historical activity logs and audit trails.
- If the deactivated user was the only Administrator, another user must be promoted to Administrator before deactivation to avoid losing admin access.
- Reactivating a previously deactivated user will consume a seat again.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Free | Up to 3 users, limited modules (contacts, accounts, deals, built-in phone, email). No custom roles, limited automations. | $0/month |
| Growth | Unlimited users (paid per seat), AI contact scoring, sales sequences, custom fields, basic reporting. | $11–$18/user/month (billed annually; higher rate monthly) |
| Pro | Everything in Growth plus custom roles, territory management, advanced reporting, multiple sales pipelines, time-based workflows. | $47–$59/user/month (billed annually) |
| Enterprise | Everything in Pro plus SCIM provisioning, SAML SSO, dedicated account manager, custom modules, IP whitelisting, audit logs. | $71–$99/user/month (billed annually) |
- Where to check usage: Admin Settings → Users & Permissions → Users (shows active user count and status); billing seat count visible under Admin Settings → Billing → Subscription
- How to identify unused seats: Filter the Users list by 'Last Active' date to identify users who have not logged in recently. Freshsales does not provide a native 'inactive user' report; admins must manually review last-login timestamps in the user list.
- Billing notes: Seats are billed per active (non-deactivated) user. Deactivating a user frees the seat. Annual plans are invoiced upfront; adding users mid-cycle is prorated. Monthly billing is available at higher per-seat rates. The Free plan supports up to 3 seats at no cost.
The cost of manual management
Every user must be invited individually; there is no bulk CSV import. On paid plans, a seat is consumed at invitation, not at acceptance - pending users may occupy billable seats before they ever log in.
Identifying stale accounts requires manually scanning last-login timestamps in the Users list, since Freshsales provides no native inactive-user report or automated alert. Custom roles - which control module- and field-level permissions - are unavailable on Free and Growth plans, limiting access granularity for teams that have not upgraded to Pro or Enterprise.
What IT admins are saying
Recurring friction reported by Freshsales admins centers on three areas. First, deactivated users' owned records - contacts, deals, activities - are not automatically reassigned, leaving orphaned data in team pipelines after every offboard.
Second, admins on Growth plans consistently flag the Pro-plan paywall for custom roles as a blocker for meaningful permission segmentation.
Third, SCIM-based lifecycle automation (via Okta, Azure AD, or OneLogin) is locked to Enterprise, so every app that could benefit from automated provisioning is out of reach on lower tiers.
Common complaints:
- Users report that there is no bulk user import via CSV; each user must be invited individually, which is time-consuming for large teams.
- Admins note that deactivated users' records are not automatically reassigned, requiring manual cleanup after offboarding.
- Community members report confusion that pending (uninvited but not yet accepted) users may still count against seat limits.
- Users on Growth plan express frustration that custom roles require upgrading to Pro, limiting permission granularity on lower-tier plans.
- Some admins report difficulty identifying inactive users because there is no built-in 'last login' report or automated inactive-user alert.
- Users note that SCIM provisioning (for automated onboarding/offboarding via Okta, Azure AD, or OneLogin) is locked to the Enterprise plan, making automated lifecycle management unavailable on lower tiers.
The decision
Manual management is viable for small, stable teams on Growth or Pro where headcount changes are infrequent. The process becomes operationally expensive as team size grows: one-by-one invites, manual last-login audits, and post-offboard record reassignment all scale poorly.
Teams on Enterprise with an existing IdP (Okta, Azure AD, or OneLogin) should evaluate SCIM provisioning to eliminate the manual invite and deactivation loop. Before committing to Enterprise for SCIM alone, confirm that SAML SSO is already configured - SCIM cannot be enabled without it.
Bottom line
Freshsales manual user management is straightforward for small teams but accumulates real operational overhead at scale: no bulk import, no inactive-user alerts, no automatic record reassignment on deactivation, and permission granularity gated behind plan upgrades.
Every app that touches your CRM data is only as clean as your user roster - teams that offboard frequently or manage large headcounts should treat the Enterprise SCIM integration as a prerequisite, not an upgrade, provided SAML SSO is already in place.
Automate Freshsales workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
