Summary and recommendation
Pardot user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Pardot (now Marketing Cloud Account Engagement) is a Salesforce-native B2B marketing automation platform. Unlike every app that manages users independently, Pardot user management is fully coupled to Salesforce: since the mandatory Salesforce User Sync rollout in 2021, every Pardot user must have a corresponding active Salesforce user record.
There is no standalone Pardot-only user creation path for modern orgs.
Five built-in roles cover the full access spectrum: Administrator, Marketing, Sales, Sales Manager, and a CRM-enabled Marketing variant. Custom roles with granular per-feature toggles are available only on Advanced ($4,000/mo) and Premium ($15,000/mo) plans. Growth and Plus customers are limited to the five built-in roles regardless of team structure.
Quick facts
| Admin console path | Pardot Account Engagement app → Account Engagement Settings → User Management → Users (or via Salesforce Setup → Marketing Setup → Account Engagement) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Growth ($1,250/mo) to Premium ($15,000/mo) |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full access to all Pardot features: user management, account settings, connectors, all marketing assets, reporting, and billing information. | Cannot exceed the number of licensed user seats; cannot delete users (only deactivate). | All plans (Growth, Plus, Advanced, Premium) | Counts against licensed user seats; pricing is per-org not per-user seat for most plans | Pardot Administrator role is separate from Salesforce System Administrator. A Salesforce admin is not automatically a Pardot admin. |
| Marketing | Create, edit, and send emails; manage lists, forms, landing pages, automation rules, and campaigns. Can view reports. | Cannot manage users, account settings, or connectors. Cannot access billing. | All plans | Counts against licensed user seats | Default role for most marketing team members. Cannot modify account-level settings. |
| Sales | View prospect activity, send individual emails (1:1), and manage their own prospect assignments. Read-only access to most marketing assets. | Cannot create or edit marketing assets, automation rules, or lists. Cannot access account settings. | All plans | Counts against licensed user seats | Intended for sales reps who need prospect visibility. Very limited write access. |
| Sales Manager | All Sales role permissions plus ability to view all prospects (not just assigned ones) and access team-level reporting. | Cannot create or edit marketing assets or account settings. | All plans | Counts against licensed user seats | Visibility scope is broader than Sales but still read-heavy for marketing functions. |
| Marketing (with CRM access) | Marketing role permissions plus ability to sync and view Salesforce CRM data within Pardot. | Cannot manage users or account settings. | All plans (requires Salesforce CRM connector to be active) | Counts against licensed user seats | Requires the Salesforce-Pardot connector to be configured; user must also have a corresponding Salesforce user record. |
| Custom Role | Granular permissions configured by an Administrator; can combine or restrict any subset of standard role permissions. | Cannot grant permissions beyond what the Administrator role itself holds. | Advanced ($4,000/mo) and Premium ($15,000/mo) only | Counts against licensed user seats | Custom roles are only available on Advanced and Premium plans. Growth and Plus customers are limited to the five built-in roles. |
Permission model
- Model type: hybrid
- Description: Pardot uses five built-in role-based roles (Administrator, Marketing, Sales, Sales Manager, and a CRM-enabled Marketing variant) for all plans. Advanced and Premium plans additionally support custom roles with granular permission toggles. Since the Salesforce User Sync migration, Pardot users must have a corresponding active Salesforce user record; Salesforce profiles and permission sets control Salesforce-side access, while Pardot roles control Pardot-side access.
- Custom roles: Yes
- Custom roles plan: Advanced ($4,000/mo) and Premium ($15,000/mo)
- Granularity: Role-level for Growth/Plus; per-feature permission toggles within custom roles for Advanced/Premium. Permissions cover areas such as prospect management, email sending, list management, reporting, automation, and account settings.
How to add users
- Ensure the person has an active Salesforce user record in the connected Salesforce org (required since Salesforce User Sync).
- In Salesforce Setup, assign the user a Salesforce profile that includes the 'Account Engagement' (Pardot) permission set or equivalent access.
- Navigate to the Pardot/Account Engagement app → Account Engagement Settings → User Management → Users.
- Click 'Add User' (or 'Invite User' in some UI versions).
- Enter the user's email address (must match their Salesforce user email), first name, last name, and select a Pardot role.
- If using Salesforce User Sync (default for all orgs post-2021), the user is created via the Salesforce side and synced automatically; manual Pardot-only user creation is deprecated.
- Save. The user receives an email invitation to activate their Pardot account if they have not previously logged in.
Required fields: Email address (must match Salesforce user email), First name, Last name, Pardot user role, Active Salesforce user record in the connected org
Watch out for:
- Since Salesforce User Sync became mandatory, users cannot be created in Pardot without a corresponding Salesforce user. Attempting to add a non-Salesforce email will fail.
- If the Salesforce user's email does not exactly match the Pardot invitation email, sync errors occur.
- Users added in Salesforce do not automatically appear in Pardot; an Administrator must assign them a Pardot role or the Salesforce profile must include the correct Account Engagement permission set.
- Pardot enforces a licensed user seat limit. Adding users beyond the contracted seat count requires a license upgrade.
- SSO users (via Salesforce identity) cannot set a separate Pardot password; authentication is handled entirely through Salesforce login.
- Business units (available on Advanced/Premium) require separate user role assignments per business unit.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Provisioning is handled via Salesforce's SCIM/SSO layer. Salesforce supports SCIM 2.0 for user provisioning from Okta, Microsoft Entra ID, and OneLogin. Pardot users are then synced from Salesforce. No separate Pardot-specific SCIM endpoint exists. |
How to remove or deactivate users
- Can delete users: Verify in tenant
- Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.
- Navigate to Account Engagement Settings → User Management → Users.
- Locate the user to deactivate using search or the user list.
- Click the user's name to open their profile.
- Click 'Edit' and uncheck the 'Active' checkbox (or click 'Deactivate User' if that button is present in your UI version).
- Save the changes. The user is immediately prevented from logging in.
- Optionally, in Salesforce Setup, also deactivate the corresponding Salesforce user to prevent any Salesforce-side access and ensure the Pardot sync reflects the deactivation.
| Data impact | Behavior |
|---|---|
| Owned records | Prospects, lists, and assets previously owned or created by the deactivated user remain in Pardot and retain the deactivated user as the record owner. Administrators can reassign ownership manually. |
| Shared content | Emails, landing pages, forms, and automation rules created by the deactivated user remain active and functional unless manually archived or deleted by an Administrator. |
| Integrations | If the deactivated user was the Salesforce connector user or had API-only access, connector sync may break. Administrators should reassign the connector user before deactivating. |
| License freed | Deactivating a Pardot user frees up a licensed seat, making it available for a new user. The seat count is based on active users. |
Watch out for:
- Deactivating the Pardot user without also deactivating the Salesforce user may cause the Salesforce User Sync to re-activate the Pardot user on the next sync cycle.
- If the deactivated user was the sole Administrator, another user must be promoted to Administrator before deactivation to avoid losing admin access.
- Prospect ownership is not automatically reassigned on deactivation; orphaned records require manual bulk reassignment.
- If the user was the designated connector user for the Salesforce-Pardot sync, the connector will error until a new connector user is assigned.
- Deactivated users still appear in historical audit logs and activity records, which is by design for compliance.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Pardot/Account Engagement User Seat | Access to the Pardot/Account Engagement platform with an assigned role (Administrator, Marketing, Sales, Sales Manager, or Custom). All active users consume one seat regardless of role. | Included within the per-org plan price (Growth $1,250/mo, Plus $2,500/mo, Advanced $4,000/mo, Premium $15,000/mo). Seat limits vary by plan; additional seats may require plan upgrade or add-on purchase. |
- Where to check usage: Account Engagement Settings → User Management → Users - the user list shows all active and inactive users. Active user count can be compared against contracted seat limit visible in Account Engagement Settings → Account Settings → Subscription.
- How to identify unused seats: Filter the Users list by 'Last Login' date. Users who have never logged in or have not logged in within a defined period (e.g., 90 days) can be identified for deactivation. No built-in automated idle-user report exists; this requires manual review of the user list.
- Billing notes: Pardot is priced per organization (not per user seat in the traditional SaaS sense), but each plan tier includes a maximum number of active users. Exceeding the user limit requires upgrading to a higher plan tier or purchasing additional user licenses as an add-on through Salesforce Account Executive. Pricing is annual contract. No self-serve seat purchasing is available.
The cost of manual management
Adding or removing a user requires action in both Salesforce Setup and the Pardot interface - skipping either step causes sync errors or unintended re-activation. There is no bulk CSV import for users; each person must be provisioned individually through the UI or via an IdP.
Deactivation carries its own risk: removing a user as the sole Pardot Administrator locks the account, and prospect ownership is not automatically reassigned. Orphaned records require a separate manual bulk-reassignment step with no native workflow to assist.
For teams onboarding multiple users at once, the two-system requirement means repeated context-switching between Salesforce admin screens and Pardot settings, compounding the time cost of every change.
What IT admins are saying
The most frequently reported pain point is the Salesforce User Sync re-activation loop: deactivating a user in Pardot without also deactivating them in Salesforce causes the next sync cycle to silently restore their access. Administrators report discovering this only after an offboarding audit.
Role confusion between Salesforce Administrator and Pardot Administrator is a recurring onboarding issue. A Salesforce System Admin is not automatically a Pardot admin - the distinction is non-obvious and frequently causes access gaps for new team members.
Plus-tier customers consistently flag the custom roles paywall. Teams that need more granular access control than the five built-in roles allow must either upgrade to Advanced or accept over-permissioned users.
Common complaints:
- Users report that deactivating a Pardot user without simultaneously deactivating the Salesforce user causes the Pardot user to be re-activated on the next Salesforce User Sync, creating a frustrating loop.
- Administrators note that there is no bulk user import via CSV; each user must be added individually through the UI or provisioned via Salesforce/IDP, which is time-consuming for large teams.
- The mandatory Salesforce User Sync (post-2021) is frequently cited as confusing for organizations that previously managed Pardot users independently, as it requires Salesforce admin involvement for every Pardot user addition.
- Custom roles being locked behind Advanced/Premium plans is a common complaint from Plus-tier customers who need more granular access control than the five built-in roles provide.
- Prospect ownership reassignment after user deactivation is manual and lacks a bulk-reassign workflow within the standard UI, requiring workarounds or API use.
- Users report confusion about the distinction between Salesforce Administrator and Pardot Administrator roles, leading to access issues when onboarding new team members.
- The lack of a true user deletion option means deactivated user records accumulate over time, cluttering the user list.
The decision
Every app that requires coordinated action across two admin systems raises the operational bar, and Pardot is no exception. Every user change requires Salesforce admin involvement - organizations without a dedicated Salesforce admin will feel this friction acutely on every onboarding and offboarding cycle.
Custom roles are a meaningful capability gap for Growth and Plus customers. If your team needs role granularity beyond the five defaults, budget for Advanced or accept the limitation before committing to a lower tier.
For organizations running frequent onboarding or offboarding cycles, the absence of bulk provisioning and automated prospect reassignment creates compounding manual work. Automation via the Pardot API or an IdP-driven Salesforce SCIM flow is the practical path to reducing that burden.
Bottom line
Pardot user management is functional but tightly coupled to Salesforce in ways that create real operational overhead.
Every user addition or removal touches two systems, there is no bulk import path, and deactivation requires coordinated action across both platforms to avoid re-activation on the next sync.
Teams on Growth or Plus plans face an additional constraint: custom roles are locked behind Advanced and Premium tiers, leaving limited options for access control granularity. For small, stable teams with a dedicated Salesforce admin, the manual workflow is workable.
For organizations with frequent headcount changes or complex role requirements, the manual process does not scale without automation.
Automate Pardot workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
