cPanel Team / Sub-Accounts for Delegated Access

You need to give a contractor access to your hosting for a specific task — uploading files, managing email, running a database migration. The wrong approach: hand over your main cPanel password. The right approach: cPanel’s Manage Team feature lets you create sub-users with limited permissions, optional expiration dates, and full audit trail. This guide walks through creating team users, picking the right permissions, and the practical use cases.

Why never share your main credentials

• If contractor’s machine is compromised, attacker gets your hosting.
• Disputes or staff turnover require changing your password — disruptive.
• No audit trail — you can’t see who did what.
• Contractor can change your password, your email, lock you out.

Team users solve all four — limited permissions, easy revocation, separate audit, can’t change account-wide settings.

Where to find Manage Team

cPanel → User Management section → Manage Team.

If you don’t see this option, your plan or server version may not support it. Older cPanel versions or some restricted plans lack this feature. Open a ticket if you need it enabled.

Creating a team user

1. Manage Team → Create Team User.
2. Username — pick something descriptive (e.g. contractor, developer).
3. Email — their actual email, where they’ll receive credentials and notifications.
4. Contact Email — separate from above if you want notifications going elsewhere.
5. Password — strong unique password. Or generate one — they can change it on first login.
6. Expiration date (optional) — auto-disable after specified date. Use for project-based contractors.
7. Description — note about what this user is for.
8. Roles — granular permissions (see below).
9. Save.

User gets credentials email. They log in at the same cPanel URL with username teamusername@cpanel-username (or similar — depends on cPanel version).

Permission roles

Manage Team uses role-based access. Common roles:

• Administrator — Almost everything except creating other team users / changing payment info. Closest to root for that account.
• Database — phpMyAdmin, MySQL Databases, MySQL Users.
• Email — Email Accounts, Forwarders, Filters, Webmail.
• Web — File Manager, FTP, domains, subdomains, SSL.

Pick only the roles needed. Web developer? Web role. Database administrator? Database. Email manager? Email role.

Default to minimum permissions. Easier to grant more later than to recover from a careless action by someone with too much access.

Common use cases

Web developer (short-term)

• Role: Web.
• Expiration: project end date.
• Can: upload files, manage subdomains, work with SSL.
• Can’t: read email, change billing, create other users.

Database consultant

• Role: Database.
• Expiration: 30 days.
• Can: access phpMyAdmin, run queries, export data.
• Can’t: change site files.

Email administrator (staff)

• Role: Email.
• Expiration: none (or annual review).
• Can: manage mailboxes, forwarders, filters.
• Can’t: anything else.

Backup operator

• Role: Web (to access File Manager and JetBackup).
• Expiration: rolling.
• Can: trigger backups, download archives.

Managing existing team users

• Edit — Change roles, contact info, password, expiration.
• Suspend — Temporary disable without deleting (for staff on leave, suspicious activity investigation).
• Delete — Permanent removal. Their access stops immediately.
• Reset Password — Force a password change.

Review team users quarterly. Remove anyone no longer needed.

Limits and constraints

• User count — cPanel typically allows up to 7-9 team users per account, varying by version.
• Permission boundaries — Team users can never:
  • Create or manage other team users.
  • Change the main cPanel account password.
  • Access billing / WHM (only the main account holder does).
  • Cancel the hosting.
• Logging — Most actions logged with the team username, not the parent account.

Alternatives to Manage Team

FTP-only access

For “just file uploads”, a dedicated FTP account is simpler and more granular (limited to a specific folder). cPanel → FTP Accounts → Create. FTP guide.

Database-only user

For “database access only”, create a dedicated MySQL user with permissions on just one database. cPanel → MySQL Databases. Limits damage from compromise.

WordPress role

For “content management only”, create a WordPress Editor or Author role user, not a cPanel user at all. They can edit content without touching server-level things.

Use Manage Team specifically when someone needs cPanel UI access beyond what’s possible via FTP/database/CMS-only paths.

Common questions

“Can a team user see my main account password?” No. They have only their own credentials.

“If I delete a team user, what happens to files they uploaded?” Files stay; they’re owned by the parent account (your cPanel account). Only the user’s access is revoked.

“Can a team user create email accounts under a different domain on my account?” Depends on their roles. Email role lets them manage email across all your domains. If you want isolation, you’d need separate cPanel accounts (which is what resellers do).

“I don’t see Manage Team in my cPanel.” Either cPanel version is older, or the feature isn’t enabled on your plan. Open a ticket; we’ll check.

“Can team users have 2FA?” Yes — and they should. Each team user can enable 2FA on their account independently. Encourage all team users to enable it.

What’s next

• FTP-only access alternative: FTP/SFTP setup.
• SSH key access for developers: SSH keys.
• 2FA on team users: 2FA setup.

Sharing passwords is yesterday’s collaboration model. Team users give scoped access, expirable, auditable. Five minutes setting one up beats hours of password resets and account audits after a contractor relationship ends.