Account Access Controls
Warning
Deprecation Notice
The Marketing Version 202311 (Marketing November 2023) and earlier versions (excluding 202306 and 202307) have been sunset. Additionally, the unversioned APIs will be sunset soon. We recommend that you migrate to the versioned APIs as well as migrate to the new Content and Community Management APIs to avoid disruptions. See the Migration page for more details.
If you haven’t yet migrated and have questions, submit a request on the LinkedIn Developer Support Portal.
The LinkedIn Campaign Management APIs enable business account administrators to assign roles and functions to specific users. This gives admins the flexibility for granting access to campaign and creative data and other associated campaign collateral.
Permissions
You need the following scope permissions along with the one of the listed Ad Account roles:
Scope permissions:
rw_ads
(Read/Write)r_ads
(Read-Only)
Ad Account Roles:
ACCOUNT_BILLING_ADMIN
ACCOUNT_MANAGER
CAMPAIGN_MANAGER
CREATIVE_MANAGER
VIEWER
(Read-Only, even with rw_ads scope)
For more information on the Ad Account roles and permissions:
- Refer to the Ad Account User Role Definitions
- See also: Create and Manage Ad Account Users
Grant User Access
Each user account can be described by the AccountUser
object. For more details please refer to Create and Manage Account Users.
This object consists of the following field types:
Field | Type | Description |
---|---|---|
account | URN | The Ad Account URN to which access is being granted |
user | URN | The user URN that you intend to grant access to |
role | AccountUserRole | The access type that is granted to the user. Valid values include: |
You will note that type URN is expected for both user and account. These URNs map to the person IDs and account IDs that are returned by other APIs. However, in the case of managing users for an ads account, you must format the subject and object as URNs using the IDs of persons and/or ads account. For example, the account ID 777999 would be formatted as urn:li:sponsoredAccount:777999 Similarly, the person ID 12345 is formatted as urn:li:person:12345.
Setting up new account users as well as editing existing account users can be accomplished via a PUT
call against the Ad Account Users API. In either case, the account user resource to be created/edited can be identified by a key composed of a combination of user and account. In this example, we're granting a member read-only access to the ads account. The body of the PUT
request is an adAccountUser
object with VIEWER
for the role field.
Sample Request
Sample Request
Sample Response
{
"account": "urn:li:sponsoredAccount:12345...",
"role": "VIEWER",
"user": "urn:li:person:56789..."
}
Remove User Access
Use the DELETE
method to remove an AdAccountUser
resource.
Ad Account User Role Definitions
The following table describes in detail what each role provides:
Control Name | Description |
---|---|
VIEWER | View campaign data and reports for the account. No ability to create or edit any campaigns or ads |
CREATIVE_MANAGER | View campaign data and reports for the account. Ability to create and edit ads |
CAMPAIGN_MANAGER | View campaign data and reports for the account. Ability to create and edit campaigns and ads |
ACCOUNT_MANAGER | View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account. |
ACCOUNT_BILLING_ADMIN | View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account. Can also access billing data and will be billed for this account. Note: there should be exactly one user with this role in an account. |
Fetch Existing Ad Account Users
When making a GET
call to fetch existing users on an account, the authenticated user can only view themselves unless they are an account manager.
Sample Response
{
"paging": {
"start": 0,
"count": 2147483647,
"links": [],
"total": 1
},
"elements": [
{
"role": "ACCOUNT_BILLING_ADMIN",
"changeAuditStamps": {
"created": {
"time": 1619111821000
},
"lastModified": {
"time": 1619111821000
}
},
"user": "urn:li:person:userId",
"account": "urn:li:sponsoredAccount:123456789"
}
]
}
Fetch a Specific User
Sample Response
{
"role": "CAMPAIGN_MANAGER",
"changeAuditStamps": {
...
"user": "urn:li:person:eEM1Em1em",
"account": "urn:li:sponsoredAccount:123456789"
}
Verify Access to Create a Video Ad
Use this endpoint to verify if the user has permission to create a Video Ad Dark post. You need rw_ads permission to use this resource.
You get a response similar to one of the following with status code = 200
Denied Response Sample
{
"status": {
"com.linkedin.sharingauth.Denied": {}
}
}
Approved Response Sample
{
"status": {
"com.linkedin.sharingauth.Approved": {}
}
}