Account Access Controls

Warning

Deprecation Notice
The Marketing Version 202310 (Marketing October 2023) and earlier versions (excluding 202306 and 202307) have been sunset. Additionally, the unversioned APIs will be sunset soon. We recommend that you migrate to the versioned APIs as well as migrate to the new Content and Community Management APIs to avoid disruptions. See the Migration page for more details. If you haven’t yet migrated and have questions, submit a request on the LinkedIn Developer Support Portal.

The LinkedIn Campaign Management APIs enable business account administrators to assign roles and functions to specific users. This gives admins the flexibility for granting access to campaign and creative data and other associated campaign collateral.

Permissions

You need the following scope permissions along with the one of the listed Ad Account roles:

Scope permissions:

• rw_ads (Read/Write)
• r_ads (Read-Only)

Ad Account Roles:

• ACCOUNT_BILLING_ADMIN
• ACCOUNT_MANAGER
• CAMPAIGN_MANAGER
• CREATIVE_MANAGER
• VIEWER (Read-Only, even with rw_ads scope)

For more information on the Ad Account roles and permissions:

• Refer to the Ad Account User Role Definitions
• See also: Create and Manage Ad Account Users

Grant User Access

Each user account can be described by the AccountUser object. For more details please refer to Create and Manage Account Users.

This object consists of the following field types:

Field	Type	Description
account	URN	The Ad Account URN to which access is being granted
user	URN	The user URN that you intend to grant access to
role	AccountUserRole	The access type that is granted to the user. Valid values include: VIEWER CREATIVE_MANAGER CAMPAIGN_MANAGER ACCOUNT_MANAGER ACCOUNT_BILLING_ADMIN

You will note that type URN is expected for both user and account. These URNs map to the person IDs and account IDs that are returned by other APIs. However, in the case of managing users for an ads account, you must format the subject and object as URNs using the IDs of persons and/or ads account. For example, the account ID 777999 would be formatted as urn:li:sponsoredAccount:777999 Similarly, the person ID 12345 is formatted as urn:li:person:12345.

Setting up new account users as well as editing existing account users can be accomplished via a PUT call against the Ad Account Users API. In either case, the account user resource to be created/edited can be identified by a key composed of a combination of user and account. In this example, we're granting a member read-only access to the ads account. The body of the PUT request is an adAccountUser object with VIEWER for the role field.

Sample Request

http

PUT https://api.linkedin.com/rest/adAccountUsers/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:qZXYVUTSR

curl

curl -X PUT 'https://api.linkedin.com/rest/adAccountUsers/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:qZXYVUTSR' \
-H 'Authorization: Bearer {INSERT_TOKEN}' \
-H 'Content-Type: application/json' \
--data '{
    "account": "urn:li:sponsoredAccount:12345",
    "role": "VIEWER",
    "user": "urn:li:person:56789"
}'

Sample Response

{
    "account": "urn:li:sponsoredAccount:12345...",
    "role": "VIEWER",
    "user": "urn:li:person:56789..."
}

Remove User Access

Use the DELETE method to remove an AdAccountUser resource.

http

DELETE https://api.linkedin.com/rest/adAccountUsers?account=urn:li:sponsoredAccount:12345&user=urn:li:person:56789

curl

curl -X DELETE 'https://api.linkedin.com/rest/adAccountUsers?account=urn:li:sponsoredAccount:12345&user=urn:li:person:56789' \
-H 'Authorization: Bearer {INSERT_TOKEN}'

Ad Account User Role Definitions

The following table describes in detail what each role provides:

Control Name	Description
VIEWER	View campaign data and reports for the account. No ability to create or edit any campaigns or ads
CREATIVE_MANAGER	View campaign data and reports for the account. Ability to create and edit ads
CAMPAIGN_MANAGER	View campaign data and reports for the account. Ability to create and edit campaigns and ads
ACCOUNT_MANAGER	View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account.
ACCOUNT_BILLING_ADMIN	View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account. Can also access billing data and will be billed for this account. Note: there should be exactly one user with this role in an account.

Fetch Existing Ad Account Users

When making a GET call to fetch existing users on an account, the authenticated user can only view themselves unless they are an account manager.

http

GET https://api.linkedin.com/rest/adAccountUsers?accounts=urn:li:sponsoredAccount:123456789&q=accounts

curl

curl -X GET 'https://api.linkedin.com/rest/adAccountUsers?accounts=urn:li:sponsoredAccount:123456789&q=accounts' \
-H 'Authorization: Bearer {INSERT_TOKEN}'

Sample Response

{
    "paging": {
        "start": 0,
        "count": 2147483647,
        "links": [],
        "total": 1
    },
    "elements": [
        {
            "role": "ACCOUNT_BILLING_ADMIN",
            "changeAuditStamps": {
                "created": {
                    "time": 1619111821000
                },
                "lastModified": {
                    "time": 1619111821000
                }
            },
            "user": "urn:li:person:userId",
            "account": "urn:li:sponsoredAccount:123456789"
        }
    ]
}

Fetch a Specific User

http

GET https://api.linkedin.com/rest/adAccountUsers/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:eEM1Em1em

curl

curl -X GET 'https://api.linkedin.com/rest/adAccountUsers/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:eEM1Em1em' \
-H 'Authorization: Bearer {INSERT_TOKEN}'

Sample Response

{
    "role": "CAMPAIGN_MANAGER",
    "changeAuditStamps": {
    ...
    "user": "urn:li:person:eEM1Em1em",
    "account": "urn:li:sponsoredAccount:123456789"
}

Verify Access to Create a Video Ad

Use this endpoint to verify if the user has permission to create a Video Ad Dark post. You need rw_ads permission to use this resource.

http

GET https://api.linkedin.com/rest/organizationalEntityCreateShareAuthorizations/owner=urn:li:company:5590506&loggedInMember=urn:li:person:LBSWch4wcA&agent=urn:li:sponsoredAccount:517753843

curl

curl -X GET 'https://api.linkedin.com/rest/organizationalEntityCreateShareAuthorizations/owner=urn:li:company:5590506&loggedInMember=urn:li:person:LBSWch4wcA&agent=urn:li:sponsoredAccount:517753843' \
-H 'Authorization: Bearer {INSERT_TOKEN}'

You get a response similar to one of the following with status code = 200

Denied Response Sample

{
    "status": {
        "com.linkedin.sharingauth.Denied": {}
    }
}

Approved Response Sample

{
    "status": {
        "com.linkedin.sharingauth.Approved": {}
    }
}