Account Access Controls

The LinkedIn Campaign Management APIs enable business account administrators to assign roles and functions to specific users. This gives admins the flexibility for granting access to campaign and creative data and other associated campaign collateral.

Permissions

You need the following scope permissions along with the one of the listed Ad Account roles:

Scope permissions:

  • rw_ads (Read/Write)
  • r_ads (Read-Only)

Ad Account Roles:

  • ACCOUNT_BILLING_ADMIN
  • ACCOUNT_MANAGER
  • CAMPAIGN_MANAGER
  • CREATIVE_MANAGER
  • VIEWER (Read-Only, even with rw_ads scope)

For more information on Ad Account roles and permissions:

Grant User Access

Each user account can be described by the AccountUser object. For more details please refer to Create and Manage Account Users.

This object consists of the following field types:

Field Type Description
account URN The Ad Account URN to which access is being granted
user URN The user URN that you intend to grant access to
role AccountUserRole The access type that is granted to the user. Valid values include:
  • VIEWER
  • CREATIVE_MANAGER
  • CAMPAIGN_MANAGER
  • ACCOUNT_MANAGER
  • ACCOUNT_BILLING_ADMIN
  • You will note that type URN is expected for both user and account. These URNs map to the person IDs and account IDs that are returned by other APIs. However, in the case of managing users for an ads account, you must format the subject and object as URNs using the IDs of persons and/or ads account. For example, the account ID 777999 would be formatted as urn:li:sponsoredAccount:777999 Similarly, the person ID 12345 is formatted as urn:li:person:12345.

    Setting up new account users as well as editing existing account users can be accomplished via a PUT call against the Ad Account Users API. In either case, the account user resource to be created/edited can be identified by a key composed of a combination of user and account. In this example, we're granting a member read-only access to the ads account. The body of the PUT request is an adAccountUser object with VIEWER for the role field.

    Sample Request

    PUT https://api.linkedin.com/v2/adAccountUsersV2/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:qZXYVUTSR
    
    Sample Response
    {
        "account": "urn:li:sponsoredAccount:12345...",
        "role": "VIEWER",
        "user": "urn:li:person:56789..."
    }
    

    Remove User Access

    Use the DELETE method to remove an AdAccountUser resource.

    DELETE https://api.linkedin.com/v2/adAccountUsersV2?account=urn:li:sponsoredAccount:12345&user=urn:li:person:56789
    

    Ad Account User Role Definitions

    The following table describes in detail what each role provides:

    Control Name Description
    VIEWER View campaign data and reports for the account. No ability to create or edit any campaigns or ads
    CREATIVE_MANAGER View campaign data and reports for the account. Ability to create and edit ads
    CAMPAIGN_MANAGER View campaign data and reports for the account. Ability to create and edit campaigns and ads
    ACCOUNT_MANAGER View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account.
    ACCOUNT_BILLING_ADMIN View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account. Can also access billing data and will be billed for this account. Note: there should be exactly one user with this role in an account.

    Fetch Existing Ad Account Users

    When making a GET call to fetch existing users on an account, the authenticated user can only view themselves unless they are an account manager.

    GET https://api.linkedin.com/v2/adAccountUsersV2?accounts=urn:li:sponsoredAccount:123456789&q=accounts
    

    Sample Response

    {
        "paging": {
            "start": 0,
            "count": 2147483647,
            "links": [],
            "total": 1
        },
        "elements": [
            {
                "role": "ACCOUNT_BILLING_ADMIN",
                "changeAuditStamps": {
                    "created": {
                        "time": 1619111821000
                    },
                    "lastModified": {
                        "time": 1619111821000
                    }
                },
                "user": "urn:li:person:userId",
                "account": "urn:li:sponsoredAccount:123456789"
            }
        ]
    }
    

    Fetch a Specific User

    GET https://api.linkedin.com/v2/adAccountUsersV2/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:eEM1Em1em
    

    Sample Response

    {
        "role": "CAMPAIGN_MANAGER",
        "changeAuditStamps": {
        ...
        "user": "urn:li:person:eEM1Em1em",
        "account": "urn:li:sponsoredAccount:123456789"
    }
    

    Verify Access to Create a Video Ad

    Use this endpoint to verify if the user has permission to create a Video Ad Dark post. You need rw_ads permission to use this resource.

    GET https://api.linkedin.com/v2/organizationalEntityCreateShareAuthorizations/owner=urn:li:company:5590506&loggedInMember=urn:li:person:LBSWch4wcA&agent=urn:li:sponsoredAccount:517753843
    

    You get a response similar to one of the following with status code = 200

    Denied Response Sample

    {
        "status": {
            "com.linkedin.sharingauth.Denied": {}
        }
    }
    

    Approved Response Sample

    {
        "status": {
            "com.linkedin.sharingauth.Approved": {}
        }
    }