Account Access Controls

LinkedIn's Campaign Management APIs allow administrators of business accounts to assign roles and functions to specified users. This gives admins flexibility over the granularity of access to campaign and creative data, such as granting read/write access.

Permissions

There are two conditions for a successful call: (1) the application has scope permissions for rw_ads and/or r_ads, and (2) the user assigning permissions holds one of the following roles in the Ad Account.

Scope permissions:

  • rw_ads (Read/Write)
  • r_ads (Read-Only)

Ad Account Roles:

  • ACCOUNT_BILLING_ADMIN
  • ACCOUNT_MANAGER
  • CAMPAIGN_MANAGER
  • CREATIVE_MANAGER
  • VIEWER (Read-Only, even with rw_ads scope)

For more information on Ad Account roles and permissions:

Grant User Access

Every user's relationship to an account can be described by an AccountUser object. For more details, please refer to Create and Manage Account Users: /adAccountUsersV2. This object consists of:

Field    Type             Description
account  URN              The ad account URN to which access is being granted
user     URN              The user URN that you intend to grant access
role     AccountUserRole  The access type being granted to the user. Valid values are:
  • VIEWER
  • CREATIVE_MANAGER
  • CAMPAIGN_MANAGER
  • ACCOUNT_MANAGER
  • ACCOUNT_BILLING_ADMIN

Both user and account are expected as type URN. These URNs map to the person IDs and account IDs that are returned by other APIs. When managing users for an ads account, however, you need to format the subject and object as URNs built from the person and/or ads account IDs. For example, the account ID 777999 would be formatted as urn:li:sponsoredAccount:777999. Likewise, the person ID 12345 would be formatted as urn:li:person:12345.

Setting up new account users and editing existing account users are both accomplished via a PUT call against the Ad Account Users API. In either case, the account user resource to be created or edited is identified by a key composed of the combination of user and account. In this example, we're granting a member read-only access to the ads account. The body of the PUT request is simply an /adAccountUser object with VIEWER for the "role" field.

Sample Request

PUT https://api.linkedin.com/v2/adAccountUsersV2/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:qZXYVUTSR

Sample Response

{
    "account": "urn:li:sponsoredAccount:12345...",
    "role": "VIEWER",
    "user": "urn:li:person:56789..."
}

Remove User Access

Use the DELETE method to remove an AdAccountUser resource.

DELETE https://api.linkedin.com/v2/adAccountUsersV2?account=urn:li:sponsoredAccount:12345&user=urn:li:person:56789

Ad Account User Role Definitions

The following describes in detail what each role provides:

Control Name           Description
VIEWER                 View campaign data and reports for the account. No ability to create or edit any campaigns or ads.
CREATIVE_MANAGER       View campaign data and reports for the account. Ability to create and edit ads.
CAMPAIGN_MANAGER       View campaign data and reports for the account. Ability to create and edit campaigns and ads.
ACCOUNT_MANAGER        View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account.
ACCOUNT_BILLING_ADMIN  View campaign data and reports for the account. Ability to create and edit campaigns and ads. Edit account data and manage user access to the account. Can also access billing data and will be billed for this account. Note: there should be exactly one user with this role in an account.
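
As an added example (not code from LinkedIn's documentation), the following Python picks the lowest role from the table above that covers a needed set of capabilities and builds the PUT request described under Grant User Access. The capability labels, the function names and the ID character checks are assumptions made for illustration.

```python
import re

# Capabilities per role, transcribed from the role definitions table above.
# The capability labels are illustrative names, not API values.
ROLE_CAPABILITIES = [  # ordered from least to most privileged
    ("VIEWER", {"view_reports"}),
    ("CREATIVE_MANAGER", {"view_reports", "edit_ads"}),
    ("CAMPAIGN_MANAGER", {"view_reports", "edit_ads", "edit_campaigns"}),
    ("ACCOUNT_MANAGER", {"view_reports", "edit_ads", "edit_campaigns",
                         "edit_account", "manage_users"}),
    ("ACCOUNT_BILLING_ADMIN", {"view_reports", "edit_ads", "edit_campaigns",
                               "edit_account", "manage_users", "billing"}),
]
BASE_URL = "https://api.linkedin.com/v2/adAccountUsersV2"


def least_privileged_role(needed):
    """Return the lowest role whose capabilities cover everything in `needed`."""
    needed = set(needed)
    for role, caps in ROLE_CAPABILITIES:
        if needed <= caps:
            return role
    raise ValueError(f"no role grants {sorted(needed)}")


def build_grant_request(account_id, person_id, needed):
    """Build (method, URL, JSON body) for a PUT granting the minimal role."""
    # Assumed ID formats: reject anything that could add extra key parts
    # (such as '&user=...') or path segments to the resource URL.
    if not re.fullmatch(r"[0-9]+", str(account_id)):
        raise ValueError("account ID must be numeric")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", str(person_id)):
        raise ValueError("unexpected characters in person ID")
    account = f"urn:li:sponsoredAccount:{account_id}"
    user = f"urn:li:person:{person_id}"
    body = {"account": account, "user": user,
            "role": least_privileged_role(needed)}
    return "PUT", f"{BASE_URL}/account={account}&user={user}", body
```
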

Fetch Existing Ad Account Users

When making a GET call to fetch existing users on an account, the authenticated user can only view themselves unless they are an account manager.

GET https://api.linkedin.com/v2/adAccountUsersV2?accounts=urn:li:sponsoredAccount:123456789&q=accounts

Sample Response

{
    "paging": {
        "start": 0,
        "count": 2147483647,
        "links": [],
        "total": 1
    },
    "elements": [
        {
            "role": "ACCOUNT_BILLING_ADMIN",
            "changeAuditStamps": {
                "created": {
                    "time": 1619111821000
                },
                "lastModified": {
                    "time": 1619111821000
                }
            },
            "user": "urn:li:person:userId",
            "account": "urn:li:sponsoredAccount:123456789"
        }
    ]
}
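
As an added example (not part of LinkedIn's documentation), the following Python audits a user listing in the shape shown above: it flags a caller who cannot see other users, checks the "exactly one ACCOUNT_BILLING_ADMIN" rule, and reports users with user-management roles who are not on an approved list. The sample data, the function names, the approved list and the treatment of ACCOUNT_BILLING_ADMIN as able to list all users are assumptions.

```python
from datetime import datetime, timezone

# Roles that can manage user access, per the role definitions on this page.
USER_ADMIN_ROLES = {"ACCOUNT_MANAGER", "ACCOUNT_BILLING_ADMIN"}


def element(user, role, modified_ms):
    """Build one constructed element in the shape of the sample response."""
    stamp = {"created": {"time": modified_ms}, "lastModified": {"time": modified_ms}}
    return {"role": role, "changeAuditStamps": stamp, "user": user,
            "account": "urn:li:sponsoredAccount:123456789"}


# Constructed sample data, not a real API response.
SAMPLE = {"paging": {"start": 0, "count": 2147483647, "links": [], "total": 3},
          "elements": [
              element("urn:li:person:aaa111", "ACCOUNT_BILLING_ADMIN", 1619111821000),
              element("urn:li:person:bbb222", "ACCOUNT_MANAGER", 1619111821000),
              element("urn:li:person:ccc333", "VIEWER", 1619111821000)]}


def audit_account_users(response, caller, approved_admins):
    """Return a list of findings for one account's user listing."""
    elements = response.get("elements", [])
    roles = {e["user"]: e["role"] for e in elements}
    # A caller without a user-management role only sees their own entry,
    # so the listing cannot be treated as the full access list.
    if roles.get(caller) not in USER_ADMIN_ROLES:
        return [f"{caller} cannot list other users; audit is incomplete"]
    findings = []
    billing = [u for u, r in roles.items() if r == "ACCOUNT_BILLING_ADMIN"]
    if len(billing) != 1:
        findings.append(
            f"expected exactly one ACCOUNT_BILLING_ADMIN, found {len(billing)}")
    for e in elements:
        if e["role"] in USER_ADMIN_ROLES and e["user"] not in approved_admins:
            # Assumption: timestamps are epoch milliseconds.
            ms = e["changeAuditStamps"]["lastModified"]["time"]
            day = datetime.fromtimestamp(ms / 1000, tz=timezone.utc).date()
            findings.append(
                f"{e['user']} holds {e['role']}, last modified {day}, not approved")
    return findings
```
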

Fetch a Specific User

GET https://api.linkedin.com/v2/adAccountUsersV2/account=urn:li:sponsoredAccount:123456789&user=urn:li:person:eEM1Em1em

Sample Response

{
    "role": "CAMPAIGN_MANAGER",
    "changeAuditStamps": {
    ...
    "user": "urn:li:person:eEM1Em1em",
    "account": "urn:li:sponsoredAccount:123456789"
}

Verify Access to Create a Video Ad

You can use this endpoint to verify if the user has permission to create a Video Ad Dark post. You need rw_ads permission to use this resource.

GET https://api.linkedin.com/v2/organizationalEntityCreateShareAuthorizations/owner=urn:li:company:5590506&loggedInMember=urn:li:person:LBSWch4wcA&agent=urn:li:sponsoredAccount:517753843

You get a response similar to one of the following. Both are returned with status code 200.

Denied Response Sample

{
    "status": {
        "com.linkedin.sharingauth.Denied": {}
    }
}

Approved Response Sample

{
    "status": {
        "com.linkedin.sharingauth.Approved": {}
    }
}
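
Because a denial also arrives with status code 200, a client has to read the decision from the body. The following added Python example (not from LinkedIn's documentation; the function names and the three-way classification are assumptions) treats anything other than an explicit Approved decision as not authorized.

```python
import json

APPROVED = "com.linkedin.sharingauth.Approved"
DENIED = "com.linkedin.sharingauth.Denied"


def share_authorization(http_status, raw_body):
    """Classify a response as 'approved', 'denied' or 'indeterminate'."""
    if http_status != 200:
        return "indeterminate"
    try:
        status = json.loads(raw_body)["status"]
    except (ValueError, KeyError, TypeError):
        return "indeterminate"      # not JSON, or no "status" member
    if not isinstance(status, dict) or len(status) != 1:
        return "indeterminate"      # zero or several decisions: do not guess
    (decision,) = status
    return {APPROVED: "approved", DENIED: "denied"}.get(decision, "indeterminate")


def may_create_video_ad(http_status, raw_body):
    """Fail closed: only an explicit Approved decision allows the action."""
    return share_authorization(http_status, raw_body) == "approved"
```
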