Understand the Google Ads Access Model

There are two types of Google Ads accounts: Google Ads manager accounts and Google Ads advertiser accounts (also known as customer or client accounts). Manager accounts can manage other Google Ads manager accounts or Google Ads advertiser accounts. You can link an advertiser account to a manager account and then manage the advertiser account through the manager account. The overall linked structure is a directed acyclic graph with advertiser accounts at the leaf level.

You can give individual users or service accounts access to Google Ads accounts. There are two ways to give users access to an advertiser account:

• Grant the user direct access to the advertiser account by inviting them to that account.
• Grant the user indirect access to the advertiser account by inviting them to a manager account linked to that account. The user gains access to the advertiser account since the manager account has access to all the accounts linked under it.

You can also assign user roles when you invite a user to manage an account.

Consider the following account hierarchy. Assume that all the users have Standard Access.

The following table summarizes this account structure.

Login customer ID

A user may have access to multiple account hierarchies. When making an API call in such cases, you need to specify the root account to be used to correctly determine the authorization and account access levels. This is done by specifying a login-customer-id header as part of the API request.

The following table uses the account hierarchy from the previous example to show what login customer IDs you can use, and the corresponding list of accounts that you can make calls to.

You can skip providing the login-customer-id header if the user has direct access to the Google Ads account that you are making calls to. For example, you don't need to specify login-customer-id header when using U3 credentials to make a call to A4, since the Google Ads servers can correctly determine the access level from the customer ID (A4).

If you are using one of our client libraries, then use the following settings to specify login-customer-id header.

api.googleads.loginCustomerId=INSERT_LOGIN_CUSTOMER_ID_HERE

GoogleAdsConfig config = new GoogleAdsConfig()
{
    ...
    LoginCustomerId = ******
};
GoogleAdsClient client = new GoogleAdsClient(config);

[GOOGLE_ADS]
loginCustomerId = "INSERT_LOGIN_CUSTOMER_ID_HERE"

login_customer_id: INSERT_LOGIN_CUSTOMER_ID_HERE

Google::Ads::GoogleAds::Config.new do |c|
  c.login_customer_id = 'INSERT_LOGIN_CUSTOMER_ID_HERE'
end

client = Google::Ads::GoogleAds::GoogleAdsClient.new('path/to/google_ads_config.rb')

loginCustomerId=INSERT_LOGIN_CUSTOMER_ID_HERE

-H "login-customer-id: LOGIN_CUSTOMER_ID"

User roles

The Google Ads API doesn't have a separate access model of its own, or use separate OAuth 2.0 scopes to limit functionality. For example, Google Ads API uses the same scopes for readonly versus readwrite operations. Instead, Google Ads API follows the same user roles that Google Ads supports. When a user role is granted to an account at the manager level, the role is inherited by the accounts in the hierarchy. If a user has conflicting roles to a given account, the correct level is resolved by the login-customer-id account specified in the API request.

The following table uses the account hierarchy from the previous example and shows the effect of granting various user roles to users.