MediaMath — Update User Access, Roles & Scopes | OpsBlu Docs

MediaMath — Update User Access, Roles & Scopes

Adjust MediaMath user roles, organization scopes, and approval workflows for existing team members and agency partners.

Update Access & Roles

Use this checklist when MediaMath roles or advertiser scopes need to change. Updating access allows you to adjust permissions without removing and re-adding users, which preserves their login history and activity audit trails.

Role and scope changes take effect immediately in MediaMath. Users don't need to log out and back in - permissions update on their next page load or action.

When to Update Access

Update user access when:

  • A role changes: A trader is promoted to Admin, or an Admin steps down to a trader role.
  • Advertiser scope expands or contracts: An agency wins a new brand or loses a client; an internal team member takes on additional advertisers.
  • Billing visibility changes: Finance needs invoice access added, or a user who previously handled billing transitions to a media-only role.
  • Temporary elevation: A user needs Admin access for a one-time task (e.g., pixel deployment, API token generation) and should be downgraded afterward.
  • Security or compliance requirement: An audit reveals a user has more access than their job requires, necessitating a role downgrade.
  • Agency contract amendment: The scope of work changes mid-contract, requiring advertiser list adjustments without full offboarding.

Pre-Update Assessment

Before making any changes, answer these questions to ensure the update is appropriate and won't disrupt operations:

Clarify the change

  • Role change or advertiser scope change? Determine if you're adjusting the role (e.g., Trader → Reporting) or the advertiser list (e.g., adding 3 new advertisers to an existing trader).
  • Is this permanent or temporary? If temporary (e.g., covering for a colleague), document the planned revert date.
  • Does the user still need billing access? Review whether the user's new role requires billing visibility or if it should be toggled off.

Review current state

  1. Go to Admin → User Management and open the user's profile.
  2. Note their current role, advertiser assignments, and billing status.
  3. Screenshot this page for your "before" record in the access log.

Identify owned assets

If you're reducing permissions (e.g., downgrading Admin to Trader, removing advertisers):

  • Check if the user owns any campaigns, pixels, audiences, or API tokens that will become inaccessible after the change.
  • If reducing advertiser scope, ensure campaigns under removed advertisers are transferred to another user first.
  • If downgrading from Admin, audit their API tokens and decide whether to revoke them or transfer ownership.

Obtain approval

For role elevations (e.g., Trader → Admin) or billing additions, obtain approval from:

  • The user's manager or the seat owner.
  • Finance or security if adding billing access or Admin rights.
  • Save the approval email or ticket reference for compliance.

Change Execution

Once you've completed the assessment, follow these steps to update the user:

Step 1: Access user management

  1. Sign in to MediaMath as an Admin.
  2. Go to Admin → User Management from the top navigation.
  3. Locate the user in the table using the search box or by scrolling.

Step 2: Open user profile

  1. Click the user's name or the Edit icon to open their profile.
  2. Review their current role, advertiser list, and billing toggle one more time before making changes.

Step 3: Adjust advertiser list (if needed)

If the user needs access to more or fewer advertisers:

  1. In the Advertisers section, check or uncheck the relevant advertisers.
    • Adding advertisers: Check the boxes for the new advertisers they should manage.
    • Removing advertisers: Uncheck the boxes for advertisers they should no longer see.
  2. Avoid granting "All advertisers" unless the user truly needs seat-wide visibility.

Best practice: Always edit the advertiser list before changing the role. This prevents a scenario where you accidentally grant Admin access to too many advertisers.

Step 4: Change role (if needed)

If the user's responsibilities have changed:

  1. In the Role dropdown, select the new role:
    • Admin: Full control over the seat including users, billing, and API tokens.
    • Standard/Trader: Campaign management without billing or user administration.
    • Reporting: Read-only access to reports and dashboards.
    • Billing: Invoice and payment access without campaign editing.
  2. Consider the impact:
    • Upgrading to Admin: The user will immediately gain access to billing settings, user management, and API token generation. Ensure this is intentional.
    • Downgrading from Admin: The user will lose the ability to invite users, manage billing, and create API tokens. Revoke any orphaned tokens they created.
    • Downgrading to Reporting: The user will lose all editing rights and can only view data. Confirm they don't have active campaigns that need management.

Step 5: Toggle billing access (if needed)

If billing visibility should change independently of the role:

  1. Toggle the Billing option to "On" or "Off."
    • On: The user can view invoices, payment history, and billing contacts.
    • Off: The user has no billing visibility.
  2. Adding billing: Record a second approval if your organization requires finance sign-off for billing access.
  3. Removing billing: Confirm another Admin or Billing user can handle invoice downloads and payment reconciliation.

Step 6: Save and verify

  1. Click Save to apply the changes.
  2. Refresh the User Management page and verify the user's updated role, advertisers, and billing status appear correctly in the table.
  3. Screenshot the updated state for your "after" record in the access log.

Step 7: Notify the user

  1. Email or message the user to inform them of the change:
    • New role and what it allows or restricts.
    • Updated advertiser list (if changed).
    • Billing access status (if changed).
    • Any updated procedures or guidelines for their new role (e.g., escalation path for traders who can no longer create API tokens).
  2. Provide a contact for questions or issues.

Post-Update Validation

After saving the changes, complete these validation tasks:

User confirmation

  • Ask the user to log in and confirm they can access the expected advertisers and no others.
  • If they were downgraded, verify they cannot access features of their old role (e.g., a former Admin should not see User Management in the menu).
  • If they were upgraded, verify they can access new features (e.g., a new Admin should see billing and user management options).

Asset review

If the user's advertiser scope was reduced:

  • Confirm any campaigns, pixels, or audiences under the removed advertisers were transferred to another user.
  • Verify the user can no longer edit those assets.

If the user was downgraded from Admin:

  • Review and revoke any API tokens they created if those tokens are no longer needed.
  • Confirm they can no longer access Admin → User Management or Admin → API Management.

Documentation

  • Update your access log with the following details:
    • User email and name
    • Date of change
    • Role: old → new
    • Advertisers: old list → new list
    • Billing: old status → new status
    • Reason for change (e.g., "Promoted to team lead," "Agency lost client X")
    • Approver name
  • Update internal rosters or SSO groups to reflect the new role.
  • Add a note to your ticketing system or change log for audit purposes.

Monitoring

  • Set a follow-up reminder for 1-2 weeks to check if the user is experiencing any issues with their new permissions.
  • If the change was temporary (e.g., elevated for a one-time task), set a calendar alert to revert the change on the planned date.
  • Include this user in your next quarterly access review to ensure the updated permissions are still appropriate.

Troubleshooting

User can't see new advertisers after update:

  • Verify the advertisers were checked and saved in the User Management page.
  • Ask the user to log out and back in, or clear their browser cache.
  • Check if the user is logging in to the correct seat (if your organization has multiple seats).

User still has old role permissions after downgrade:

  • Refresh the User Management page to confirm the role change was saved.
  • Have the user log out and back in to force a session refresh.
  • If the issue persists, contact MediaMath support.

User lost access to campaigns they were managing:

  • This happens when you remove an advertiser from their scope and forget to transfer campaign ownership.
  • Edit the user and re-add the advertiser temporarily.
  • Transfer campaign ownership to another user, then remove the advertiser again.

User was downgraded from Admin but their API tokens still work:

  • API tokens are independent of user roles and remain active after role changes.
  • Go to Admin → API Management, find the token(s), and manually revoke them.
  • Inform any integrations relying on those tokens that credentials have changed.

User was upgraded to Admin but can't see billing:

  • Some MediaMath seats have granular permissions that separate Admin from billing visibility.
  • Verify the Billing toggle is set to "On" for the user.
  • If still blocked, contact MediaMath support to review seat-level permission settings.

Best Practices

  • Edit advertiser list before changing role to avoid accidentally granting a new Admin access to too many advertisers.
  • Always revoke API tokens when downgrading a user from Admin. Orphaned tokens are a security risk.
  • Screenshot before and after every change for compliance and audit trails.
  • Document the reason for each change in your access log. This is critical during security audits.
  • Set revert reminders for temporary elevations (e.g., a trader who needs Admin for one day to deploy a pixel).
  • Notify the user immediately after making changes so they aren't surprised by permission shifts.
  • Run a quarterly review of all users to catch roles that should have been downgraded but weren't.

Common Use Cases

Promoting a trader to Admin (permanent):

  1. Obtain approval from the seat owner or finance team.
  2. Edit the user and change role from Standard/Trader to Admin.
  3. Verify they can now access Admin → User Management and billing.
  4. Document the promotion in your access log with approver name.
  5. Notify the user of their new responsibilities (e.g., onboarding new users, managing API tokens).

Downgrading an Admin to Trader (permanent):

  1. Confirm the user no longer needs billing or user management access.
  2. Review and revoke any API tokens they created.
  3. Edit the user and change role from Admin to Standard/Trader.
  4. Toggle Billing to "Off" if they no longer need invoice visibility.
  5. Save and verify they cannot access Admin menu options.
  6. Document the downgrade and notify the user.

Temporarily elevating a trader to Admin (for pixel deployment):

  1. Obtain approval with a planned revert date (e.g., "Admin for 24 hours to deploy pixel").
  2. Edit the user and change role to Admin.
  3. Notify the user and ask them to complete the task within the time window.
  4. Set a calendar reminder to downgrade them back to Standard/Trader on the revert date.
  5. After reverting, revoke any API tokens they created during the elevation.

Expanding advertiser scope (agency wins new client):

  1. Confirm the new client is covered by the agency's contract.
  2. Edit the agency user(s) and check the box for the new advertiser.
  3. Leave their role unchanged (likely Standard/Trader).
  4. Save and notify the agency that they now have access to the new advertiser.
  5. Document the change in your access log.

Reducing advertiser scope (agency loses client):

  1. Confirm the client is leaving or the contract is ending.
  2. Transfer any campaigns under that advertiser to an internal user or new agency.
  3. Edit the agency user(s) and uncheck the box for the advertiser.
  4. Save and notify the agency of the access reduction.
  5. Document the change and update your vendor contact list.

Adding billing access to finance team member:

  1. Confirm the finance team member needs invoice visibility.
  2. Edit the user and toggle Billing to "On."
  3. Leave their role as Billing or Reporting (do not upgrade to Admin unless they need user management rights).
  4. Save and notify the finance user they can now access invoices.
  5. Document the change with finance approval reference.

Removing billing access after role change:

  1. Confirm the user no longer handles billing tasks.
  2. Edit the user and toggle Billing to "Off."
  3. Verify another user can handle invoice downloads and payment reconciliation.
  4. Save and notify the user they no longer have billing visibility.
  5. Document the change in your access log.
Nach oben