User Management Overview
AdRoll organizes users at the organization level with role-based access to individual advertisers (brands or business units). Proper user management ensures marketing teams, agencies, and stakeholders have appropriate access while maintaining security and billing control. User roles determine capabilities from campaign creation to billing management and API access.
AdRoll Access Model
Organizational structure:
Organization (Company/Agency)
└─ Advertiser A (Brand 1)
└─ Campaigns, Audiences, Pixels
└─ Advertiser B (Brand 2)
└─ Campaigns, Audiences, Pixels
└─ Advertiser C (Brand 3)
└─ Campaigns, Audiences, Pixels
Users → Invited to Organization → Scoped to specific Advertisers
Key concepts:
- Organization: Top-level account representing your company or agency
- Advertiser: Individual brand, business unit, or client under the organization
- User roles: Admin, Marketer, Analyst (different permission levels)
- Advertiser scope: Which brands a user can access
- Finance access: Optional billing/payment visibility (Admin only)
User Roles & Permissions
Admin
Full control over organization and advertiser settings:
Permissions:
- ✓ Create, edit, pause, and delete campaigns
- ✓ Create and manage audiences
- ✓ Install and configure pixels
- ✓ Invite, edit, and remove users
- ✓ Manage billing and payment methods
- ✓ Generate and manage API keys
- ✓ View all reports and analytics
- ✓ Configure organization settings
- ✓ Access advertiser-level settings
Best for:
- Internal marketing directors
- Agency account managers (during onboarding)
- IT/operations teams (for pixel implementation)
- Finance teams (billing access only)
Security considerations:
- API access: Admins can generate API keys with full account access
- Billing exposure: Can add/change payment methods and view invoices
- Pixel control: Can modify tracking code affecting attribution
- Recommendation: Downgrade to Marketer after onboarding complete
Marketer
Campaign and audience management without billing or user controls:
Permissions:
- ✓ Create, edit, pause, and delete campaigns
- ✓ Create and manage audiences
- ✓ Adjust budgets and bids
- ✓ View and download reports
- ✓ Edit ad creative and targeting
- ✗ Cannot invite or remove users
- ✗ Cannot access billing or payment methods
- ✗ Cannot generate API keys
- ✗ Cannot modify pixel settings
Best for:
- Marketing managers running day-to-day campaigns
- Agency media buyers
- Campaign specialists
- Content marketing teams
Typical use case:
- Agency granted Admin during initial setup (pixel installation, audience creation)
- After launch, downgraded to Marketer to prevent billing changes
- Maintains full campaign optimization control
Analyst
Read-only access for reporting and monitoring:
Permissions:
- ✓ View campaigns, audiences, and reports
- ✓ Download performance data
- ✓ See ad creative and targeting settings
- ✗ Cannot create or edit campaigns
- ✗ Cannot modify audiences
- ✗ Cannot change budgets or bids
- ✗ Cannot access billing
- ✗ No user management or API access
Best for:
- Finance teams monitoring ad spend
- Executive stakeholders reviewing performance
- Data analysts building reports
- External auditors or consultants
Typical use case:
- CFO wants visibility into ad spend without editing capabilities
- Client stakeholder monitors agency-managed campaigns
- BI team exports data for cross-platform dashboards
Finance Access (Admin Add-On)
Optional permission for Admin role only:
Grants access to:
- Payment method management
- Invoice history and downloads
- Billing contact updates
- Spend alerts and limits
When to enable:
- Accounting teams processing invoices
- Finance approvers validating spend
- Billing admins (non-marketing)
When to disable:
- Agency partners (prevent seeing other clients' invoices)
- Media buyers (don't need billing access)
- External contractors
Access Management Workflows
Adding New Users
Common scenarios:
1. Onboard new employee:
Role: Marketer (if campaign manager) or Analyst (if reporting only)
Advertiser scope: Brands they support
Finance access: No (unless in finance department)
2. Grant agency access:
Initial role: Admin (for pixel setup, audience creation)
After onboarding: Downgrade to Marketer
Advertiser scope: Only client brands (not internal brands)
Finance access: No (prevent seeing other clients' billing)
3. Add client stakeholder:
Role: Analyst (read-only)
Advertiser scope: Their brand only
Finance access: Optional (if they approve invoices)
4. Enable finance team:
Role: Admin
Advertiser scope: All (to see consolidated billing)
Finance access: Yes
Campaign permissions: Not needed (they won't touch campaigns)
Process: See Add User Access for step-by-step guide
Updating User Roles
Common scenarios:
1. Agency onboarding complete:
Before: Admin (for pixel installation)
After: Marketer (ongoing campaign management)
Reason: Remove billing and user management access
2. Role change (promotion/transfer):
Before: Analyst (junior analyst)
After: Marketer (promoted to campaign manager)
Reason: Employee now manages campaigns
3. Expand advertiser scope:
Before: Access to Advertiser A only
After: Access to Advertisers A + B
Reason: Team member now supports additional brand
4. Restrict access after security incident:
Before: Admin with Finance access
After: Analyst (read-only) or Removed entirely
Reason: Suspicious activity detected
Process: See Update Access & Roles for step-by-step guide
Removing User Access
Common scenarios:
1. Employee departure:
Action: Remove from organization (full access revocation)
Timing: Effective date of departure or last day
Follow-up: Rotate API keys if Admin, transfer pixel ownership
2. Agency contract ends:
Action: Remove advertiser scope or full removal
Timing: Contract end date
Follow-up: Export final reports, document campaign settings
3. Scope reduction (not full removal):
Action: Remove specific advertiser access
Timing: When brand support ends
Example: Agency loses Brand A but keeps Brand B
4. Security offboarding:
Action: Immediate removal
Timing: Upon security team notification
Follow-up: Audit recent changes, rotate credentials
Process: See Remove Access for step-by-step guide
Multi-Advertiser Management
Agency Use Case
Scenario: Marketing agency manages 10 client brands
Organization setup:
Organization: "ABC Marketing Agency"
└─ Advertiser: Client A
└─ Advertiser: Client B
└─ Advertiser: Client C
└─ ... (10 total)
User access strategy:
1. Agency account managers:
Role: Marketer (or Admin if they need API access)
Advertiser scope: Only their assigned clients
Example:
- User "John" → Clients A, B, C
- User "Sarah" → Clients D, E, F
2. Agency executives:
Role: Analyst
Advertiser scope: All clients (consolidated view)
Finance access: No (don't need billing details)
3. Agency finance team:
Role: Admin
Advertiser scope: All clients (see consolidated billing)
Finance access: Yes
4. Client stakeholders:
Role: Analyst
Advertiser scope: Their brand only (Client A user can't see Client B)
Finance access: Optional (if they approve invoices)
Benefits:
- Clients can't see other clients' campaigns or data
- Finance team sees consolidated billing across all clients
- Account managers only see their assigned clients
- Prevents accidental cross-client data exposure
Multi-Brand Company Use Case
Scenario: E-commerce company with 3 brands
Organization setup:
Organization: "Retail Corp"
└─ Advertiser: Brand A (outdoor gear)
└─ Advertiser: Brand B (fashion)
└─ Advertiser: Brand C (home goods)
User access strategy:
1. Brand-specific marketers:
Role: Marketer
Advertiser scope: Their brand only
Example:
- User "Emily" (Brand A marketer) → Brand A only
- User "Mike" (Brand B marketer) → Brand B only
2. Corporate marketing director:
Role: Admin
Advertiser scope: All brands (cross-brand strategy)
Finance access: Yes (approves overall budget)
3. Shared services (analytics team):
Role: Analyst
Advertiser scope: All brands (consolidated reporting)
Finance access: No
Benefits:
- Brand managers can't accidentally edit other brands' campaigns
- Corporate team has oversight across all brands
- Analytics team pulls cross-brand performance reports
- Prevents budget conflicts between brands
API Access Management
API Key Considerations
Who can create API keys:
- Only Admin role can generate API keys
- API keys inherit advertiser scope of the Admin who creates them
- Keys have full read/write access to scoped advertisers
Security best practices:
1. Use service accounts for API keys:
Create separate "API Admin" user:
- Email: adroll-api@company.com (service account)
- Role: Admin
- Advertiser scope: Only advertisers needing API access
- Finance access: No
- Purpose: Generate API keys, not used for UI login
2. Rotate keys regularly:
- Generate new key every 90 days
- Update key in applications
- Delete old key after transition period
3. Scope keys minimally:
- Create separate Admins per brand if using API for multiple brands
- Use different API keys for different applications
- Easier to revoke if one application compromised
4. Store keys securely:
// WRONG - Hardcoded in code
const API_KEY = 'adroll_api_abc123xyz';
// CORRECT - Environment variable
const API_KEY = process.env.ADROLL_API_KEY;
// BEST - Secrets manager
const API_KEY = await secretsManager.get('adroll_api_key');
API Key Lifecycle
Creation:
- Settings → API Access → Create API Key
- Name key by purpose: "Production API - Brand A" or "Dev Environment"
- Copy key immediately (only shown once)
- Store in secrets manager
- Document in access registry
Rotation:
- Generate new key with different name: "Production API - Brand A - 2025-Q1"
- Update applications with new key
- Monitor for 7 days (ensure old key no longer in use)
- Delete old key
Revocation:
- Immediate: Delete key from Settings → API Access
- Key stops working within minutes
- Monitor API error logs for applications trying to use revoked key
- Update applications with new key
Pixel Ownership & Transfers
Pixel Ownership
- Pixels are owned by Admins
- Losing all Admins can orphan pixels and break tracking
- Always maintain at least 2 Admins with pixel access
When to Transfer Pixel Ownership
1. Employee departure:
Departing employee owns pixel → Transfer to active Admin
Action: Contact AdRoll support to transfer ownership
Alternative: Have another Admin re-install pixel (gets new pixel ID)
2. Agency transition:
Previous agency owns pixel → Transfer to new agency or in-house
Action: Re-install pixel with new advertiser's pixel ID
Update: GTM, website templates, e-commerce integrations
3. Organizational restructure:
Marketing team owns pixel → Transfer to IT/operations
Action: Add IT user as Admin, verify pixel access
Transition: Gradual (overlap before removing marketing Admins)
Compliance & Auditing
Access Reviews
Quarterly access audit:
Export current users:
- Settings → Users & Roles → Export
- Review all active users and their roles
Validate each user:
Questions to ask: - Is user still employed/contracted? - Is advertiser scope still appropriate? - Should role be downgraded (Admin → Marketer)? - Is Finance access still needed?Document changes:
- Spreadsheet with before/after access
- Ticket/approval for each change
- Effective date of change
Execute updates:
- Remove departed users
- Adjust scopes and roles
- Rotate API keys
Triggering events for ad-hoc reviews:
- Contract changes (agency renewals, scope changes)
- Security incidents or suspected breaches
- Organizational restructures or acquisitions
- New privacy regulations (GDPR, CCPA compliance)
Change Control Documentation
For each user change, document:
# Access Change Request
**User:** john.smith@agency.com
**Requestor:** Jane Doe (Account Director)
**Approver:** Sarah Johnson (VP Marketing)
**Date:** 2025-01-15
**Change Type:** Role downgrade
**Before:** Admin with Finance access, Advertisers A, B, C
**After:** Marketer, Advertisers A, B only
**Reason:** Onboarding complete, transitioning to ongoing management
**Business Justification:** Agency no longer needs billing visibility
**Executed by:** IT Admin
**Execution date:** 2025-01-16
**Verification:** Screenshot of updated user role attached
Separation of Duties
Best practices:
1. Campaign management vs. billing:
Campaign managers: Marketer role (no Finance access)
Finance team: Admin with Finance, but don't use for campaigns
→ Prevents unauthorized spending
2. Multi-signature for high-value changes:
Budget increases >$50K: Require Admin approval in ticketing system
New user with Admin role: Require executive approval
API key generation: Require security team review
3. Least privilege principle:
Default new users to: Analyst (read-only)
Upgrade to Marketer: After training completion
Promote to Admin: Only when necessary (pixel setup, API, billing)
Common Scenarios & Solutions
Scenario 1: Agency Onboarding
Initial state: New client signs with agency
Step 1: Agency setup (Week 1):
1. Create Advertiser in agency's Organization
2. Add agency account manager as Admin
3. Agency installs pixel, creates audiences
4. Agency sets up initial campaigns
Step 2: Transition to ongoing (Week 2-4):
1. Downgrade agency account manager to Marketer
2. Remove Finance access
3. Add client stakeholder as Analyst (if requested)
4. Document access in contract/SOW
Step 3: Ongoing management:
1. Agency Marketer manages campaigns daily
2. Client Analyst reviews reports monthly
3. Finance team (both sides) monitors invoices
4. Quarterly access review confirms scope
Scenario 2: Employee Offboarding
Day of departure:
- Remove user from AdRoll Organization
- If user was Admin: Check for API keys and delete
- If user owned pixels: Transfer to another Admin or re-install
- Export audit log of user's recent changes
Week 1 post-departure:
- Review campaigns user managed (ensure continuity)
- Update internal documentation (remove from contact lists)
- Verify replacement has necessary access
Week 4 post-departure:
- Final audit of changes made by user
- Archive access documentation for compliance
- Update disaster recovery contacts if applicable
Scenario 3: Client Self-Service
Scenario: Client wants to manage own campaigns, agency provides oversight
Access structure:
Client Marketer (primary):
- Role: Marketer
- Advertiser scope: Their brand only
- Finance access: No (agency handles billing)
Agency Marketer (support):
- Role: Marketer (or Admin if needed for troubleshooting)
- Advertiser scope: Same brand
- Finance access: No
Client Finance (invoice approval):
- Role: Admin
- Advertiser scope: Their brand only
- Finance access: Yes
Workflow:
- Client Marketer creates/edits campaigns
- Agency Marketer provides strategy and optimization guidance
- Client Finance reviews and approves invoices monthly
- Agency retains Admin for escalations (pixel issues, API integrations)
Scenario 4: Multi-Region Setup
Scenario: Global brand with regional marketing teams
Organization setup:
Organization: "Global Brand Inc"
└─ Advertiser: North America
└─ Advertiser: Europe
└─ Advertiser: Asia Pacific
User access:
Regional Marketers:
- Role: Marketer
- Advertiser scope: Their region only
- Example: "EMEA Marketer" → Europe advertiser only
Global Marketing Director:
- Role: Admin
- Advertiser scope: All regions
- Finance access: Yes (global budget oversight)
Regional Analysts:
- Role: Analyst
- Advertiser scope: Their region + consolidated view
- Finance access: No
Benefits:
- Regional teams can't accidentally edit other regions' campaigns
- Global director has full visibility and control
- Regional budgets managed independently
- Consolidated reporting available to executives
Troubleshooting Access Issues
User Can't Log In
Symptoms:
- "Invalid email or password" error
- "User not found" error
Causes & fixes:
1. Invitation not accepted:
Check: Settings → Users & Roles → Look for "Pending" status
Fix: Resend invitation
Note: Invitations expire after 7 days
2. Wrong organization:
Issue: User invited to Org A, trying to access Org B
Fix: Verify user is in correct organization
Click avatar → Switch organization
3. Account locked after failed logins:
Symptoms: "Account locked" message
Fix: Wait 30 minutes, or contact AdRoll support to unlock
Prevention: Use password manager to prevent typos
User Has Access But Can't See Campaigns
Symptoms:
- User logs in successfully
- Dashboard shows "No campaigns" or "No advertisers"
Causes & fixes:
1. No advertiser scope:
Issue: User invited but no advertisers assigned
Fix: Settings → Users & Roles → Edit user → Add advertiser scope
2. Wrong advertiser selected:
Issue: User has access to Advertiser A, but viewing Advertiser B
Fix: Top navigation → Advertiser dropdown → Select correct advertiser
3. Analyst role (read-only):
Issue: User expects to edit campaigns, but has Analyst role
Fix: Upgrade to Marketer: Settings → Users & Roles → Edit role
Can't Invite New Users
Symptoms:
- "Invite" button grayed out or missing
- "Permission denied" error when trying to invite
Causes & fixes:
1. Not an Admin:
Issue: Only Admins can invite users
Fix: Ask an existing Admin to invite, or request Admin promotion
2. Organization seat limit reached:
Issue: Plan has max users (rare, usually unlimited)
Fix: Contact AdRoll support to increase seats
Or remove inactive users to free up seats
Best Practices Summary
Security
- Least privilege: Start users with minimum access (Analyst), upgrade as needed
- Regular audits: Review access quarterly or after major changes
- API key rotation: Rotate keys every 90 days
- Service accounts: Use dedicated accounts for API keys, not personal accounts
- Remove quickly: Offboard users same day as departure
Organization
- Document access: Maintain spreadsheet of users, roles, and advertiser scopes
- Approval workflow: Require manager/executive approval for Admin role
- Change tickets: Track all access changes in ticketing system
- Pixel redundancy: Maintain 2+ Admins with pixel access (prevent orphaning)
Collaboration
- Clear scopes: Advertiser scope matches user's responsibilities
- Role clarity: Document what each role can/can't do
- Client boundaries: Use advertiser scopes to separate client data
- Finance separation: Only enable Finance access when truly needed
Available Guides
- Add User Access - Step-by-step invitation process
- Update Access & Roles - Modify existing user permissions
- Remove Access - Offboard users and revoke access
Next Steps
- Setup & Implementation - Get started with AdRoll pixel
- Integrations - Connect AdRoll with your marketing stack
- Troubleshooting & Debugging - Fix access and tracking issues