AdRoll Remove User Access

Complete offboarding procedure for revoking AdRoll access when users leave, contracts end, or security incidents occur.

Remove Access Overview

Removing user access from AdRoll is critical for security, compliance, and cost control. Access should be revoked immediately when employees depart, agency contracts end, or security incidents occur. Proper offboarding includes removing the user, transferring ownership of API keys and pixels, exporting final reports, and documenting the removal for audit trails.

When to Remove Access

Employee departure: Termination, resignation, or role change
Agency contract ends: Client relationship concludes
Contractor project complete: Temporary engagement finished
Security incident: Suspicious activity or policy violation
Inactive users: Quarterly audit identifies unused accounts
Organizational restructure: Department eliminated or merged
Access no longer needed: User's responsibilities changed

Prerequisites

Before removing access:

1. Verify authority:

You must have Admin role to remove users
Check your permissions: Settings → Users & Roles

2. Get approval:

Employee offboarding ticket (HR notification)
Manager or executive approval
Contract termination documentation
Security incident report (if applicable)

3. Plan for continuity:

Who will take over user's campaigns?
Are there API keys to transfer?
Does user own pixels?
Any automated processes tied to this user?

4. Document before removal:

Screenshot of user's current access
List of advertisers user had access to
Role and Finance access status
Date of original access grant

Removal Impact Assessment

Check User Dependencies

Before removing, verify:

1. API key ownership:

Settings → API Access
→ Filter by user
→ List all API keys created by this user
→ Document which applications use these keys

Impact if not addressed:

Applications using API keys will fail
Automated reporting breaks
Integration errors
Campaign management interruptions

Solution: Transfer API keys to another Admin before removal

2. Pixel ownership:

Settings → Pixels
→ Check which Admin owns each pixel
→ If this user: Pixel tracking may break

Impact if not addressed:

Pixel becomes orphaned (no owner)
Tracking may stop working
Cannot modify pixel settings
Audience building breaks

Solution: Transfer pixel ownership or ensure 2+ Admins exist

3. Active campaigns:

Review campaigns user created/managed:
- Are campaigns actively running?
- Who will take over optimization?
- Any automated rules tied to this user?

Impact if not addressed:

Campaigns continue but no one monitoring
Budget overspend possible
Performance degradation
No one to adjust bids/creative

Solution: Assign campaign ownership to another user

4. Audiences:

Check audiences created by this user:
- Are they used in active campaigns?
- Will they continue to update?
- Any custom segments important to preserve?

Impact if not addressed:

Audiences continue to function
But no one owns/maintains them
May be accidentally deleted later

Solution: Document important audiences, assign ownership

Removal Scenarios

1. Employee Departure (Standard Offboarding)

Timeline: Day of departure or last working day

Checklist:

Pre-departure (if advance notice):

Document all campaigns user manages
Identify API keys and pixels user owns
Export final reports user may need
Assign replacement for ongoing campaigns
Transfer knowledge to team members

Day of departure:

Remove user from AdRoll organization
Delete or transfer API keys
Verify pixel ownership transferred
Update internal access logs
Notify team of access removal

Post-departure (within 7 days):

Audit recent user activity for anomalies
Confirm campaigns transitioned smoothly
Archive user documentation
Update disaster recovery contacts

Steps:

Export user activity:

Before removal, capture:
- Screenshot of user profile (role, advertisers, finance access)
- Recent campaign changes (last 30 days)
- API key list (if Admin)
- Audience ownership

Transfer dependencies:
- API keys: Generate replacements under different Admin
- Pixels: Contact AdRoll support or have another Admin reinstall
- Campaigns: Document which campaigns need new owner
Remove user:
- Settings → Users & Roles
- Find user → Click ⋯ (three dots) or Edit
- Click Remove from organization or Delete
- Confirm removal
Verify removal:
- User no longer appears in Users & Roles list
- User cannot log in (test if possible)
- API keys no longer work (if not transferred)

Document removal:

Date: 2025-01-15
User: john.doe@company.com
Action: Removed from AdRoll
Reason: Employment terminated
Last working day: 2025-01-14
Removed by: IT Admin
API keys transferred: Yes (2 keys to admin@company.com)
Pixels transferred: Yes (pixel ownership to admin@company.com)
Campaigns affected: 5 campaigns reassigned to sarah.jones@company.com
Final reports exported: Yes
Audit trail: Attached screenshots and export

2. Agency Contract Termination

Timeline: Contract end date or transition period

Scenarios:

A. Agency loses client (full removal):

User: agency@example.com
Advertiser access: Client A only
Action: Remove from organization entirely
Reason: Contract ended, no other clients managed

B. Agency loses one client but keeps others (scope reduction):

User: agency@example.com
Advertiser access: Client A, Client B, Client C
Action: Remove Client A scope only
Reason: Client A contract ended, but still managing B and C

C. Transition to client self-management:

User: agency@example.com
Current role: Marketer
Action: Downgrade to Analyst (read-only) for 30-day transition
Then: Remove entirely after transition
Reason: Client taking over, agency provides handoff support

Steps for full removal:

Pre-removal export:

Export for client:
- Campaign performance reports (last 12 months)
- Audience configurations
- Current campaign settings
- Pixel installation guide
- API documentation (if used)

Final client handoff:
- Schedule transition meeting
- Provide export documentation
- Share access credentials if client taking over same account
- Document campaign strategy and optimization notes
Transfer ownership:
- If client continues with AdRoll:
  - Invite client users as Admins/Marketers
  - Client takes over pixel ownership
  - Agency generates final invoice
  - Remove agency users after client confirmed access
- If client discontinuing AdRoll:
  - Pause all campaigns
  - Export final performance data
  - Notify AdRoll support of account closure
  - Agency removes access
Remove agency users:
- Settings → Users & Roles
- Remove agency account managers
- Remove agency analysts
- Remove agency API service accounts
- Confirm no agency users remain in client advertiser

Document contract closure:

Client: Company X
Contract end date: 2025-01-31
Agency users removed: 3 (John Doe, Jane Smith, API Account)
Final reports delivered: 2025-01-28
Client access granted: 2025-01-25 (overlapping transition)
Billing finalized: 2025-02-05
Removal complete: 2025-02-01

3. Temporary Contractor / Project Completion

Timeline: Project end date (pre-planned)

Before project ends:

Set calendar reminder for project end date
Document project deliverables and final reports
Notify contractor of upcoming access removal
Confirm no ongoing dependencies

On project end date:

Export final reports for contractor
Remove user from organization
Document removal in project closure ticket

Steps:

Project: Q4 Campaign Optimization
Contractor: consultant@agency.com
Project dates: 2024-10-01 to 2024-12-31
Access granted: 2024-10-01 (Marketer role, Brand A only)
Access removed: 2025-01-01 (day after project end)

Removal process:
1. Final report exported: 2024-12-30
2. Contractor notified: 2024-12-15 (2 weeks advance notice)
3. Access removed: 2025-01-01
4. Project closed: 2025-01-05

Best practice: Always remove temporary access promptly after project completion. Don't wait for quarterly audit.

4. Security Incident / Policy Violation

Timeline: Immediate removal (within minutes to hours)

Triggers:

Suspicious login activity
Unauthorized campaign changes
Attempt to access restricted advertisers
API key misuse
Policy violation (sharing credentials, etc.)
External security team notification

Immediate actions:

Step 1: Restrict access immediately (5 minutes)

Settings → Users & Roles → Edit user
→ Change role to Analyst (read-only)
→ Remove Finance access
→ Reduce advertiser scope to minimum
→ Save changes

Why restrict first instead of remove:

Preserves audit trail
Allows investigation of recent activity
Can be restored if false alarm
Provides evidence for HR/legal

Step 2: Investigate (1-24 hours)

Review:
- Login history (recent locations, devices)
- Campaign changes (last 30-90 days)
- API usage (if Admin role)
- Financial transactions (if Finance access)
- User communication (Slack, email about AdRoll)

Step 3: Determine resolution

If confirmed incident:
→ Remove user from organization
→ Rotate all API keys
→ Audit all recent changes
→ Notify affected clients
→ File security incident report

If false alarm:
→ Restore original access
→ Document investigation
→ Communicate with user
→ Update alerting thresholds

Step 4: Full removal (if confirmed violation)

Settings → Users & Roles → Remove from organization
→ Export audit log
→ Screenshot all evidence
→ Document in security incident ticket
→ Notify HR/Legal as required

Step 5: Post-incident review (within 7 days)

Actions:
- Review access policies
- Update security procedures
- Identify process improvements
- Communication to team (without naming user)
- Training if needed

5. Inactive User Cleanup (Quarterly Audit)

Trigger: User hasn't logged in for 90+ days

Process:

Generate inactivity report:

Export user list: Settings → Users & Roles → Export
Sort by: Last login date
Filter: Last login > 90 days ago
Review: Each inactive user

Verify inactivity is appropriate:

Check:
- Is user still employed? (Ask HR)
- Have they changed roles? (Ask manager)
- Is account seasonal? (Finance users may only login monthly)
- Should they be removed or retained?

Contact user before removal:

Subject: AdRoll Account Inactive - Confirm Access Needed

Hi [Name],

Our records show your AdRoll account hasn't been accessed in 90+ days.

To maintain security, we're reviewing inactive accounts.

Please confirm:
- Do you still need AdRoll access?
- If yes, please log in to confirm account is active
- If no, we'll remove your access on [Date]

Let me know within 7 days if you need to retain access.

Thanks,
[Your name]

Remove if no response:
- After 7-day grace period
- No response = remove access
- Can be restored if user contacts later

Document cleanup:

Quarterly Access Audit: Q1 2025

Inactive users identified: 12
Contacted: 12 (2025-01-15)
Responses:
- Need access: 3 (retained, now active)
- Don't need access: 4 (removed)
- No response: 5 (removed after 7 days)

Removed: 9 total
Retained: 3 total
Audit complete: 2025-01-30

Removal Execution Steps

Navigate to User Management

Log in to AdRoll: https://app.adroll.com
Ensure correct Organization selected
Navigate: Settings (gear icon) → Users & Roles

Remove User

Method 1: Remove from organization (full removal)

Find user in list
Click ⋯ (three dots) or Edit button
Click Remove from organization or Delete
Confirm removal in popup dialog
User immediately removed

Method 2: Remove advertiser scope (partial removal)

Find user → Click Edit
Uncheck advertiser boxes to remove access
If all advertisers unchecked: User can log in but sees nothing
Save changes

Best practice: Use full removal (Method 1) unless user needs to retain access to other advertisers

Verify Removal

Immediately after removal:

Check user list:
- User no longer appears in Settings → Users & Roles
- If still appears: Removal didn't complete, try again
Test login (if possible):
- Try logging in with user's email
- Should see: "User not found" or "No access to this organization"
Verify API keys disabled (if Admin):
- Test API calls with user's old keys
- Should fail with 401 Unauthorized
- If still work: Keys not deleted, remove manually
Check campaigns unaffected:
- Active campaigns continue running
- No errors in campaign status
- Reassigned owner can access/edit

Post-Removal Actions

Transfer Responsibilities

1. Campaign ownership:

Assign campaigns to replacement:
- Document which campaigns user managed
- Share campaign strategy notes
- Provide optimization history
- Set up handoff meeting if complex

2. Audience maintenance:

Review audiences user created:
- Document important audiences
- Note any custom segmentation logic
- Assign ownership to team member
- Update documentation

3. Reporting responsibilities:

If user was data/reporting owner:
- Transfer report templates
- Share dashboard access
- Document custom metrics
- Train replacement

API Key & Pixel Cleanup

API keys (if user was Admin):

List all keys user owned:
- Settings → API Access
- Document applications using each key
Generate replacement keys:
- Another Admin creates new keys
- Update applications with new keys
- Test applications work correctly
Delete old keys:
- After 7-day transition period
- Verify no applications using old keys
- Delete from Settings → API Access

Pixels (if user owned):

Transfer pixel ownership:
- Contact AdRoll support for transfer
- Or have another Admin reinstall pixel
- Update GTM/website templates if new pixel ID
Verify tracking continues:
- Check Settings → Pixels → Pixel Health
- Should show "Active" status
- Test pixel firing on site

Documentation & Compliance

Update records:

1. Access log:

## User Removal Log

Date: 2025-01-15
User removed: john.doe@company.com
Previous role: Marketer
Advertiser access: Brand A, Brand B
Finance access: No
Removal reason: Employment terminated (2025-01-14)
Removed by: admin@company.com
API keys transferred: Yes (2 keys)
Pixels transferred: Yes (pixel ABC123 → admin@company.com)
Campaigns reassigned: 5 campaigns → sarah.jones@company.com
Final reports exported: Yes (attached)
Documentation: See ticket #12345

2. Ticketing system:

Close offboarding ticket
Attach removal screenshots
Link to HR termination ticket
Note completion date

3. Internal documentation:

Update team roster
Remove from email distribution lists
Update disaster recovery contacts
Remove from Slack channels (if applicable)

4. Compliance archives:

Save removal documentation
Retain for audit period (typically 7 years)
Include: Before/after screenshots, approval emails, final reports

Troubleshooting Removal

Cannot Remove User (Grayed Out)

Symptoms:

"Remove" button grayed out or missing
"Permission denied" error

Causes:

1. Not an Admin:

Only Admins can remove users
Check your role: Settings → Users & Roles
Request Admin to perform removal

2. Trying to remove yourself:

Cannot remove your own account (prevents lockout)
Have another Admin remove you
Or remove advertiser scope instead of full removal

3. Last Admin in organization:

Cannot remove last Admin (prevents lockout)
Invite another Admin first
Then remove yourself

User Still Has Access After Removal

Symptoms:

User reports they can still log in
User appears removed but can access campaigns

Causes:

1. Removal didn't save:

Try removal again
Check user list after removal
If still appears: Contact AdRoll support

2. User has access to multiple organizations:

User removed from Org A
But still has access to Org B (different organization)
User can still log in, just can't see Org A
This is expected behavior

3. Browser cache:

User's browser cached old session
Have user clear cache or log out completely
Try incognito/private browsing mode

4. Duplicate accounts:

User has multiple email addresses
You removed john.doe@company.com
But they also have j.doe@company.com
Check for duplicate accounts

API Keys Still Work After Removal

Symptoms:

Removed user's API keys still authenticate
Applications continue working with old keys

Cause:

API keys not deleted, only user account removed
Keys exist independently of user account

Fix:

Settings → API Access
Find keys created by removed user
Delete each key manually
Keys immediately stop working
Update applications with replacement keys

Best Practices

Proactive Removal

Don't wait for access to become a problem:

Set automatic reminders:

Employee departure: Remove same day
Contractor project end: Remove on end date (calendar reminder)
Agency contract: Remove on contract end date
Quarterly audit: Review all users for inactivity

Best practice: Remove within 24 hours of trigger event, not days or weeks later

Principle of Least Access

Before removing, consider downgrade:

Scenario: User no longer manages campaigns but may need reporting

Option A: Remove entirely (restrictive)
Option B: Downgrade to Analyst (preserves reporting access)

Choose B if user legitimately needs continued read-only access
Choose A if no ongoing business need

Graduated removal:

Day 1: Downgrade Admin → Analyst (read-only)
Day 30: Remove entirely if no longer needed
Benefit: Allows for questions/handoff without full access

Communication & Notification

Always notify affected parties:

Internal team:

Subject: Access Removal Notification

FYI: John Doe's AdRoll access was removed on 2025-01-15.

Reason: Employment terminated
Campaigns affected: 5 campaigns reassigned to Sarah Jones
Contact Sarah for questions about:
- Brand A campaigns
- Q4 holiday promotions
- Retargeting audiences

API keys transferred to admin@company.com.

Client (if agency removal):

Subject: Agency Transition Complete

Hi [Client],

As discussed, our agency access to your AdRoll account has been removed as of [Date].

Final deliverables:
- Performance report (attached)
- Campaign documentation (attached)
- Transition notes (attached)

Your new account manager:
- Name: [Name]
- Email: [Email]
- Phone: [Phone]

Thank you for the opportunity to work together.

User being removed (if appropriate):

Subject: AdRoll Access Removed

Hi [Name],

Your AdRoll access was removed on [Date] as part of your offboarding.

Reason: [Employment ended / Contract completed / Project finished]

If you need historical reports, please contact:
- [Name/Email] within 30 days

Thank you for your contributions.

Audit Trail

Document everything:

Minimum documentation:

Who was removed (user email)
When removed (timestamp)
Who performed removal (admin name)
Why removed (business reason)
What was transferred (API keys, pixels, campaigns)

Enhanced documentation (recommended):

Before/after screenshots
Approval chain (manager, HR, security)
Impact assessment
Transition plan
Final reports exported
Post-removal verification

Retain for:

7 years (compliance/legal)
Or per your organization's data retention policy

Security Checklist

Before removal:

Verify approval received (HR, manager, security)
Export audit trail (user activity, campaign changes)
Identify API keys and pixels user owns
Document campaigns and audiences to transfer
Set up replacement access (if needed)

During removal:

Remove user from organization
Delete or transfer API keys
Transfer pixel ownership (if applicable)
Verify removal completed successfully
Screenshot confirmation of removal

After removal:

Test that user cannot log in
Verify API keys disabled
Confirm campaigns unaffected
Update internal access logs
Notify affected teams
Archive documentation for compliance

Ongoing:

Quarterly access audit includes review of removals
Monitor for any unauthorized access attempts
Validate transition completed smoothly
Update disaster recovery documentation

Next Steps

Add User Access - Invite replacement users
Update Access & Roles - Modify existing user permissions
User Management Overview - Complete access management guide
Setup & Implementation - Configure AdRoll for new users