Update Access Overview
User access in AdRoll may need updates when roles change, responsibilities shift, or project scopes adjust. Common updates include downgrading Admin to Marketer after onboarding, expanding advertiser scope when users support additional brands, or enabling Finance access for budget approvers. Proper access updates maintain security while ensuring users have appropriate permissions.
When to Update Access
- Agency onboarding complete: Downgrade Admin to Marketer
- Role promotion/change: Analyst → Marketer or Marketer → Admin
- Scope expansion: User now supports additional brands/advertisers
- Scope reduction: User no longer supports certain brands
- Finance access needed: User now approves invoices or manages billing
- Security incident: Temporarily restrict to read-only (Analyst)
- Project transition: Contractor moves from one brand to another
Prerequisites
Before updating access:
1. Verify authority:
- You must have Admin role to modify other users
- Check your permissions: Settings → Users & Roles
2. Gather information:
- What needs to change? (role, advertiser scope, finance access)
- Why is change needed? (business justification)
- Who approved the change? (manager, executive)
- Effective date of change
3. Assess dependencies:
- If demoting Admin: Do they own API keys? Transfer first
- If demoting Admin: Do they own pixels? Ensure another Admin exists
- If changing scope: Will existing campaigns be affected?
- If removing Finance access: Is anyone else handling billing?
4. Document change:
- Create ticket in access management system
- Attach approval email or documentation
- Note before/after access states
Common Update Scenarios
1. Downgrade Admin to Marketer (Post-Onboarding)
When: Agency or team member no longer needs Admin privileges
Before state:
Role: Admin
Advertiser scope: Brand A
Finance access: No
Reason: Pixel installation and initial campaign setup
After state:
Role: Marketer
Advertiser scope: Brand A (unchanged)
Finance access: No
Reason: Ongoing campaign management only
Steps:
Verify Admin dependencies:
Check: - Does user own any API keys? → Transfer or delete - Does user own pixels? → Ensure other Admins exist - Are automated processes tied to this user? → DocumentUpdate role:
- Settings → Users & Roles
- Find user → Click Edit or ⋯ (three dots)
- Change Role dropdown from Admin to Marketer
- Keep advertiser scope unchanged
- Save changes
Verify permissions:
- User can still create/edit campaigns
- User cannot access Settings → Users & Roles
- User cannot see billing information
- User cannot generate API keys
Notify user:
Subject: AdRoll Access Updated Hi [Name], Your AdRoll role has been updated from Admin to Marketer. What you can still do: ✓ Create and edit campaigns ✓ Manage audiences and budgets ✓ View reports and analytics What changed: ✗ No longer can invite/manage users ✗ No access to billing or payment settings ✗ Cannot modify pixel settings or generate API keys Your advertiser access remains the same: [Brand A] Questions? Let me know. Thanks, [Your name]
Why downgrade:
- Security: Reduces billing exposure
- Compliance: Follows least privilege principle
- Safety: Prevents accidental user management or pixel changes
- Maintains: Full campaign management capabilities
2. Promote Analyst to Marketer (Role Change)
When: User promoted from reporting to campaign management
Before state:
Role: Analyst (read-only)
Advertiser scope: Brand A
Finance access: No
After state:
Role: Marketer
Advertiser scope: Brand A (unchanged)
Finance access: No
Steps:
Confirm training completed:
- User has AdRoll campaign training
- User understands budget management
- User knows creative best practices
Update role:
- Settings → Users & Roles → Edit user
- Change Role from Analyst to Marketer
- Save changes
Verify new permissions:
- User can now create campaigns
- User can edit budgets and bids
- User can modify audiences
- User still cannot access billing
Provide training resources:
- Campaign creation checklist
- Budget management guidelines
- Internal approval workflows
- Contact for questions
3. Expand Advertiser Scope
When: User now supports additional brands
Before state:
Role: Marketer
Advertiser scope: Brand A only
Finance access: No
After state:
Role: Marketer
Advertiser scope: Brand A + Brand B
Finance access: No
Steps:
Verify user should access additional brands:
- User's responsibilities expanded
- Manager approved multi-brand access
- No conflict of interest between brands
Update advertiser scope:
- Settings → Users & Roles → Edit user
- Check boxes for additional advertisers:
- ✓ Brand A (existing)
- ✓ Brand B (new)
- Save changes
Confirm access:
- Ask user to log in
- User should see advertiser dropdown with both brands
- User can switch between brands in top navigation
- Campaigns from both brands visible
Document scope expansion:
Date: 2025-01-15 User: sarah.jones@company.com Change: Advertiser scope expanded Before: Brand A only After: Brand A + Brand B Reason: User now supports both product lines Approved by: Marketing Director
4. Reduce Advertiser Scope
When: User no longer supports certain brands
Before state:
Role: Marketer
Advertiser scope: Brand A + Brand B + Brand C
Finance access: No
After state:
Role: Marketer
Advertiser scope: Brand A only
Finance access: No
Steps:
Confirm scope reduction is appropriate:
- User transferred to different team
- Agency lost client contract
- Project completed
Export data before scope reduction:
- User may need final reports from Brand B/C
- Download campaign performance data
- Save audience configurations if needed
Update advertiser scope:
- Settings → Users & Roles → Edit user
- Uncheck boxes for advertisers to remove:
- ✓ Brand A (keep)
- ☐ Brand B (remove)
- ☐ Brand C (remove)
- Save changes
Verify restricted access:
- User can only see Brand A in advertiser dropdown
- User cannot view/edit Brand B or C campaigns
- Historical data from B/C no longer accessible
5. Enable Finance Access
When: User needs billing/invoice access
Before state:
Role: Admin
Advertiser scope: All brands
Finance access: No
After state:
Role: Admin (unchanged)
Advertiser scope: All brands (unchanged)
Finance access: Yes
Steps:
Confirm Finance access is necessary:
- User manages payment methods
- User approves monthly invoices
- Accounting team processes AdRoll bills
- Executive reviews ad spend
Enable Finance access:
- Settings → Users & Roles → Edit user
- Check Enable Finance access
- Save changes
Verify Finance permissions:
- User can access Settings → Billing
- User sees payment methods
- User can download invoices
- User can view spend history
Provide Finance training:
- How to download invoices
- Payment method update process
- Spend alert configuration
- Budget limit settings
Note: Finance access only available for Admin role
6. Disable Finance Access
When: User no longer needs billing visibility
Before state:
Role: Admin
Advertiser scope: Brand A
Finance access: Yes
After state:
Role: Admin or Marketer
Advertiser scope: Brand A (unchanged)
Finance access: No
Steps:
Confirm Finance access should be removed:
- User changed roles (no longer in finance)
- Agency partner (shouldn't see billing)
- Security best practice (least privilege)
Verify billing continuity:
- Other users have Finance access
- Payment method updates won't be blocked
- Invoice downloads still possible via other users
Disable Finance access:
- Settings → Users & Roles → Edit user
- Uncheck Enable Finance access
- Optional: Downgrade from Admin to Marketer if appropriate
- Save changes
Verify restricted access:
- User cannot access Settings → Billing
- User cannot see payment methods or invoices
- User retains campaign management access
7. Temporary Restriction (Security Incident)
When: Suspicious activity requires immediate access restriction
Before state:
Role: Marketer or Admin
Advertiser scope: Various
Finance access: Possibly yes
After state:
Role: Analyst (read-only)
Advertiser scope: Unchanged or restricted
Finance access: No
Steps:
Immediate restriction:
- Settings → Users & Roles → Edit user
- Change role to Analyst (read-only)
- Disable Finance access
- Optional: Reduce advertiser scope
- Save changes immediately
Investigate incident:
- Review user's recent activity
- Check campaign changes in last 30 days
- Audit API calls (if Admin)
- Interview user about suspicious activity
Resolution:
- If cleared: Restore original access
- If violated policy: Remove access entirely
- If compromised account: Force password reset, then restore
Document incident:
- Security ticket with timeline
- Actions taken (restriction, investigation)
- Resolution (access restored or removed)
- Lessons learned / policy updates
Update Execution Workflow
Step-by-Step Update Process
1. Navigate to user management:
- Log in to AdRoll: https://app.adroll.com
- Settings (gear icon) → Users & Roles
2. Find user to update:
- Scroll through user list
- Or use search/filter if available
- Click on user name or Edit button
3. Make changes:
To change role:
Role dropdown: Admin / Marketer / Analyst
→ Select new role
To update advertiser scope:
Advertiser checkboxes:
✓ Check boxes for advertisers to grant access
☐ Uncheck boxes for advertisers to remove access
To modify Finance access (Admin only):
Finance access toggle:
☐ Disabled (no billing visibility)
✓ Enabled (full billing access)
4. Add change note (optional):
Internal note:
"Downgraded from Admin to Marketer after onboarding complete - approved by Marketing Director on 2025-01-15"
5. Save changes:
- Click Save or Update
- Changes take effect immediately
- User may need to refresh browser or re-login
6. Verify changes:
- Check user's new role shows correctly
- Ask user to test new permissions
- Document change in access log
Bulk Updates
When to bulk update:
- Organizational restructure (many users changing roles)
- Agency contract change (scope all users to new advertiser)
- Quarterly access audit (multiple downgrades/removals)
Process:
- Create spreadsheet of all planned changes
- Get executive approval for bulk changes
- Schedule maintenance window (notify users)
- Execute changes one by one (AdRoll has no bulk edit feature)
- Verify each change after execution
- Send summary email to all affected users
Alternative: Contact AdRoll support for assistance with bulk changes
Post-Update Verification
Confirm Update Applied
1. Check user profile in dashboard:
- Settings → Users & Roles → Find user
- Verify role shows new value
- Verify advertiser scope updated
- Verify Finance access matches expectation
2. Ask user to verify:
Email template:
Subject: AdRoll Access Updated - Please Verify
Hi [Name],
Your AdRoll access has been updated. Please log in and verify:
✓ You can log in successfully
✓ You see correct advertisers in dropdown: [Brand A, Brand B, ...]
✓ You can [view/edit/create] campaigns (depending on new role)
If anything doesn't work as expected, let me know immediately.
Thanks,
[Your name]
3. Test permissions:
For Marketer role:
- Can create new campaigns ✓
- Can edit existing campaigns ✓
- Cannot access Settings → Users & Roles ✗
- Cannot see billing information ✗
For Analyst role:
- Can view campaigns and reports ✓
- Can download performance data ✓
- Cannot edit campaigns or budgets ✗
- Cannot create new campaigns ✗
For Admin role:
- Can access all settings ✓
- Can invite/manage users ✓
- Can generate API keys (if needed) ✓
- Can view billing (if Finance enabled) ✓
Document Change
Update internal records:
Access log:
Date: 2025-01-15
User: john.smith@agency.com
Action: Access updated
Change type: Role downgrade
Before: Admin, Brand A, No Finance access
After: Marketer, Brand A, No Finance access
Reason: Agency onboarding complete
Approved by: Jane Doe (Account Director)
Executed by: IT Admin
Verification: User confirmed access working
Next review: 2025-04-15 (quarterly audit)
Ticketing system:
- Update access change request ticket
- Attach before/after screenshots
- Link to approval documentation
- Close ticket with resolution notes
Communication log:
- Email sent to user explaining changes
- User confirmed receipt and understanding
- No issues reported after 48 hours
Special Update Scenarios
API Key Transfer (Admin Downgrade)
Problem: Admin being downgraded owns API keys
Before downgrade:
Inventory API keys:
- Settings → API Access
- List all keys owned by this Admin
- Document which applications use each key
Create replacement Admin:
- Invite new "API Admin" user (service account)
- Grant Admin role with minimal advertiser scope
- No Finance access needed
Generate replacement API keys:
- New Admin creates new API keys
- Update applications with new keys
- Test applications to ensure they work
Delete old keys:
- After 7-day transition period
- Delete API keys from old Admin
- Verify no applications break
Now safe to downgrade:
- Original Admin has no API key dependencies
- Downgrade to Marketer
Alternative: Keep user as Admin but disable Finance access and restrict advertiser scope minimally
Pixel Ownership (Admin Removal)
Problem: Admin owns pixels, must ensure tracking continues
Before downgrade/removal:
Check pixel ownership:
- Settings → Pixels
- Identify which Admin owns each pixel
- If departing Admin owns pixels: Transfer needed
Ensure backup Admins exist:
- At least 2 Admins should have pixel access
- Prevents orphaned pixels if one Admin leaves
Options for transfer:
- Option A: Contact AdRoll support to transfer pixel ownership
- Option B: Have another Admin re-install pixel (new pixel ID)
- Option C: Keep user as Admin but remove other permissions
If re-installing pixel:
Cross-Organization Access
Scenario: User needs different roles in different organizations
Setup:
Organization A (Agency internal):
- User: admin@agency.com
- Role: Admin
- Advertiser scope: Internal brands
Organization B (Client 1):
- User: admin@agency.com (same email)
- Role: Marketer
- Advertiser scope: Client 1 advertiser
Organization C (Client 2):
- User: admin@agency.com (same email)
- Role: Marketer
- Advertiser scope: Client 2 advertiser
Update process:
- Each organization Admin updates user independently
- Changes in Org A don't affect Org B or C
- User switches organizations via avatar menu
Troubleshooting Updates
Update Not Taking Effect
Symptoms:
- User still has old role after update
- Advertiser scope didn't change
- Finance access still visible/hidden
Fixes:
1. User needs to refresh:
- Log out of AdRoll completely
- Clear browser cache
- Log back in
- Changes should now be visible
2. Check update saved:
- Settings → Users & Roles → Find user
- Verify role shows new value
- If still shows old: Re-apply update and save again
3. Browser caching issue:
- Try incognito/private browsing mode
- Or different browser
- If works in incognito: Clear cache in original browser
User Lost Access After Update
Symptoms:
- User can log in but sees "No advertisers available"
- Dashboard completely empty
Cause:
- Advertiser scope accidentally removed during update
Fix:
- Settings → Users & Roles → Edit user
- Re-check advertiser boxes
- Save changes
- User refreshes browser
- Access restored
Can't Change Role
Symptoms:
- Role dropdown grayed out
- "Permission denied" error when trying to save
Causes:
1. Not an Admin:
Only Admins can modify other users
Check your own role: Settings → Users & Roles
Request Admin to make changes
2. Trying to change your own role:
Some platforms prevent self-role-changes
Ask another Admin to update your role
3. Last Admin in organization:
Cannot downgrade last Admin (prevents lockout)
Invite another Admin first
Then downgrade yourself
Best Practices
Regular Access Reviews
Quarterly audit:
- Export all users: Settings → Users & Roles → Export
- Review each user:
Questions: - Still employed/contracted? - Role still appropriate? - Advertiser scope still correct? - Should Admin be downgraded to Marketer? - Finance access still needed? - Execute updates: Downgrade, expand, restrict as needed
- Document reviews: Keep audit trail for compliance
Proactive Downgrades
Don't wait for quarterly audit:
30 days after Admin invitation:
Review: Does user still need Admin?
Common case: Agency onboarding complete
Action: Downgrade to Marketer if pixel setup done
90 days after Finance access enabled:
Review: Does user still manage billing?
Common case: Project budget approved, no longer needs visibility
Action: Disable Finance access
Contract/project end dates:
Calendar reminder: Remove access on end date
Don't wait for user to request removal
Proactive security
Communication Standards
Always notify users when access changes:
Downgrade/restriction email:
Subject: AdRoll Access Updated
Hi [Name],
Your AdRoll access has been updated as of [Date].
Change: [Description]
Reason: [Business justification]
Your new access:
- Role: [Marketer/Analyst/Admin]
- Advertisers: [Brand A, Brand B, ...]
- Finance access: [Yes/No]
What you can still do: [List capabilities]
What changed: [List removed capabilities]
This change was approved by [Name/Title].
Questions? Let me know.
Thanks,
[Your name]
Upgrade/expansion email:
Subject: AdRoll Access Expanded
Hi [Name],
Good news! Your AdRoll access has been expanded.
New access:
- Role: [Admin/Marketer]
- Advertisers: [Brand A, Brand B, Brand C (new)]
- Finance access: [Yes/No]
You can now:
- [List new capabilities]
Getting started:
- [Training resources]
- [Contact for questions]
Welcome to expanded access!
Thanks,
[Your name]
Security-First Updates
Least privilege escalation:
User requests Admin access
↓
Question: Do they truly need Admin?
↓
Alternative: Can they accomplish goal with Marketer?
↓
If yes: Grant Marketer, not Admin
If no: Grant Admin with plan to downgrade later
Time-bound Admin access:
Grant: Admin for pixel installation
Document: "Downgrade to Marketer on [Date] after setup complete"
Calendar reminder: Verify downgrade on that date
Execute: Downgrade as planned
Next Steps
- Add User Access - Invite new users with proper configuration
- Remove Access - Offboard users when access no longer needed
- User Management Overview - Complete access management guide
- Troubleshooting & Debugging - Fix access and tracking issues