Prerequisites
- Account Admin role on the Apple Search Ads account
- The new user's Apple ID email address (they must have an Apple ID)
- Decision on role and campaign group scoping (see role matrix below)
Role Matrix
| Capability | Account Admin | Campaign Manager | Limited Access | Read Only |
|---|---|---|---|---|
| View campaigns and reports | Yes | Yes | Assigned groups | Yes |
| Create and edit campaigns | Yes | Yes | Assigned groups | No |
| Set budgets and bids | Yes | Yes | Assigned groups | No |
| Manage keywords and audiences | Yes | Yes | Assigned groups | No |
| Export data | Yes | Yes | Yes | Yes |
| Manage users | Yes | No | No | No |
| Manage billing | Yes | No | No | No |
| Generate API certificates | Yes | Yes | No | No |
Limited Access users only see campaigns within their assigned Campaign Groups. Everything else is invisible to them, including account-level settings and other groups.
Adding a User via the UI
- Log in to Apple Search Ads with an Account Admin account
- Click the gear icon (top right) > Account Settings
- Select User Management from the left sidebar
- Click Invite User
- Enter the user's Apple ID email address
- Select the appropriate Role:
- For Limited Access, a Campaign Group selector appears -- check the groups the user should access
- Click Send Invitation
The user receives an email from Apple with an invitation link. They must click the link, sign in with their Apple ID, and accept the invitation.
Adding a User via the API
For programmatic user management, use the Apple Search Ads Campaign Management API:
# Invite a new user with Campaign Manager role
curl -X POST "https://api.searchads.apple.com/api/v5/acls" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-AP-Context: orgId=$ORG_ID" \
-H "Content-Type: application/json" \
-d '{
"email": "newuser@example.com",
"roleName": "Campaign Manager",
"orgId": 7890
}'
# For Limited Access, include campaign group IDs:
curl -X POST "https://api.searchads.apple.com/api/v5/acls" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "X-AP-Context: orgId=$ORG_ID" \
-H "Content-Type: application/json" \
-d '{
"email": "contractor@agency.com",
"roleName": "Limited Access",
"orgId": 7890,
"campaignGroupIds": [111, 222]
}'
Invitation States
After sending an invitation, track its status in User Management:
| Status | Meaning | Action |
|---|---|---|
| Pending | Invitation sent, user has not accepted | Wait or remind user |
| Active | User accepted and has access | No action needed |
| Expired | Invitation expired (7 days) | Remove and re-invite |
Expired invitations must be deleted before re-inviting the same email address.
Setting Up API Access for the New User
If the new user needs programmatic access (Campaign Manager or Admin roles):
- The user logs in to Apple Search Ads
- Goes to Account Settings > API
- Clicks Create API Certificate
- Downloads the certificate files (
.pemprivate key and.cerpublic key) - Uses the credentials to authenticate API requests via OAuth 2.0:
# Generate access token from API certificate
curl -X POST "https://appleid.apple.com/auth/oauth2/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$JWT_TOKEN&scope=searchadsorg"
API certificates are tied to the individual user. If the user is later removed, their certificates should be revoked separately (see Remove Access).
Multi-Organization Access
If your company has multiple Apple Search Ads organizations (e.g., separate orgs per app or region), each org requires a separate invitation. Users can switch between orgs in the Apple Search Ads UI using the org selector dropdown.
To invite a user to multiple orgs via API, send separate POST /acls requests with different orgId values.
Best Practices
- Use Read Only for stakeholders who only review performance reports
- Use Limited Access for agencies or contractors scoped to specific campaigns
- Reserve Account Admin for two to three internal team members maximum
- Require new users to enable two-factor authentication on their Apple ID before granting access
- Document all invitations in your internal access register with the date, role, and business justification
- Review the user list quarterly and remove stale accounts
Troubleshooting
User did not receive the invitation email: Verify the email matches their Apple ID exactly. Check spam/junk folders. Corporate email filters may block Apple notifications -- whitelist @apple.com and @searchads.apple.com.
User accepted but sees no campaigns: If they have Limited Access, confirm campaign groups are assigned. If Campaign Manager, verify they are looking at the correct organization.
Invitation link expired: Remove the expired invitation from User Management, then re-invite with the same email and role.