Prerequisites
- Admin access to the Google Ads account
- User's email address (must be associated with a Google account)
- Determined appropriate access level (Admin, Standard, Read-only, or Email-only)
Add User via Google Ads Interface
Step 1: Navigate to Access & Security
- Sign in to your Google Ads account at ads.google.com
- Click the Tools & Settings icon in the top right
- Under "Setup," click Access and security
Step 2: Invite New User
- Click the blue Plus button
- Enter the user's email address
- Must be a valid Google account email
- Can use Gmail, Google Workspace, or any email linked to a Google account
- Select access level:
- Admin: Full account control including billing and user management
- Standard: Campaign management without billing access
- Read-only: View-only access to campaigns and reports
- Email-only: Receive reports via email without login access
- (Optional) Click Advanced to configure:
- Access to specific manager accounts if using MCC
- Email notification preferences
- Click Send invitation
Step 3: User Acceptance
- User receives email invitation to their specified email address
- User clicks Accept invitation link in email
- User signs in with their Google account
- Access is granted immediately upon acceptance
Add User to Manager Account (MCC)
Step 1: Navigate to MCC Users
- Sign in to your Manager account
- Click Tools & Settings icon
- Under "Setup," click Access and security
Step 2: Invite User
- Click the blue Plus button
- Enter user's email address
- Select access level:
- Admin: Manage MCC settings and all linked accounts
- Standard: View and manage linked accounts (subject to individual account permissions)
- Read-only: View-only across all linked accounts
- Email-only: Receive aggregated MCC reports
- (Optional) Select specific linked accounts to grant access to (if not all accounts)
- Click Send invitation
Step 3: User Acceptance
User accepts invitation via email, same process as individual account access.
Add User to Multiple Accounts (Bulk)
For agencies managing multiple client accounts via MCC:
Method 1: MCC Access (Recommended)
- Grant user access to the MCC with appropriate permission level
- User automatically inherits access to all linked accounts
- Individual account owners can restrict permissions if needed
Method 2: Individual Account Invitations
- Navigate to each Google Ads account
- Repeat individual user invitation process
- More time-consuming but provides granular control
Add Email-Only Access
For users who only need to receive reports without login access:
Step 1: Configure Email-Only User
- Navigate to Access and security
- Click Plus button
- Enter recipient's email address (does not need to be a Google account)
- Select Email-only access level
- Click Send invitation
Step 2: Configure Report Delivery
- Navigate to Reports in Google Ads
- Create or select existing report
- Click Schedule button
- Add email-only user to recipient list
- Set frequency (daily, weekly, monthly)
- Click Save
Note: Email-only users do not need to accept an invitation. They will automatically receive scheduled reports.
Add API Access
For developers or tools requiring programmatic access:
Step 1: Grant Standard or Admin Access
API access requires a login-enabled user account (Standard or Admin).
Step 2: Enable API Access
- User signs in to their Google Ads account
- Navigates to Tools & Settings > Setup > API Center
- Applies for API access (if not already enabled)
- Creates OAuth credentials for their application
Note: Manager Account (MCC) access is recommended for API users managing multiple accounts.
Verification Checklist
After adding a user, verify:
- User received invitation email
- User accepted invitation
- User appears in Access and security list with correct permission level
- User can log in and view/edit as expected based on access level
- User is documented in access management log
- User has enabled two-factor authentication (if Admin access)
Common Issues & Solutions
User Doesn't Receive Invitation Email
Solutions:
- Verify email address is correct
- Check user's spam/junk folder
- Resend invitation from Access and security page
- Ensure email is associated with a Google account
User Cannot Accept Invitation
Solutions:
- Verify user is signed in to the correct Google account
- Clear browser cache and cookies
- Try accepting in an incognito/private browser window
- Check if user's Google account is suspended or restricted
User Has Access But Cannot See Account
Solutions:
- User may need to select correct account from account selector dropdown
- Verify user is signed in to the correct Google account email
- Check if account is linked to an MCC (user may need MCC access instead)
- Refresh browser or try a different browser
Cannot Invite User (Greyed Out)
Solutions:
- Confirm you have Admin access to the account
- Check if account has reached user limit (unlikely for most accounts)
- Verify your own session hasn't expired (re-login)
Security Best Practices
- Verify identity: Confirm user identity before granting access
- Minimum access: Grant lowest permission level necessary for user's role
- Document access: Record user name, email, access level, date granted, and business justification
- Enable 2FA: Require two-factor authentication for Admin users
- Set calendar reminder: Schedule access review in 90 days
- Monitor activity: Check Change history for user actions after granting access
Integration with Google Workspace
For organizations using Google Workspace:
Centralized User Management
- Create Google group for Google Ads users (e.g.,
ads-users@company.com) - Add users to the group
- Grant access to the Google group email instead of individual users
- Manage user access by adding/removing from group
Advantages:
- Centralized access control
- Easier to manage large teams
- Automatic access removal when user leaves organization
- Audit trail via Google Workspace admin console
Workspace-Specific Features
- IP allowlisting (restrict access to office IP addresses)
- Single Sign-On (SSO) integration
- Advanced security policies
- Mobile device management
Post-Access Setup
After granting access, consider:
- Onboarding email: Send welcome message with account overview and resources
- Training: Provide Google Ads training if needed
- Guidelines: Share company policies for Google Ads management
- Communication: Add user to relevant Slack/Teams channels
- Tools: Grant access to related tools (Google Analytics, Tag Manager, etc.)
- Documentation: Share account structure, naming conventions, and SOPs
Access Request Template
Use this template for standardized access requests:
Google Ads Access Request
Requestor Name: [Name]
Email Address: [email@company.com]
Google Account Email: [google-account@gmail.com]
Account Name/ID: [Account Name - 123-456-7890]
Access Level Requested: [Admin / Standard / Read-only / Email-only]
Business Justification: [Reason for access]
Manager Approval: [Manager Name]
Start Date: [YYYY-MM-DD]
End Date (if temporary): [YYYY-MM-DD or "Ongoing"]
Automation Options
Google Ads Scripts
Automate access audits with Google Ads Scripts:
function auditAccountAccess() {
var account = AdsApp.currentAccount();
var users = account.users().get();
Logger.log('Account: ' + account.getName());
Logger.log('Users with access:');
while (users.hasNext()) {
var user = users.next();
Logger.log('Email: ' + user.getEmail() + ', Level: ' + user.getAccessLevel());
}
}
Google Ads API
Programmatically manage users via API (requires Admin access):
from google.ads.googleads.client import GoogleAdsClient
client = GoogleAdsClient.load_from_storage()
customer_user_access_service = client.get_service("CustomerUserAccessService")
# Invite new user
customer_user_access = client.get_type("CustomerUserAccess")
customer_user_access.email_address = "user@example.com"
customer_user_access.access_role = client.enums.AccessRoleEnum.ADMIN
response = customer_user_access_service.mutate_customer_user_access(
customer_id="123456789",
operation={"create": customer_user_access}
)
Note: API access management requires careful permission handling and should be reserved for automated systems with proper security controls.