Prerequisites
- Admin access to the Google Ads account
- Reason for permission change documented
- Manager approval for access level changes (recommended)
Update User Access Level
Step 1: Navigate to Access & Security
- Sign in to your Google Ads account at ads.google.com
- Click the Tools & Settings icon in the top right
- Under "Setup," click Access and security
Step 2: Modify User Permissions
- Locate the user in the access list
- Click the pencil icon next to the user's name
- Select new access level:
- Admin: Full account control including billing and user management
- Standard: Campaign management without billing access
- Read-only: View-only access
- Email-only: Receive reports via email only
- Click Save
Changes take effect immediately - no user confirmation required.
Update Manager Account (MCC) Access
Modify MCC User Access
- Sign in to your Manager account
- Click Tools & Settings > Access and security
- Locate user in the list
- Click pencil icon next to user's name
- Select new access level:
- Admin: Full MCC control
- Standard: View and manage linked accounts
- Read-only: View-only across all accounts
- Email-only: Receive aggregated reports only
- (Optional) Modify which linked accounts the user can access
- Click Save
Grant MCC Access to Specific Accounts
- In MCC access settings, click user's pencil icon
- Under "Linked accounts," select specific accounts to grant access to
- Uncheck accounts to revoke access
- Click Save
Note: User retains their permission level, but scope is limited to selected accounts only.
Common Access Update Scenarios
Promote User from Read-only to Standard
Use case: Analyst promoted to Campaign Manager role
- Navigate to Access and security
- Click pencil icon next to user
- Change from Read-only to Standard
- Click Save
- Notify user of new permissions
Demote User from Admin to Standard
Use case: Transitioning account ownership or limiting permissions
- Verify at least one other Admin user exists (cannot remove last Admin)
- Navigate to Access and security
- Click pencil icon next to user
- Change from Admin to Standard
- Click Save
- Important: User immediately loses billing and user management access
Change User from Standard to Email-only
Use case: Stakeholder no longer needs login access, only reports
- Navigate to Access and security
- Click pencil icon next to user
- Change from Standard to Email-only
- Click Save
- Configure report schedules to include user's email
- Notify user they will no longer have login access
Upgrade Email-only to Read-only
Use case: Report recipient needs to explore data interactively
- Navigate to Access and security
- Click pencil icon next to user
- Change from Email-only to Read-only
- Click Save
- User receives invitation email to accept access
- Notify user to check email and accept invitation
Update User Email Address
Google Ads does not support changing a user's email address directly. Instead:
Option 1: Remove and Re-add User
- Remove user with old email address
- Add user with new email address
- Grant same permission level as before
Note: User's Change history remains associated with old email address.
Option 2: User Updates Google Account Email
- User updates primary email in their Google account settings
- Google Ads access automatically follows the Google account
- No admin action required
Recommended: Option 2 preserves Change history continuity.
Modify API Access
Revoke API Token Access
API access is controlled by the user's OAuth tokens, not directly by account admins.
To restrict API access:
- Change user to Email-only (removes login capability)
- User's existing API tokens will fail authorization
- User cannot generate new tokens without login access
To audit API usage:
- Review Change history for API-driven changes
- Check API Center for active developer tokens
- Use Google Cloud Console to review OAuth consent
Enable API Access for User
- Ensure user has Standard or Admin access (required for API)
- User navigates to Tools & Settings > API Center
- User applies for API access (if not already approved)
- User creates OAuth credentials for their application
Bulk Access Updates
For agencies managing multiple accounts:
Update Access Across Multiple Accounts
Google Ads does not provide native bulk user permission updates. Workarounds:
Option 1: Google Ads API Script
from google.ads.googleads.client import GoogleAdsClient
client = GoogleAdsClient.load_from_storage()
# List of account IDs to update
account_ids = ['123-456-7890', '098-765-4321']
user_email = 'user@example.com'
new_access_role = client.enums.AccessRoleEnum.STANDARD
for account_id in account_ids:
customer_user_access_service = client.get_service("CustomerUserAccessService")
# Get existing user access
query = f"""
SELECT customer_user_access.user_id, customer_user_access.access_role
FROM customer_user_access
WHERE customer_user_access.email_address = '{user_email}'
"""
response = client.get_service("GoogleAdsService").search(
customer_id=account_id.replace('-', ''),
query=query
)
for row in response:
# Update access role
customer_user_access = client.get_type("CustomerUserAccess")
customer_user_access.resource_name = row.customer_user_access.resource_name
customer_user_access.access_role = new_access_role
operation = client.get_type("CustomerUserAccessOperation")
operation.update = customer_user_access
operation.update_mask = client.get_field_mask(customer_user_access)
customer_user_access_service.mutate_customer_user_access(
customer_id=account_id.replace('-', ''),
operation=operation
)
print(f"Updated access for {user_email} in account {account_id}")
Option 2: Manual MCC Management
- Grant or update user access at MCC level
- User permissions cascade to all linked accounts
- Individual accounts can override with lower permissions
Temporary Access Changes
Grant Temporary Elevated Access
Scenario: Developer needs temporary Admin access for integration setup
- Update user to Admin access
- Document in access log with expiration date
- Set calendar reminder to downgrade access
- After project completion, downgrade back to Standard
Best practice: Use service accounts for temporary elevated access instead of modifying individual user permissions.
Suspend Access Temporarily
Google Ads does not support "suspending" access. Options:
Option 1: Change to Email-only (removes login but maintains email reports) Option 2: Remove access entirely and re-add later
Recommended: Option 1 for known temporary suspensions (e.g., leave of absence).
Verification Checklist
After updating user access:
- User appears in Access and security with new permission level
- User is notified of permission change
- Change is documented in access management log
- If downgrade: Verify user cannot access restricted features
- If upgrade: Verify user can access new features
- Review Change history for any unintended user actions
Common Issues & Solutions
Cannot Change User Permission (Greyed Out)
Causes:
- You do not have Admin access
- User is the last Admin (cannot downgrade last Admin)
- User invitation is pending (cannot modify until accepted)
Solutions:
- Verify you have Admin access
- Promote another user to Admin before downgrading current Admin
- Wait for user to accept invitation, then modify
User Still Has Old Permissions After Update
Causes:
Solutions:
- Ask user to sign out and sign back in
- Clear browser cache
- Wait a few minutes for changes to propagate
User Lost Access After Update
Causes:
- Accidentally changed to Email-only (removes login)
- User was removed instead of modified
Solutions:
- Check Access and security list
- If Email-only, upgrade back to Read-only or Standard
- If removed, re-add user with correct permissions
Audit Trail
Google Ads maintains a change history of permission modifications:
View Access Change History
- Navigate to Tools & Settings
- Under "Setup," click Change history
- Filter by:
- Type: "Access and security"
- User: Specific user who made changes
- Date range: Recent access modifications
Logged events:
- User invited
- User access level changed
- User removed
- User accepted invitation
Security Best Practices
- Document changes: Record reason for permission changes in access log
- Notify users: Inform users when their access level changes
- Manager approval: Require manager sign-off for Admin access grants
- Regular reviews: Audit user access quarterly to ensure least privilege
- Immediate downgrades: Remove Admin access immediately when no longer needed
- Monitor activity: Review Change history after permission upgrades
- Two-factor authentication: Enforce 2FA for all Admin users
Communication Template
When updating user access, notify them via email:
Subject: Google Ads Access Updated - [Account Name]
Hi [User Name],
Your access to the Google Ads account [Account Name - 123-456-7890] has been updated:
Previous Access Level: [Standard]
New Access Level: [Read-only]
Effective Date: [YYYY-MM-DD]
Reason: [Access review - role change]
If you have questions about this change, please contact [Admin Name] at [admin@company.com].
Note: Changes take effect immediately. You may need to sign out and sign back in to see updated permissions.
Thank you,
[Your Name]
Automation & Monitoring
Automated Access Reviews
Use Google Ads Scripts to generate access audit reports:
function auditAccessChanges() {
var account = AdsApp.currentAccount();
var spreadsheet = SpreadsheetApp.openByUrl('YOUR_SPREADSHEET_URL');
var sheet = spreadsheet.getActiveSheet();
sheet.clear();
sheet.appendRow(['Email', 'Access Level', 'Date Added']);
var users = account.users().get();
while (users.hasNext()) {
var user = users.next();
sheet.appendRow([
user.getEmail(),
user.getAccessLevel(),
new Date()
]);
}
Logger.log('Access audit completed');
}
Schedule to run monthly for continuous access monitoring.