AdRoll Remove User Access | OpsBlu Docs

AdRoll Remove User Access

Complete offboarding procedure for revoking AdRoll access when users leave, contracts end, or security incidents occur.

Remove Access Overview

Removing user access from AdRoll is critical for security, compliance, and cost control. Access should be revoked immediately when employees depart, agency contracts end, or security incidents occur. Proper offboarding includes removing the user, transferring ownership of API keys and pixels, exporting final reports, and documenting the removal for audit trails.

When to Remove Access

  • Employee departure: Termination, resignation, or role change
  • Agency contract ends: Client relationship concludes
  • Contractor project complete: Temporary engagement finished
  • Security incident: Suspicious activity or policy violation
  • Inactive users: Quarterly audit identifies unused accounts
  • Organizational restructure: Department eliminated or merged
  • Access no longer needed: User's responsibilities changed

Prerequisites

Before removing access:

1. Verify authority:

  • You must have Admin role to remove users
  • Check your permissions: Settings → Users & Roles

2. Get approval:

  • Employee offboarding ticket (HR notification)
  • Manager or executive approval
  • Contract termination documentation
  • Security incident report (if applicable)

3. Plan for continuity:

  • Who will take over user's campaigns?
  • Are there API keys to transfer?
  • Does user own pixels?
  • Any automated processes tied to this user?

4. Document before removal:

  • Screenshot of user's current access
  • List of advertisers user had access to
  • Role and Finance access status
  • Date of original access grant

Removal Impact Assessment

Check User Dependencies

Before removing, verify:

1. API key ownership:

Settings → API Access
→ Filter by user
→ List all API keys created by this user
→ Document which applications use these keys

Impact if not addressed:

  • Applications using API keys will fail
  • Automated reporting breaks
  • Integration errors
  • Campaign management interruptions

Solution: Transfer API keys to another Admin before removal

2. Pixel ownership:

Settings → Pixels
→ Check which Admin owns each pixel
→ If this user: Pixel tracking may break

Impact if not addressed:

  • Pixel becomes orphaned (no owner)
  • Tracking may stop working
  • Cannot modify pixel settings
  • Audience building breaks

Solution: Transfer pixel ownership or ensure 2+ Admins exist

3. Active campaigns:

Review campaigns user created/managed:
- Are campaigns actively running?
- Who will take over optimization?
- Any automated rules tied to this user?

Impact if not addressed:

  • Campaigns continue but no one monitoring
  • Budget overspend possible
  • Performance degradation
  • No one to adjust bids/creative

Solution: Assign campaign ownership to another user

4. Audiences:

Check audiences created by this user:
- Are they used in active campaigns?
- Will they continue to update?
- Any custom segments important to preserve?

Impact if not addressed:

  • Audiences continue to function
  • But no one owns/maintains them
  • May be accidentally deleted later

Solution: Document important audiences, assign ownership

Removal Scenarios

1. Employee Departure (Standard Offboarding)

Timeline: Day of departure or last working day

Checklist:

Pre-departure (if advance notice):

  • Document all campaigns user manages
  • Identify API keys and pixels user owns
  • Export final reports user may need
  • Assign replacement for ongoing campaigns
  • Transfer knowledge to team members

Day of departure:

  • Remove user from AdRoll organization
  • Delete or transfer API keys
  • Verify pixel ownership transferred
  • Update internal access logs
  • Notify team of access removal

Post-departure (within 7 days):

  • Audit recent user activity for anomalies
  • Confirm campaigns transitioned smoothly
  • Archive user documentation
  • Update disaster recovery contacts

Steps:

  1. Export user activity:

    Before removal, capture:
- Screenshot of user profile (role, advertisers, finance access)
- Recent campaign changes (last 30 days)
- API key list (if Admin)
- Audience ownership

  2. Transfer dependencies:

    • API keys: Generate replacements under different Admin
    • Pixels: Contact AdRoll support or have another Admin reinstall
    • Campaigns: Document which campaigns need new owner

  3. Remove user:

    • Settings → Users & Roles
    • Find user → Click ⋯ (three dots) or Edit
    • Click Remove from organization or Delete
    • Confirm removal

  4. Verify removal:

    • User no longer appears in Users & Roles list
    • User cannot log in (test if possible)
    • API keys no longer work (if not transferred)

  5. Document removal:

    Date: 2025-01-15
User: john.doe@company.com
Action: Removed from AdRoll
Reason: Employment terminated
Last working day: 2025-01-14
Removed by: IT Admin
API keys transferred: Yes (2 keys to admin@company.com)
Pixels transferred: Yes (pixel ownership to admin@company.com)
Campaigns affected: 5 campaigns reassigned to sarah.jones@company.com
Final reports exported: Yes
Audit trail: Attached screenshots and export

2. Agency Contract Termination

Timeline: Contract end date or transition period

Scenarios:

A. Agency loses client (full removal):

User: agency@example.com
Advertiser access: Client A only
Action: Remove from organization entirely
Reason: Contract ended, no other clients managed

B. Agency loses one client but keeps others (scope reduction):

User: agency@example.com
Advertiser access: Client A, Client B, Client C
Action: Remove Client A scope only
Reason: Client A contract ended, but still managing B and C

C. Transition to client self-management:

User: agency@example.com
Current role: Marketer
Action: Downgrade to Analyst (read-only) for 30-day transition
Then: Remove entirely after transition
Reason: Client taking over, agency provides handoff support

Steps for full removal:

  1. Pre-removal export:

    Export for client:
- Campaign performance reports (last 12 months)
- Audience configurations
- Current campaign settings
- Pixel installation guide
- API documentation (if used)

  2. Final client handoff:

    • Schedule transition meeting
    • Provide export documentation
    • Share access credentials if client taking over same account
    • Document campaign strategy and optimization notes

  3. Transfer ownership:

    • If client continues with AdRoll:

      • Invite client users as Admins/Marketers
      • Client takes over pixel ownership
      • Agency generates final invoice
      • Remove agency users after client confirmed access

    • If client discontinuing AdRoll:

      • Pause all campaigns
      • Export final performance data
      • Notify AdRoll support of account closure
      • Agency removes access

  4. Remove agency users:

    • Settings → Users & Roles
    • Remove agency account managers
    • Remove agency analysts
    • Remove agency API service accounts
    • Confirm no agency users remain in client advertiser

  5. Document contract closure:

    Client: Company X
Contract end date: 2025-01-31
Agency users removed: 3 (John Doe, Jane Smith, API Account)
Final reports delivered: 2025-01-28
Client access granted: 2025-01-25 (overlapping transition)
Billing finalized: 2025-02-05
Removal complete: 2025-02-01

3. Temporary Contractor / Project Completion

Timeline: Project end date (pre-planned)

Before project ends:

  1. Set calendar reminder for project end date
  2. Document project deliverables and final reports
  3. Notify contractor of upcoming access removal
  4. Confirm no ongoing dependencies

On project end date:

  1. Export final reports for contractor
  2. Remove user from organization
  3. Document removal in project closure ticket

Steps:

Project: Q4 Campaign Optimization
Contractor: consultant@agency.com
Project dates: 2024-10-01 to 2024-12-31
Access granted: 2024-10-01 (Marketer role, Brand A only)
Access removed: 2025-01-01 (day after project end)

Removal process:
1. Final report exported: 2024-12-30
2. Contractor notified: 2024-12-15 (2 weeks advance notice)
3. Access removed: 2025-01-01
4. Project closed: 2025-01-05

Best practice: Always remove temporary access promptly after project completion. Don't wait for quarterly audit.

4. Security Incident / Policy Violation

Timeline: Immediate removal (within minutes to hours)

Triggers:

  • Suspicious login activity
  • Unauthorized campaign changes
  • Attempt to access restricted advertisers
  • API key misuse
  • Policy violation (sharing credentials, etc.)
  • External security team notification

Immediate actions:

Step 1: Restrict access immediately (5 minutes)

Settings → Users & Roles → Edit user
→ Change role to Analyst (read-only)
→ Remove Finance access
→ Reduce advertiser scope to minimum
→ Save changes

Why restrict first instead of remove:

  • Preserves audit trail
  • Allows investigation of recent activity
  • Can be restored if false alarm
  • Provides evidence for HR/legal

Step 2: Investigate (1-24 hours)

Review:
- Login history (recent locations, devices)
- Campaign changes (last 30-90 days)
- API usage (if Admin role)
- Financial transactions (if Finance access)
- User communication (Slack, email about AdRoll)

Step 3: Determine resolution

If confirmed incident:
→ Remove user from organization
→ Rotate all API keys
→ Audit all recent changes
→ Notify affected clients
→ File security incident report

If false alarm:
→ Restore original access
→ Document investigation
→ Communicate with user
→ Update alerting thresholds

Step 4: Full removal (if confirmed violation)

Settings → Users & Roles → Remove from organization
→ Export audit log
→ Screenshot all evidence
→ Document in security incident ticket
→ Notify HR/Legal as required

Step 5: Post-incident review (within 7 days)

Actions:
- Review access policies
- Update security procedures
- Identify process improvements
- Communication to team (without naming user)
- Training if needed

5. Inactive User Cleanup (Quarterly Audit)

Trigger: User hasn't logged in for 90+ days

Process:

  1. Generate inactivity report:

    Export user list: Settings → Users & Roles → Export
Sort by: Last login date
Filter: Last login > 90 days ago
Review: Each inactive user

  2. Verify inactivity is appropriate:

    Check:
- Is user still employed? (Ask HR)
- Have they changed roles? (Ask manager)
- Is account seasonal? (Finance users may only login monthly)
- Should they be removed or retained?

  3. Contact user before removal:

    Subject: AdRoll Account Inactive - Confirm Access Needed

Hi [Name],

Our records show your AdRoll account hasn't been accessed in 90+ days.

To maintain security, we're reviewing inactive accounts.

Please confirm:
- Do you still need AdRoll access?
- If yes, please log in to confirm account is active
- If no, we'll remove your access on [Date]

Let me know within 7 days if you need to retain access.

Thanks,
[Your name]

  4. Remove if no response:

    • After 7-day grace period
    • No response = remove access
    • Can be restored if user contacts later

  5. Document cleanup:

    Quarterly Access Audit: Q1 2025

Inactive users identified: 12
Contacted: 12 (2025-01-15)
Responses:
- Need access: 3 (retained, now active)
- Don't need access: 4 (removed)
- No response: 5 (removed after 7 days)

Removed: 9 total
Retained: 3 total
Audit complete: 2025-01-30

Removal Execution Steps

  1. Log in to AdRoll: https://app.adroll.com
  2. Ensure correct Organization selected
  3. Navigate: Settings (gear icon) → Users & Roles

Remove User

Method 1: Remove from organization (full removal)

  1. Find user in list
  2. Click ⋯ (three dots) or Edit button
  3. Click Remove from organization or Delete
  4. Confirm removal in popup dialog
  5. User immediately removed

Method 2: Remove advertiser scope (partial removal)

  1. Find user → Click Edit
  2. Uncheck advertiser boxes to remove access
  3. If all advertisers unchecked: User can log in but sees nothing
  4. Save changes

Best practice: Use full removal (Method 1) unless user needs to retain access to other advertisers

Verify Removal

Immediately after removal:

  1. Check user list:

    • User no longer appears in Settings → Users & Roles
    • If still appears: Removal didn't complete, try again

  2. Test login (if possible):

    • Try logging in with user's email
    • Should see: "User not found" or "No access to this organization"

  3. Verify API keys disabled (if Admin):

    • Test API calls with user's old keys
    • Should fail with 401 Unauthorized
    • If still work: Keys not deleted, remove manually

  4. Check campaigns unaffected:

    • Active campaigns continue running
    • No errors in campaign status
    • Reassigned owner can access/edit

Post-Removal Actions

Transfer Responsibilities

1. Campaign ownership:

Assign campaigns to replacement:
- Document which campaigns user managed
- Share campaign strategy notes
- Provide optimization history
- Set up handoff meeting if complex

2. Audience maintenance:

Review audiences user created:
- Document important audiences
- Note any custom segmentation logic
- Assign ownership to team member
- Update documentation

3. Reporting responsibilities:

If user was data/reporting owner:
- Transfer report templates
- Share dashboard access
- Document custom metrics
- Train replacement

API Key & Pixel Cleanup

API keys (if user was Admin):

  1. List all keys user owned:

    • Settings → API Access
    • Document applications using each key

  2. Generate replacement keys:

    • Another Admin creates new keys
    • Update applications with new keys
    • Test applications work correctly

  3. Delete old keys:

    • After 7-day transition period
    • Verify no applications using old keys
    • Delete from Settings → API Access

Pixels (if user owned):

  1. Transfer pixel ownership:

    • Contact AdRoll support for transfer
    • Or have another Admin reinstall pixel
    • Update GTM/website templates if new pixel ID

  2. Verify tracking continues:

    • Check Settings → Pixels → Pixel Health
    • Should show "Active" status
    • Test pixel firing on site

Documentation & Compliance

Update records:

1. Access log:

## User Removal Log

Date: 2025-01-15
User removed: john.doe@company.com
Previous role: Marketer
Advertiser access: Brand A, Brand B
Finance access: No
Removal reason: Employment terminated (2025-01-14)
Removed by: admin@company.com
API keys transferred: Yes (2 keys)
Pixels transferred: Yes (pixel ABC123 → admin@company.com)
Campaigns reassigned: 5 campaigns → sarah.jones@company.com
Final reports exported: Yes (attached)
Documentation: See ticket #12345

2. Ticketing system:

  • Close offboarding ticket
  • Attach removal screenshots
  • Link to HR termination ticket
  • Note completion date

3. Internal documentation:

  • Update team roster
  • Remove from email distribution lists
  • Update disaster recovery contacts
  • Remove from Slack channels (if applicable)

4. Compliance archives:

  • Save removal documentation
  • Retain for audit period (typically 7 years)
  • Include: Before/after screenshots, approval emails, final reports

Troubleshooting Removal

Cannot Remove User (Grayed Out)

Symptoms:

  • "Remove" button grayed out or missing
  • "Permission denied" error

Causes:

1. Not an Admin:

Only Admins can remove users
Check your role: Settings → Users & Roles
Request Admin to perform removal

2. Trying to remove yourself:

Cannot remove your own account (prevents lockout)
Have another Admin remove you
Or remove advertiser scope instead of full removal

3. Last Admin in organization:

Cannot remove last Admin (prevents lockout)
Invite another Admin first
Then remove yourself

User Still Has Access After Removal

Symptoms:

  • User reports they can still log in
  • User appears removed but can access campaigns

Causes:

1. Removal didn't save:

Try removal again
Check user list after removal
If still appears: Contact AdRoll support

2. User has access to multiple organizations:

User removed from Org A
But still has access to Org B (different organization)
User can still log in, just can't see Org A
This is expected behavior

3. Browser cache:

User's browser cached old session
Have user clear cache or log out completely
Try incognito/private browsing mode

4. Duplicate accounts:

User has multiple email addresses
You removed john.doe@company.com
But they also have j.doe@company.com
Check for duplicate accounts

API Keys Still Work After Removal

Symptoms:

  • Removed user's API keys still authenticate
  • Applications continue working with old keys

Cause:

  • API keys not deleted, only user account removed
  • Keys exist independently of user account

Fix:

  1. Settings → API Access
  2. Find keys created by removed user
  3. Delete each key manually
  4. Keys immediately stop working
  5. Update applications with replacement keys

Best Practices

Proactive Removal

Don't wait for access to become a problem:

Set automatic reminders:

Employee departure: Remove same day
Contractor project end: Remove on end date (calendar reminder)
Agency contract: Remove on contract end date
Quarterly audit: Review all users for inactivity

Best practice: Remove within 24 hours of trigger event, not days or weeks later

Principle of Least Access

Before removing, consider downgrade:

Scenario: User no longer manages campaigns but may need reporting

Option A: Remove entirely (restrictive)
Option B: Downgrade to Analyst (preserves reporting access)

Choose B if user legitimately needs continued read-only access
Choose A if no ongoing business need

Graduated removal:

Day 1: Downgrade Admin → Analyst (read-only)
Day 30: Remove entirely if no longer needed
Benefit: Allows for questions/handoff without full access

Communication & Notification

Always notify affected parties:

Internal team:

Subject: Access Removal Notification

FYI: John Doe's AdRoll access was removed on 2025-01-15.

Reason: Employment terminated
Campaigns affected: 5 campaigns reassigned to Sarah Jones
Contact Sarah for questions about:
- Brand A campaigns
- Q4 holiday promotions
- Retargeting audiences

API keys transferred to admin@company.com.

Client (if agency removal):

Subject: Agency Transition Complete

Hi [Client],

As discussed, our agency access to your AdRoll account has been removed as of [Date].

Final deliverables:
- Performance report (attached)
- Campaign documentation (attached)
- Transition notes (attached)

Your new account manager:
- Name: [Name]
- Email: [Email]
- Phone: [Phone]

Thank you for the opportunity to work together.

User being removed (if appropriate):

Subject: AdRoll Access Removed

Hi [Name],

Your AdRoll access was removed on [Date] as part of your offboarding.

Reason: [Employment ended / Contract completed / Project finished]

If you need historical reports, please contact:
- [Name/Email] within 30 days

Thank you for your contributions.

Audit Trail

Document everything:

Minimum documentation:

  • Who was removed (user email)
  • When removed (timestamp)
  • Who performed removal (admin name)
  • Why removed (business reason)
  • What was transferred (API keys, pixels, campaigns)

Enhanced documentation (recommended):

  • Before/after screenshots
  • Approval chain (manager, HR, security)
  • Impact assessment
  • Transition plan
  • Final reports exported
  • Post-removal verification

Retain for:

  • 7 years (compliance/legal)
  • Or per your organization's data retention policy

Security Checklist

Before removal:

  • Verify approval received (HR, manager, security)
  • Export audit trail (user activity, campaign changes)
  • Identify API keys and pixels user owns
  • Document campaigns and audiences to transfer
  • Set up replacement access (if needed)

During removal:

  • Remove user from organization
  • Delete or transfer API keys
  • Transfer pixel ownership (if applicable)
  • Verify removal completed successfully
  • Screenshot confirmation of removal

After removal:

  • Test that user cannot log in
  • Verify API keys disabled
  • Confirm campaigns unaffected
  • Update internal access logs
  • Notify affected teams
  • Archive documentation for compliance

Ongoing:

  • Quarterly access audit includes review of removals
  • Monitor for any unauthorized access attempts
  • Validate transition completed smoothly
  • Update disaster recovery documentation

Next Steps

返回顶部