How to Add Users to an Apple Search Ads Account | OpsBlu Docs

How to Add Users to an Apple Search Ads Account

Add users to Apple Search Ads with Admin, Campaign Manager, Limited Access, or Read Only roles via the UI or API, including invitation workflows and...

Prerequisites

  • Account Admin role on the Apple Search Ads account
  • The new user's Apple ID email address (they must have an Apple ID)
  • Decision on role and campaign group scoping (see role matrix below)

Role Matrix

Capability Account Admin Campaign Manager Limited Access Read Only
View campaigns and reports Yes Yes Assigned groups Yes
Create and edit campaigns Yes Yes Assigned groups No
Set budgets and bids Yes Yes Assigned groups No
Manage keywords and audiences Yes Yes Assigned groups No
Export data Yes Yes Yes Yes
Manage users Yes No No No
Manage billing Yes No No No
Generate API certificates Yes Yes No No

Limited Access users only see campaigns within their assigned Campaign Groups. Everything else is invisible to them, including account-level settings and other groups.

Adding a User via the UI

  1. Log in to Apple Search Ads with an Account Admin account
  2. Click the gear icon (top right) > Account Settings
  3. Select User Management from the left sidebar
  4. Click Invite User
  5. Enter the user's Apple ID email address
  6. Select the appropriate Role:
    • For Limited Access, a Campaign Group selector appears -- check the groups the user should access
  7. Click Send Invitation

The user receives an email from Apple with an invitation link. They must click the link, sign in with their Apple ID, and accept the invitation.

Adding a User via the API

For programmatic user management, use the Apple Search Ads Campaign Management API:

# Invite a new user with Campaign Manager role
curl -X POST "https://api.searchads.apple.com/api/v5/acls" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "X-AP-Context: orgId=$ORG_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "newuser@example.com",
    "roleName": "Campaign Manager",
    "orgId": 7890
  }'

# For Limited Access, include campaign group IDs:
curl -X POST "https://api.searchads.apple.com/api/v5/acls" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "X-AP-Context: orgId=$ORG_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "contractor@agency.com",
    "roleName": "Limited Access",
    "orgId": 7890,
    "campaignGroupIds": [111, 222]
  }'

Invitation States

After sending an invitation, track its status in User Management:

Status Meaning Action
Pending Invitation sent, user has not accepted Wait or remind user
Active User accepted and has access No action needed
Expired Invitation expired (7 days) Remove and re-invite

Expired invitations must be deleted before re-inviting the same email address.

Setting Up API Access for the New User

If the new user needs programmatic access (Campaign Manager or Admin roles):

  1. The user logs in to Apple Search Ads
  2. Goes to Account Settings > API
  3. Clicks Create API Certificate
  4. Downloads the certificate files (.pem private key and .cer public key)
  5. Uses the credentials to authenticate API requests via OAuth 2.0:
# Generate access token from API certificate
curl -X POST "https://appleid.apple.com/auth/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$JWT_TOKEN&scope=searchadsorg"

API certificates are tied to the individual user. If the user is later removed, their certificates should be revoked separately (see Remove Access).

Multi-Organization Access

If your company has multiple Apple Search Ads organizations (e.g., separate orgs per app or region), each org requires a separate invitation. Users can switch between orgs in the Apple Search Ads UI using the org selector dropdown.

To invite a user to multiple orgs via API, send separate POST /acls requests with different orgId values.

Best Practices

  1. Use Read Only for stakeholders who only review performance reports
  2. Use Limited Access for agencies or contractors scoped to specific campaigns
  3. Reserve Account Admin for two to three internal team members maximum
  4. Require new users to enable two-factor authentication on their Apple ID before granting access
  5. Document all invitations in your internal access register with the date, role, and business justification
  6. Review the user list quarterly and remove stale accounts

Troubleshooting

User did not receive the invitation email: Verify the email matches their Apple ID exactly. Check spam/junk folders. Corporate email filters may block Apple notifications -- whitelist @apple.com and @searchads.apple.com.

User accepted but sees no campaigns: If they have Limited Access, confirm campaign groups are assigned. If Campaign Manager, verify they are looking at the correct organization.

Invitation link expired: Remove the expired invitation from User Management, then re-invite with the same email and role.

返回顶部