News for Developers

Back to News
Implications of Graph API 2.12 Release

The release of Facebook Graph API, v2.12 is scheduled for January 30, 2018 and does not contain any versioned breaking changes for Facebook Marketing APIs, except for the following scenario:

If you're using Product Catalog as part of your application, you may be affected by a couple of security-related breaking changes. Technically, these are not Marketing API endpoints. However, these are used by some marketing applications, and hence can be considered breaking changes for such applications. Read further below for details.

  • Marketing API, v2.11 will continue to be the latest version and it will not enter deprecation mode on January 30, 2018.
  • Marketing API, v2.10 will continue to be in deprecated state, as it is currently, and will end of life on May 8, 2018.
  • After Graph API v2.12 is released, any calls made to Marketing APIs with the version set as 2.12, will be treated as v2.11 calls.
  • Marketing API, v2.11 and v2.12 will be deprecated and end of life at the same time, at a later date.

What's breaking?

As of May 8, 2018, we'll limit permissions to catalogs managed under the same Business Manager account to only users who have explicitly been assigned the ADMIN or ADVERTISER role on that catalog owned by a business, as follows:

  • Only users with the catalog ADMIN role can create and edit the catalog. Business Admins only have read access. This change applies to calling POST {product-catalog-id}.
  • Only users with the catalog ADVERTISER role can't edit the catalog, but have read and write access to catalogs managed under the same Business Manager account.
  • Only users with catalog ADMIN or ADVERTISER role can read the catalog.

Business Manager is used by many agencies to manage the catalogs of many different businesses and for larger organizations to manage their own businesses. To ensure read access between catalogs managed under the same Business Manager account is limited to those which have explicitly granted access, we'll require the ADMIN or ADVERTISER role to be granted to any catalog user.

Why is it breaking?

The Business Manager interface enables agencies and other businesses to manage catalogs and campaigns on behalf of multiple businesses. The businesses themselves may also access catalogs independently (via Catalog Manager or API). The existing permissions model permits businesses managed under the same Business Manager account to read each other's catalogs without each business explicitly granting access to the others. This change requires businesses to explicitly opt-in to sharing their catalogs with other businesses under the Business Manager account by assigning the ADMIN or ADVERTISER role to a user from that business.

Where does this change apply?

This change applies to calling POST {product-catalog-id} and to these calls:

GET {product-catalog-id}
GET {ad-promoted-object-node-id}
GET /{business-id}/assigned_product_catalogs
GET /{business-id}/client_product_catalogs
GET /{business-id}/owned_product_catalogs
GET /{business-id}/product_catalogs
GET /{business-project-id}/product_catalogs
GET {product-item-id}
GET {product-group-id}
GET {product-set-id}
GET {assigned_product_catalogs_edge}

What's the workaround?

API users who require access to catalogs of another business under the same Business Manager account should be explicitly assigned the ADMIN or ADVERTISER role for that catalog, as appropriate. Learn how to configure roles.

Learn more about: