Follow these guidelines if you are a Facebook Marketing Partner or a advertiser managing ad accounts or Pages. Depending on your responsibility, you may handle assets differently. Here is a list of the most relevant suggestions based on your role.
Customer owns the assets and they login to the Marketing Partner app directly. The Marketing Partner app uses the user's token.
Customer owns the assets, they give the Marketing Partner access by adding a Marketing Partner user account or grey user directly to the assets
The Marketing Partner's own the assets, and manages them programmatically.
The Marketing Partner's own the assets and manages them using employees.
Marketing Partner manages customer ad accounts or customer’s gray ad accounts by saving / storing end customer passwords.
Customer owns their ad accounts and assets, but Marketing Partner employees need access for customer ad accounts for troubleshooting reasons.
Marketing Partner owns the ad accounts for customers, while customer owns its own Pages.
Marketing Partner has multiple ad accounts and customer Pages, and wants to map which which assets are for which customer.
Projectscreated, one Project for each customer, whose ad accounts and Pages would be included in that Project. Marketing Partner users will create ads in the context of a Project, to avoid using a wrong ad account to create ads.
Marketing Partner or customer employees do not want to use their personal Facebook login to access Business Manager.
Marketing Partner app does not have Ads Management access, but still wants to use BM system user to invoke Page APIs.
Facebook user accounts only have a single personal ad account. If you need additional ad accounts you should use Business Manager. Facebook no longer creates gray-accounts for anyone needing new, additional ad accounts.Q: Do I need a Facebook Page?
To set up a Business Manager you need a Facebook page that represents your business.Q: How do I access Business Manager APIs?
If your app has Marketing API access you automatically have access to all the Business Manager APIs.
manage_pages permissions from any clients to manage their ad accounts and pages. When you set up a Business Manager you should claim your app or add your app to your Business Manager account using the app advanced settings panel.
Facebook requires two-factor authentication using the field `BUSINESS_ID/two_factor_type on the business object to verify people from that business who want to access the API.Q: How is our app on Marketing API associated with a Business Manager
You may need to for agencies or direct brand clients. If they authorize your app, you can take actions on their behalf, including reports and stats pulls. If you need long term access, without cleints logging into your app, you should ask them to grant your Business Manager the roles you need. You can then assign that role to your own system users. Typically you need the
Advertiser roles from clients.
Yes. Pass the
business_id parameter into the call with the appropriate Business ID. You can find more information about this in Connection Objects.
Enter the Ad Account IDs to promote your app. This grant users access to those Ad Accounts using Business Manager and other Facebook tools.Q. Can I add more than 25 ad accounts to a user?
No. Adding ad accounts to a user at
AD_ACCOUNT_ID/assigned_users bypasses this limit. See Business Manager, Ad Accounts.
Disable it from getting credit in Ads Manager. There is no API support for this.
User represents real people taking an action, while a system user represents a machine taking action. Software action should be done through a system user.Q: What permissions do I use for deferred user actions?
You should use business to business permissions which are long-term or use long-live user tokens. Business permissions has the ability for one business to give another business permissions to manage their business and the assets owned by that business.
A system user is a machine or software taking programmatic action on behalf a business. You cannot use it Facebook, and it is associated with your Business Manager for greater security.Q: When do I use system user admin versus system user?
An admin system user has access to everything in the business and there is only one admin system user per business. System users can have access restrictions set by the admin system user.
When you manage actual permissions for the business itself you should use the admin system user. For example use this when you grant a new employee permissions to appropriate assets. For all other actions such as creating ads for a specific ad account, you should use system user. System users have a higher level of security because, if compromised, they can only access what they are assigned.Q: Can I manage a multiple accounts and create campaigns and ads if the accounts are claimed with AGENCY `access_type` with one Business Manager access token?
Access tokens are by user account, therefore any ad account they have general or admin access to will allow you to create campaigns, ads, and so on. This is regardless of whether the account is direct or agency.Q: What are the rate limits for system users? Will one system user be able to replace multiple gray users for automated actions?
Rate limits for System Users are grouped by ad account and not by user.Q: Do our existing app secrets remain the same?
YesQ: What access token do I need to create a system user?
Create the system user and fetch its token using the Business Manager, under
Settings | System User. You see this option if your Business owns an app that has ads-api access, or you own an app that is whitelisted by Facebook.
You use a user token whenever an individual person is taking an action, and the system user token for machine initiated actions.Q: How many system users should I have?
You can logically group ad accounts per system user based on your client or your read/write model. If you have many ad accounts, loading all of them in the UI may be slow.
You should create one system user for each set of 'access types' you need. And you should use the admin system user to maintain the right roles programmatically. You can be more certain that if a regular system user token is compromised, it has limited scope and cannot compromise more permissions. You should carefully safeguard your admin system user.Q: Do system users only have the ability to manage 25 accounts?
Once you attach your app to your Business Manager, you can create more than 25 ad accounts. See Business Manager API, Ad Accounts.Q: Why claim a page as an agency? What kind of access do would grant?
You can ask for access from a someone as a business owner or as an agency for the business. This enables you to target ads at people who like a third-party's page. You should use
AGENCY only when you need access to another business's Page, and don't technically or legally own it.
For agency and Facebook Marketing Partners, you should get the client to authorize your business by using an agency request. You can ask for any roles for the page. If you're advertising, you should get the "ADVERTISER" and "INSIGHTS_ANALYST" roles. If you need to publish to the page beyond unpublished page posts, you should request additional roles. In your Business Manager you should assign each user only one role that is appropriate with their responsibilities.
Yes. The Business should grant these people access to those ad accounts.
You can also grant permissions to another business with business-to-business permissions. Once a business has permissions to the ad accounts, their admin can then give permission to it's employees up to the permission level granted.Q: Can I pass on permissions given to my Business to another Business?
You cannot relay permissions given to your Business to another Business.Q. When someone uses [Business Manager](https://business.facebook.com) and creates new ad account, do system users automatically get permissions to handle them?
No. Even though the admin system user can create ad accounts it won't automatically have access to any ad account in the business. Business admins or Admin system users have to assign roles for users or system users with Facebook tools or APIs.