To have system users, your Business Manager must:
bash script sample shows API calls which create a system user token then use it token to make Marketing API calls.
There are two types of system users: admin system user and system user.
You should create one system user for each type of access you need. Use the admin system user to programmatically maintain the right roles. This way, if a system user token is compromised, it has limited scope and cannot compromise more permissions.
Give system user access to assets and use system users for most API calls. You should limit using admin system user for administrative actions, such as assigning permission. Since it has the most permissions, carefully safeguard the admin system user token.
Here is how it works:
Requirements and actions required to get access to business assets:
We represent your business as an instance of a Business Manager in Marketing API. Your Business Manager must claim, create or share a Facebook app built on Marketing API. To create a system user access token, this app must have Standard Access. You can also contact your Facebook representative to be added to a list of businesses allowed to create the token.
Assets that belong to your Business Manager. For example: pages, ad accounts, and so on.
All instances of Business Manager have an admin user. Typically, this is the same person who originally created the Business Manager object and manages it over time.
An admin user can create this special type of user. An admin system user can create new users and access all assets belonging to the business. We do not recommend managing business' assets through an admin system user, since this user type has more power than a regular system user. Limit use of admin system user to creating other system user, and do not use it for access to assets.
An admin user or admin system user can create a system user. This person can ultimately access assets. Use this type of user to manage a business' assets.
A system user must grant their user permission to access assets owned by a business.
You need an app on the Marketing API with the standard access or your app must be added to a allowlist by a Facebook representative. Ensure that the app has gone through app review (and verification, if applicable) for required permissions. With a system user and this app, you can generate a system user access token. After you have this token, and after a system user grants user permissions to access assets, your can access those assets programmatically.
For a system user to operate with a Custom File Custom Audience in a business, a non system user needs to accept that Business’ Custom Audience terms of service. The acceptance must be made from an ad account that belongs to that Business.
Your app on Marketing API has a certain access level. This determines how many system users you can create for the Business Manager that owns your app:
|Level||System Users||Admin System Users|
You can group ad accounts by system user in responses based on a per-client or per- read/write basis. If you manage many ad accounts, loading all in the UI may be slow.