USER_PERMISSION_DENIED from customer service for some accounts in the new Google Ads API which work in the old Adwords API

[Konstantin Tarassow]

Hello,

we have a peculiar problem with the new Google Ads API.

We are trying to run the following request:

[2019-06-12 15:29:57] google-ads.NOTICE: Request
-------
Method Name: /google.ads.googleads.v1.services.GoogleAdsService/Search
Host: googleads.googleapis.com
Headers: {
    "x-goog-api-client": "gl-php\/7.2.18-1+ubuntu16.04.1+deb.sury.org+1 gapic\/ gax\/0.38.1 grpc\/1.19.0",
    "x-goog-request-params": "customer_id=9787711904",
    "developer-token": "REDACTED",
    "login-customer-id": "4554523147"
}
Request: {"customerId":"9787711904",
"query":"
SELECT
customer.id,
customer.manager,
customer.currency_code,
customer.descriptive_name,
customer.time_zone,
customer.test_account,
customer.resource_name,
customer.auto_tagging_enabled,
customer.tracking_url_template,
customer.final_url_suffix,
customer.conversion_tracking_setting.conversion_tracking_id
FROM
customer
"}
Response
-------
Headers: {
    "request-id": "W0hmBQBSfpTqVplr2qamCw",
    "date": "Wed, 12 Jun 2019 13:29:57 GMT",
    "alt-svc": "quic=\":443\"; ma=2592000; v=\"46,44,43,39\""
}
Fault
-------
Status code: 7
Details: The caller does not have permission
Failure: {"errors":[{"errorCode":{"authorizationError":"USER_PERMISSION_DENIED"},"message":"User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https:\/\/developers.google.com\/google-ads\/api\/docs\/concepts\/call-structure#login-customer-id"}]}
[2019-06-12 15:31:32] google-ads.WARNING: Request made: Host: "googleads.googleapis.com", Method: "/google.ads.googleads.v1.services.GoogleAdsService/Search", ClientCustomerId: 9787711904, RequestId: "pdTJsdb148r5jB4tnUFFcw", IsFault: 1, FaultMessage: "["User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https:\/\/developers.google.com\/google-ads\/api\/docs\/concepts\/call-structure#login-customer-id"]"

As you can see we get a USER_PERMISSION_DENIED.

We set the login-customer-id  to the id of the corresponding MCC, the account we request the data for is 9787711904 and is directly under the MCC 4554523147.

A corresponding request to the CustomerService in the old Adwords API with the same CustomerId, credentials and Oauth refresh token works flawlessly.

We get an error like this for many more customers, but, on the other hand, many others work and we cannot see any structural difference or any difference in the approach between the working ones and the non-working ones. All which do not work in the new API work flawlessly in the old one.

What are we potentially doing wrong?

We know already that if there is an MCC chain like Account A <- Intermediate MCC B <- Top MCC C and we have the credentials for C, that we must use C as login-customer-id and not B. But in the given example the hierarchy consist only of the end account and it's MCC, the credentials (refresh token) are on the MCC.

Regards,

Konstantin

[Google Ads API Forum Advisor Prod]

Hello Konstantin,

Could you please confirm the user using which the OAuth credentials are generated? In general when using login-customer-id the OAuth user must have access to the MCC account. 

Regards,
Sai Teja, Google Ads API Team

ref:_00D1U1174p._5001UBmwT1:ref

[Konstantin Tarassow]

Hello,

we are using exactly the same Oauth token for both the new Google Ads API and the  Adwords API the user provided us with when he allowed Adwords API access to his MCC.

This access was allowed on the MCC level (4554523147).

I've just executed a GetCustomers call on the Adwords API with exactly the same Oauth token and account we are trying to access (9787711904). It works

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="https://adwords.google.com/api/adwords/mcm/v201809"
xmlns:ns2="https://adwords.google.com/api/adwords/cm/v201809">
<SOAP-ENV:Header>
<ns1:RequestHeader>
<ns2:clientCustomerId>6446210156</ns2:clientCustomerId>
<ns2:developerToken>REDACTED</ns2:developerToken>
<ns2:userAgent>....
</ns2:userAgent>
<ns2:validateOnly>false</ns2:validateOnly>
<ns2:partialFailure>false</ns2:partialFailure>
</ns1:RequestHeader>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:getCustomers/>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<ResponseHeader xmlns:ns2="https://adwords.google.com/api/adwords/cm/v201809"
xmlns="https://adwords.google.com/api/adwords/mcm/v201809">
<ns2:requestId>00058b38333e45ae0a858ccb460cfe2f</ns2:requestId>
<ns2:serviceName>CustomerService</ns2:serviceName>
<ns2:methodName>getCustomers</ns2:methodName>
<ns2:operations>0</ns2:operations>
<ns2:responseTime>124</ns2:responseTime>
</ResponseHeader>
</soap:Header>
<soap:Body>
<getCustomersResponse xmlns="https://adwords.google.com/api/adwords/mcm/v201809"
xmlns:ns2="https://adwords.google.com/api/adwords/cm/v201809">
<rval>
<customerId>6446210156</customerId>
...
</rval>
</getCustomersResponse>
</soap:Body>
</soap:Envelope>

[Google Ads API Forum Advisor Prod]

Hello Konstantin,

I understand the scenario you mentioned. In the AdWords API the OAuth token can be generated by a user who just have access to the client account even if that user is not having access to the manager manager account. In the Google Ads API, since we are mentioning the login-customer-id as manager account the OAuth tokens must be generated by a user having access to the Manager account.

To see if that is the case you are having troubling with, please share the email address of the user using which the OAuth credentials are created? If the user dont have access to the manager account, you have to create OAuth with the user having access to the manager account. 

Regards,
Sai Teja, Google Ads API team

ref:_00D1U1174p._5001UBmwT1:ref

[Konstantin Tarassow]

Hello,

I sent you the email as a private reply.

[Google Ads API Forum Advisor Prod]

Hello Konstantin,

Thanks for sending the email address. The email address. login-customer-id and client-customer-id are good. You will be able to validate your credentials by using the OAuth doctor. The tool will help determine if your OAuth2 credentials are correctly configured and ready to make API calls and guide you through fixing any OAuth2 problems it detects and verify the corrected configuration. Please give this a try and let us know if you have any issues.

Regards,

Sai Teja, Google Ads API Team

ref:_00D1U1174p._5001UBmwT1:ref

[Julián Canada Racinet]

Hey, we are having the exact same issue. Can you help us determine what's going on with our requests?

Regards,

Julián

[Google Ads API Forum Advisor Prod]

Hello Julian,

If you are facing USER_PERMISSION_DENIED error to investigate further, could you please share the login-customer-id, client customer id that you are using in the request and the email address of the user using which the OAuth credentials are created? You could use reply privately to the author option while sharing the information requested.