User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid
496 views
Skip to first unread message
Aman Bansal
Jul 6, 2022, 10:05:53 AM7/6/22
to Google Ads API and AdWords API Forum
When i use python script the api works but rest api does not works it gives error
I am using this api https://developers.google.com/google-ads/api/rest/reference/rest/v11/customers/createCustomerClient
User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid
Google Ads API Forum Advisor
Jul 6, 2022, 10:44:38 AM7/6/22
to khan...@gmail.com, adwor...@googlegroups.com
Hi Aman,
Thank you for raising your concern. Allow me to provide support.
It appears that you are experiencing the USER_PERMISSION_DENIED error. This error occurs when you're not specifying the customer ID of the Google Ads Account, where your login user account / email address (that you've used to generate Oauth2 credential) has direct access, to the login-customer-id. If your login user account / email address has access to the manager account, then its customer id must be set in the login-customer-id header.
If the error persists after trying the provided suggestion, please provide the email address / user account used in the authentication and the complete request and response logs with request ID and request header generated on your end to further investigate.
You can provide it via Reply privately to author option. If this option is not available, then send it instead on this email address googleadsa...@google.com.
Regards,
ref:_00D1U1174p._5004Q2cT9cV:ref
Thank you for raising your concern. Allow me to provide support.
It appears that you are experiencing the USER_PERMISSION_DENIED error. This error occurs when you're not specifying the customer ID of the Google Ads Account, where your login user account / email address (that you've used to generate Oauth2 credential) has direct access, to the login-customer-id. If your login user account / email address has access to the manager account, then its customer id must be set in the login-customer-id header.
If the error persists after trying the provided suggestion, please provide the email address / user account used in the authentication and the complete request and response logs with request ID and request header generated on your end to further investigate.
You can provide it via Reply privately to author option. If this option is not available, then send it instead on this email address googleadsa...@google.com.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2cT9cV:ref
Aman Bansal
Jul 6, 2022, 12:20:21 PM7/6/22
to ads...@forumsupport.google, adwor...@googlegroups.com
Hi,
I found the issue. I was passing correctly the login-customer-id the issue was in the URL
https://googleads.googleapis.com/v11/customers/[CUSTOMER_ID]/customerClientLinks:mutate
Google says [CUSTOMER_ID] should be customer id but it should be equal to login-customer-id == [CUSTOMER_ID]
So when I pass the same ID to both parameters API works.
Google Ads API Forum Advisor
Jul 6, 2022, 12:56:45 PM7/6/22
to khan...@gmail.com, adwor...@googlegroups.com
Hi Aman,
Thank you for reaching out to the Google Ads API support team.
Glad to see that a solution has been found. Please let us know if we can help with anything else.
Thanks,
ref:_00D1U1174p._5004Q2cT9cV:ref
Thank you for reaching out to the Google Ads API support team.
Glad to see that a solution has been found. Please let us know if we can help with anything else.
Thanks,
|
||||||
ref:_00D1U1174p._5004Q2cT9cV:ref
Mike M
Jul 6, 2022, 2:40:53 PM7/6/22
to Google Ads API and AdWords API Forum
Hmmm. As far as I understand it, the Customer ID used in the URL should be the Linked Customer ID. Basically, that's the customer ID where you wish to add, modify, or remove data. And you have to be granted permission by the other Google Adwords account to be able to do that linkage. The Login Customer ID, however, is what I use in the REST header to be the Google Adwords account of the account used for the API calls (ie, my developer account). The only reason I would make them the same ID is when in fact they might be, such as someone using one single Google Adwords account to not only do the API call but to affect the same account where you placed the API call. In my particular case, I'm working with multiple clients, and so I have my Login Customer ID, and then multiple Linked Customer IDs.
So, yes, you are correct if you're likely doing the API call from the same account where you wish to make this change. But for other readers of this post who have multiple clients, I wanted to address this so that they are clear as well. The documentation is not very clear on this.
Google Ads API Forum Advisor
Jul 6, 2022, 4:01:07 PM7/6/22
to volo...@gmail.com, adwor...@googlegroups.com
Hi Mike,
Thank you for chiming in. A linked-customer-id header is only used by third-party app analytics providers when uploading conversions to a linked Google Ads account. The Customer ID used in the URL should be the operating customer. You only need a login customer Id if the Google Account that generated your refresh token can only access the operating customer account via an MCC account that that Google Account is a user on.
A visual way to explain this is to imagine that the same Google account that generated the refresh token was to access an account via the Ads UI. They will see all the the accounts that List Accessible Accounts returns in the top right drop down list when you click the circle representation of the user in the UI. These are accounts the user has direct access to. If an account in that list is an MCC with child accounts attached, then to see the child accounts you would select that MCC in the top right of the UI and then the child accounts are accessible in the top left - middle accounts drop down list box in the UI. These are the same accounts that Get Account Hierarchy shows.
To access accounts that are in the top left - middle accounts drop down list box via the API you would put the selected account in the top right list in the UI as login customer Id, and you would put the selected account in the top left - middle accounts drop down list box as the operating customer.
Any account returned by Get Account Hierarchy when you you don't specify manager ID and login customer ID can be accessed by your refresh token you used to make the API call.
Any account returned by List Accessible Accounts when using a specific refresh token doesn't need the login customer Id.
Another property of those accounts returned by List Accessible Accounts is they are the only accounts that can be a login customer Id for the specific refresh token making the API call.
Feel free to get back to us.
Regards,
ref:_00D1U1174p._5004Q2cT9cV:ref
Thank you for chiming in. A linked-customer-id header is only used by third-party app analytics providers when uploading conversions to a linked Google Ads account. The Customer ID used in the URL should be the operating customer. You only need a login customer Id if the Google Account that generated your refresh token can only access the operating customer account via an MCC account that that Google Account is a user on.
A visual way to explain this is to imagine that the same Google account that generated the refresh token was to access an account via the Ads UI. They will see all the the accounts that List Accessible Accounts returns in the top right drop down list when you click the circle representation of the user in the UI. These are accounts the user has direct access to. If an account in that list is an MCC with child accounts attached, then to see the child accounts you would select that MCC in the top right of the UI and then the child accounts are accessible in the top left - middle accounts drop down list box in the UI. These are the same accounts that Get Account Hierarchy shows.
To access accounts that are in the top left - middle accounts drop down list box via the API you would put the selected account in the top right list in the UI as login customer Id, and you would put the selected account in the top left - middle accounts drop down list box as the operating customer.
Any account returned by Get Account Hierarchy when you you don't specify manager ID and login customer ID can be accessed by your refresh token you used to make the API call.
Any account returned by List Accessible Accounts when using a specific refresh token doesn't need the login customer Id.
Another property of those accounts returned by List Accessible Accounts is they are the only accounts that can be a login customer Id for the specific refresh token making the API call.
Feel free to get back to us.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2cT9cV:ref
Reply all
Reply to author
Forward
0 new messages