USER_PERMISSION_DENIED error despite providing correct login customer id
200 views
Skip to first unread message
sealytic...@gmail.com
Jun 23, 2022, 5:33:27 AM6/23/22
to Google Ads API and AdWords API Forum
Hello,
I am making a request with .Net Client to campaign resource. I provided correct customer id and login customer id but api returning this error. User has access to this account.
"Failure": {
"errors": [
{
"errorCode": {
"authorizationError": "USER_PERMISSION_DENIED"
},
"message": "User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid"
}
],
"errors": [
{
"errorCode": {
"authorizationError": "USER_PERMISSION_DENIED"
},
"message": "User doesn't have permission to access customer. Note: If you're accessing a client customer, the manager's customer id must be set in the 'login-customer-id' header. See https://developers.google.com/google-ads/api/docs/concepts/call-structure#cid"
}
],
Google Ads API Forum Advisor
Jun 23, 2022, 8:26:24 AM6/23/22
to sealytic...@gmail.com, adwor...@googlegroups.com
Hi,
Thanks for reaching out to the Google Ads API Forum.
To give you an overview about the issue that you encountered encountered, the "USER_PERMISSION_DENIED" which means a user doesn't have permission to access a customer and you’re accessing a client customer using 'login-customer-id’ in the request.
That being said, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated with the MCC / manager account, you will need to specify the MCC / manager account's ID without hyphens (-) as the value of the login-customer-id field.
If the error still persists, you may provide us with the complete request and response logs, with the request-id along with the email address used to generate the OAuth2 credentials via the Reply privately to author option, so that I can continue to investigate further.
Best regards,
ref:_00D1U1174p._5004Q2bzTE2:ref
Thanks for reaching out to the Google Ads API Forum.
To give you an overview about the issue that you encountered encountered, the "USER_PERMISSION_DENIED" which means a user doesn't have permission to access a customer and you’re accessing a client customer using 'login-customer-id’ in the request.
That being said, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated with the MCC / manager account, you will need to specify the MCC / manager account's ID without hyphens (-) as the value of the login-customer-id field.
If the error still persists, you may provide us with the complete request and response logs, with the request-id along with the email address used to generate the OAuth2 credentials via the Reply privately to author option, so that I can continue to investigate further.
Best regards,
|
||||||
ref:_00D1U1174p._5004Q2bzTE2:ref
sealytic...@gmail.com
Jun 23, 2022, 8:34:56 AM6/23/22
to Google Ads API and AdWords API Forum
Hello again,
I have already checked user and login customer id.
I sent request and response logs in private.
I sent request and response logs in private.
Thanks
sealytic...@gmail.com
Jun 24, 2022, 5:10:17 AM6/24/22
to Google Ads API and AdWords API Forum
Hello,
Could you give any update about this topic?
Thanks
Google Ads API Forum Advisor
Jun 24, 2022, 6:30:34 AM6/24/22
to sealytic...@gmail.com, adwor...@googlegroups.com
Hi,
I am Carmela, also a member of the Google Ads API team. Thank you for your email.
Moving forward, I just want to inform you that my colleague Peter already sent you a response:
"However, upon checking, I could see that the immediate managers of the 3587098959 is not the 6096591137 MCC account. That said, could you confirm if the 3587098959 client account is indeed under the 6096591137 MCC account's hierarchy?
I would recommend that you first determine the hierarchy of your accounts by performing the feature discussed here.
If you will be authenticating as the user / email address associated to a MCC account, you should also ensure as well that the client accounts you will be performing API requests on are under your hierarchy. If the client account is not within your MCC's hierarchy, the user / email address should at least have access to that client account in order for you to use your authentication credentials in your API requests for the said account."
If you're having trouble receiving private replies from us, please check your Spam folder. Additionally, please add the 'Google Ads API Forum Advisor ' on that email to your contact list to ensure we aren't flagged as Spam in future messages. If you don't see a message from us in your Spam folder, please email us directly at [googleadsa...@google.com] referring to your forum case.
Regards,
ref:_00D1U1174p._5004Q2bzTE2:ref
I am Carmela, also a member of the Google Ads API team. Thank you for your email.
Moving forward, I just want to inform you that my colleague Peter already sent you a response:
"However, upon checking, I could see that the immediate managers of the 3587098959 is not the 6096591137 MCC account. That said, could you confirm if the 3587098959 client account is indeed under the 6096591137 MCC account's hierarchy?
I would recommend that you first determine the hierarchy of your accounts by performing the feature discussed here.
If you will be authenticating as the user / email address associated to a MCC account, you should also ensure as well that the client accounts you will be performing API requests on are under your hierarchy. If the client account is not within your MCC's hierarchy, the user / email address should at least have access to that client account in order for you to use your authentication credentials in your API requests for the said account."
If you're having trouble receiving private replies from us, please check your Spam folder. Additionally, please add the 'Google Ads API Forum Advisor ' on that email to your contact list to ensure we aren't flagged as Spam in future messages. If you don't see a message from us in your Spam folder, please email us directly at [googleadsa...@google.com] referring to your forum case.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2bzTE2:ref
sealytic...@gmail.com
Jun 24, 2022, 7:04:10 AM6/24/22
to Google Ads API and AdWords API Forum
Hello Camela,
Yes the 3587098959 client account is indeed under the 6096591137 MCC account's hierarchy because first I am calling list accessible customers endpoint and then I am building hierarchy based on response. At the same time I checked over Ads UI.
Google Ads API Forum Advisor
Jun 24, 2022, 7:17:09 AM6/24/22
to sealytic...@gmail.com, adwor...@googlegroups.com
Hi,
Thanks for confirming. The USER_PERMISSION_DENIED error usually indicates that you are authenticating as a user that does not have access to the account (3587098959) specified in your API request.
Also, since you specified the "login-customer-id": "6096591137", could you confirm if the user / email address you used to generate your OAuth2 credentials indeed has access to the said 6096591137 MCC / manager account?
To avoid the above error, you will need to ensure that the user / email address you used to generate the credentials indeed has access to the account in your request. If the user / email address has access or is associated to the MCC / manager account, you will need to specify the said MCC / manager account's ID as the value of the login-customer-id field.
If the issue persists, could you also share privately which user / email address it was you used when you generated your credentials?
Regards,
|
||||||
ref:_00D1U1174p._5004Q2bzTE2:ref
sealytic...@gmail.com
Jun 24, 2022, 8:00:47 AM6/24/22
to Google Ads API and AdWords API Forum
Hello again,
6096591137 has gotten from listaccessiblecustomers endpoint. So there is no chance for a permission error for given credentials. And
3587098959 has again gotten with previously fetched mcc from api response. So it should not have a credential error. Because they are already fetched with api. But when I used them in campaign resource, I am getting mentioned error. I shared related email address with private message.
Google Ads API Forum Advisor
Jun 24, 2022, 10:15:46 AM6/24/22
to sealytic...@gmail.com, adwor...@googlegroups.com
Hello,
If the account, 3587098959, was returned in your ListAccessibleCustomers request, then you should have access in this account, as only direct access accounts are listed. If 3587098959 was returned, can you please provide us with the complete request and response logs for the ListAccessibleCustomers request?
Thanks,
ref:_00D1U1174p._5004Q2bzTE2:ref
If the account, 3587098959, was returned in your ListAccessibleCustomers request, then you should have access in this account, as only direct access accounts are listed. If 3587098959 was returned, can you please provide us with the complete request and response logs for the ListAccessibleCustomers request?
Thanks,
|
||||||
ref:_00D1U1174p._5004Q2bzTE2:ref
sealytic...@gmail.com
Jun 26, 2022, 3:22:53 AM6/26/22
to Google Ads API and AdWords API Forum
Hello,
No, 6096591137 is gotten from listAccessibleCustomers and then based on this response, hiearachy is built. And
3587098959 is gotten from this hierarchy. I already sent the logs but I am sending it again.
Thanks
Google Ads API Forum Advisor
Jun 27, 2022, 3:33:08 AM6/27/22
to sealytic...@gmail.com, adwor...@googlegroups.com
Hi,
Thank you for the clarification. Upon checking this response, I did not see the send logs as you mentioned. To better check this, could you please provide us the email address that is used in authentication? For security purposes, you can provide it via the Reply privately to author option. If this option is not available, then send it instead on this email address googleadsapi-support@google.com.
Best regards,
ref:_00D1U1174p._5004Q2bzTE2:ref
Thank you for the clarification. Upon checking this response, I did not see the send logs as you mentioned. To better check this, could you please provide us the email address that is used in authentication? For security purposes, you can provide it via the Reply privately to author option. If this option is not available, then send it instead on this email address googleadsapi-support@google.com.
Best regards,
|
||||||
ref:_00D1U1174p._5004Q2bzTE2:ref
Message has been deleted
Message has been deleted
Message has been deleted
Google Ads API Forum Advisor
Jun 28, 2022, 1:31:10 PM6/28/22
to sealytic...@gmail.com, adwor...@googlegroups.com
Greetings!
This was escalated all the way up to me as I often get the more challenging questions that don't seem to have an obvious issue. First, thank you so much for providing such detailed logs and information. I'll cover my observations followed by some next steps.
Observations
I double-checked a few things to make sure that things were working as expected:
When this error does occur, I see ~500 user permission denied error per minute for a sustained period. I also see that when this happened 2 days ago, there was 1 successful request at 7:28, and then it failed for an hour for every request. Then, another successful request at 8:28, and then it failed for 1 hour, and then another successful request at 9:28, and then failed for an hour with the pattern repeating itself. This leads me to believe that there is an access token generated once an hour that works, but the requests that happen afterwards are not using that access token. Since an access token lasts for one hour, I don't believe this is a coincidence that the pattern repeats itself once an hour.
Next Steps
Please check to see if this continues to be an issue as I see that for about 2 days requests look successful. Also, please check your code to see what could be causing the access token to be generated at the same time every hour, but not used. Hopefully, the pattern I've given you will point you in the right direction as to what may be happening there when you look through your code base. Pro tip: Be on the lookout for race conditions (if that applies to your code) as I've seen this pattern before when someone had a race condition in their code when making use of the access token.
Best,
ref:_00D1U1174p._5004Q2bzTE2:ref
This was escalated all the way up to me as I often get the more challenging questions that don't seem to have an obvious issue. First, thank you so much for providing such detailed logs and information. I'll cover my observations followed by some next steps.
Observations
I double-checked a few things to make sure that things were working as expected:
- The account hierarchy has not changed in years, so nothing is shifting in the account hierarchy that could cause this.
- The login customer ID is indeed in the account hierarchy of the client account.
- The email you're using backing your refresh token does indeed have access to the login customer ID, and there have been no recent changes that I've seen.
When this error does occur, I see ~500 user permission denied error per minute for a sustained period. I also see that when this happened 2 days ago, there was 1 successful request at 7:28, and then it failed for an hour for every request. Then, another successful request at 8:28, and then it failed for 1 hour, and then another successful request at 9:28, and then failed for an hour with the pattern repeating itself. This leads me to believe that there is an access token generated once an hour that works, but the requests that happen afterwards are not using that access token. Since an access token lasts for one hour, I don't believe this is a coincidence that the pattern repeats itself once an hour.
Next Steps
Please check to see if this continues to be an issue as I see that for about 2 days requests look successful. Also, please check your code to see what could be causing the access token to be generated at the same time every hour, but not used. Hopefully, the pattern I've given you will point you in the right direction as to what may be happening there when you look through your code base. Pro tip: Be on the lookout for race conditions (if that applies to your code) as I've seen this pattern before when someone had a race condition in their code when making use of the access token.
Best,
|
||||||
ref:_00D1U1174p._5004Q2bzTE2:ref
Reply all
Reply to author
Forward
0 new messages