
Business Manager Access: Who Needs Permissions and How to Keep Assets Safe in 2026

03/27/26

TL;DR: Adding the wrong person at the wrong permission level to your Business Manager is the fastest way to lose ad accounts, Pixels, and campaign data to an ex-employee or compromised freelancer. This guide maps every role level, what each can destroy, and how to give access without handing over the keys to everything. Need a fresh Business Manager with clean access history to start right — we have them in stock.

✅ Right fit if | ❌ Wrong fit if
You work with agencies, freelancers, or a team | You run ads alone from a personal account
You want to give access without losing asset control | You are adding a trusted co-founder with full access
You've had an ex-employee retain access after leaving | You want to learn how to create a BM from scratch
You manage multiple clients' assets in one BM | Your BM has only one ad account and one user

Sharing access to your Meta Business Manager is a security decision, not just an operational one. Every person added to your BM is a potential entry point for account compromise, accidental data deletion, or intentional asset theft. The good news: Meta's permission system is granular enough to give people exactly what they need — and nothing more.

What Changed in 2026

  • Meta rolled out mandatory 2FA enforcement for all BM users in accounts with $10K+ monthly spend — this now applies at the account level, not just the user level
  • The Partners section was redesigned — it now shows active asset shares, expiry dates, and permission scopes on a single screen
  • System Users can now be assigned time-limited access tokens (expiry: 1, 7, 30, 90 days) — ending the practice of permanent API tokens for contractors
  • Meta added access audit logs showing the last 90 days of permission changes — visible in Security Center → Access Log
  • Agency accounts now show as a separate partner type with its own permission scope, separate from individual user partnerships
  • Removing an Admin now requires confirmation from a second Admin — preventing single-point-of-failure account takeovers

The Two Core Role Levels

Meta Business Manager has two fundamental role levels for human users:

Admin:

  • Can add and remove people (including other Admins)
  • Can create, modify, and delete any asset (ad accounts, Pages, Pixels, datasets)
  • Can modify payment methods
  • Can verify the business
  • Can close the Business Manager entirely
  • Can see all assets in the BM

Employee:

  • Cannot add or remove people
  • Cannot create or delete BM-level assets
  • Can only access assets they are explicitly assigned to
  • Cannot see assets they haven't been given access to
  • Cannot modify payment methods or business settings

⚠️ Risk: Giving Admin access to a freelancer or short-term contractor is one of the most dangerous things you can do in Facebook ads. A disgruntled ex-contractor with Admin access can remove all other Admins, delete ad accounts, and block your own access. You will need to contact Meta support — a process that takes 3-10 business days with no guarantee of recovery.

The rule is simple: keep Admins to a maximum of 2 people you completely trust. Everyone else should be an Employee with asset-level permissions.

Asset-Level Permissions: The Real Control Layer

Within the Employee role, each asset has its own permission levels. This is where granular control happens.

Ad Account Permissions

Permission | What it allows
View performance | See campaign data, reports, spend
Create ads | Build new campaigns, ad sets, ads
Manage campaigns | Edit, pause, resume existing campaigns
Manage ad account | Change account settings, spending limits, payment method

For a media buyer running your campaigns: give View performance + Create ads + Manage campaigns. Do NOT give Manage ad account — that includes changing payment methods.

Page Permissions

Permission | What it allows
View Page | See Page content and insights
Create content | Post, schedule, reply to comments
Manage content | Edit or delete any Page content
Manage ads | Run ads connected to this Page
Manage Page | Full Page admin access

For a social media manager: Create content + Manage content. For a media buyer: Manage ads only.

Pixel Permissions

Permission | What it allows
View | See Pixel data and event reports
Edit | Modify Pixel settings and event configurations

For a developer integrating your tracking: Edit. For an analyst: View only.


How to Add an Employee or Freelancer: Step by Step

  1. Go to Business Settings (gear icon, bottom-left)
  2. Click People → Invite People
  3. Enter the person's business email address (the one they use for their Facebook profile — it must match)
  4. Set their role: Employee (not Admin) for almost all cases
  5. Click Next → assign specific assets:
       • Ad Accounts: select which accounts and which permission level
       • Pages: select which Pages and which permission level
       • Catalogs, Pixels, etc.: add only what is needed for their work
  6. Click Invite — they receive an email and must accept

Acceptance requirement: The invitee must have a Facebook personal profile. They accept the invitation via the email link or via their own Business Manager. If they don't have a Facebook profile, they cannot be added as a user.

Contractor who doesn't want to use their personal Facebook: This is a common issue. The solution is a System User (see below) for API-level access, or a dedicated "work" Facebook profile created specifically for professional use.

System Users: API Access for Tools and Automations

If you use third-party tools (Zapier, Make, custom API integrations, external dashboards), they need API access — not human user access. System Users are the correct approach.

Create a System User:

  1. Business Settings → System Users → Add
  2. Give it a descriptive name (e.g., "Zapier_LeadsExport" or "Tracker_ReadOnly")
  3. Assign role: Admin System User (can create tokens) or Employee System User (limited)
  4. Generate an Access Token → select permissions (ads_read, leads_retrieval, etc.)
  5. Set token expiry: 1, 7, 30, or 90 days (new in 2026 — use 30 days for contractors)

Why System Users are safer than sharing passwords:

  • Tokens can be revoked instantly without changing passwords or removing profiles
  • Token permissions are scoped precisely — a leads-read token cannot modify campaigns
  • Time-limited tokens expire automatically — no forgotten contractor access
  • API calls are logged with the System User's ID — full audit trail

⚠️ Risk: Never share your personal BM access token or create a token with full ads_management scope for a contractor. A compromised token with full scope can read all your ad data, create campaigns, and drain budget. Use minimum necessary permissions on every System User token.

Partner BMs: Agency and Vendor Access

If an agency or vendor runs ads for you, they should access your BM as a Partner — not as individual users. This preserves the separation between your assets and theirs.

Add a Partner BM:

  1. Business Settings → Partners → Add → Give access to your business
  2. The partner enters your BM ID (found in BM URL or Business Settings header)
  3. You approve the request and assign specific assets with defined permission levels
  4. The agency's team accesses your assets through their own BM — you never share passwords

Benefits of Partner access vs. individual users:

  • One access control point for the entire agency — remove the Partner to cut all agency access at once
  • Agency employees rotate without you touching permissions
  • Audit trails show which agency BM made changes, not individual people

For context on how domains and Pixels are shared across partner BMs, see Meta Business Manager Domain Verification in 2026.


The Offboarding Protocol: Removing Access Safely

This is the most overlooked part of access management. When someone leaves — employee, freelancer, or agency — the access removal process must be immediate and complete.

Offboarding checklist:

  1. Business Settings → People → find the person → Remove from Business
  2. Business Settings → Partners → check if they had Partner-level access → remove
  3. Business Settings → System Users → revoke any tokens created for or by them
  4. Business Settings → Accounts → Ad Accounts → review payment methods (check if they added a card)
  5. Business Settings → Security Center → review Access Log for recent changes made by this person
  6. Change the ad account payment method if they had access to billing
  7. Review active campaigns for any unauthorized changes (new ad sets, modified budgets)

How long does removal take to apply? Immediately upon removal, the person loses access to all BM assets. Existing active campaigns they manage continue running — you keep control.

⚠️ Risk: The biggest offboarding mistake is removing someone from the BM but leaving them as Admin on the Facebook Page directly (separate from BM access). Page admin access is independent of BM access. Check Page Settings → Page Roles for every Page connected to your BM when offboarding anyone.

Case: Freelancer Access Gone Wrong

Situation: A media buyer hired a freelancer to manage one ad account for 3 months. At the end of the contract, the freelancer was removed from the People section of BM. Two weeks later, the ad account was disabled and campaigns were paused — the account showed "Ad Account Disabled" with no clear reason.

Action: Reviewed the Access Log in Security Center. Found that the freelancer had been given Admin role (not Employee) and had added a new System User with full token permissions before being removed. The System User was still active and making API calls that triggered Meta's fraud detection.

Result: Revoked the System User token. Submitted an account review. Account restored in 4 days. New rule: all contractors get Employee role with asset-level permissions only. System Users get time-limited tokens.
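The offboarding checklist and the case above both come down to finding what a departed person left behind. The following is an added example, not part of the original article: it checks a constructed snapshot of a BM for residual access. The snapshot layout and every field name in it are hypothetical, not a Meta export format.

```python
# Constructed snapshot of a Business Manager; field names are hypothetical,
# not a Meta export format.
SNAPSHOT = {
    "people": [
        {"email": "owner@example.com", "role": "Admin"},
        {"email": "buyer@example.com", "role": "Employee"},
    ],
    "system_users": [
        {"name": "Tracker_ReadOnly", "created_by": "owner@example.com",
         "tokens": [{"scopes": ["ads_read"], "revoked": False}]},
        {"name": "sync_tool", "created_by": "freelancer@example.com",
         "tokens": [{"scopes": ["ads_management"], "revoked": False}]},
    ],
    "page_roles": [  # roles set directly on the Page, outside the BM
        {"page": "Brand Page", "email": "freelancer@example.com", "role": "Admin"},
    ],
    "payment_methods": [
        {"ad_account": "act_CONSTRUCTED_1", "added_by": "owner@example.com"},
    ],
}


def residual_access(departed, snap):
    """Return (checklist_area, detail) findings left behind by `departed`."""
    who = departed.lower()
    findings = []
    for p in snap["people"]:
        if p["email"].lower() == who:
            findings.append(("People", f"still listed as {p['role']}"))
    for su in snap["system_users"]:
        if su["created_by"].lower() != who:
            continue
        # A System User outlives the person who created it until revoked.
        for t in su["tokens"]:
            if not t["revoked"]:
                scopes = ",".join(t["scopes"])
                findings.append(("System Users", f"{su['name']}: active token {scopes}"))
    for r in snap["page_roles"]:
        if r["email"].lower() == who:
            findings.append(("Page Roles", f"{r['page']}: {r['role']}"))
    for pm in snap["payment_methods"]:
        if pm["added_by"].lower() == who:
            findings.append(("Payment", f"{pm['ad_account']}: card added by user"))
    return findings


if __name__ == "__main__":
    for area, detail in residual_access("freelancer@example.com", SNAPSHOT):
        print(f"[{area}] {detail}")
```

The freelancer in the sample is already gone from People, yet the check still reports the System User token and the direct Page role, which are the two gaps the case and the Page-role warning describe.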

Access Structure Template

Use this structure for a typical media buying team:

Role | BM Role | Ad Account | Page | Pixel
Account owner | Admin | Manage ad account | Manage Page | Edit
Senior media buyer | Employee | Create ads + Manage campaigns | Manage ads | View
Junior media buyer | Employee | Create ads only | View Page | View
Creative/SMM | Employee | None | Create content + Manage content | None
External agency | Partner BM | Create ads + Manage campaigns | Manage ads | View
Tracking tool | System User | | | Edit (API)


Quick Start Checklist

  • [ ] Audit current People list: Business Settings → People → identify anyone who shouldn't have Admin
  • [ ] Downgrade unnecessary Admins to Employee role
  • [ ] Enable 2FA enforcement: Security Center → require 2FA for all users
  • [ ] For new hires: send invite as Employee, assign only assets they need
  • [ ] For agencies: set up Partner BM access, not individual user accounts
  • [ ] For tools/automations: create System Users with time-limited tokens (30 days max for contractors)
  • [ ] Create offboarding checklist and enforce it immediately when anyone leaves
  • [ ] Check Page admin access separately from BM access for all Pages
  • [ ] Review Access Log in Security Center quarterly
  • [ ] Keep maximum 2 Admins per BM — both must be fully trusted
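The rules in this checklist can be checked mechanically whenever the roster changes. The following is an added example, not part of the original article: it audits a constructed roster and token list against the limits this guide states (2 Admins, Employee role for externals, no billing permission for externals, Partner BM for agencies, 30-day contractor tokens, 90-day tool tokens). The record layout and the `kind` and `owner_kind` labels are hypothetical.

```python
MAX_ADMINS = 2
TOKEN_MAX_DAYS = {"contractor": 30, "tool": 90}  # limits stated in this guide

# Constructed roster and token list; the record layout is hypothetical.
ROSTER = [
    {"name": "owner", "kind": "staff", "bm_role": "Admin",
     "ad_account": ["Manage ad account"]},
    {"name": "cofounder", "kind": "staff", "bm_role": "Admin", "ad_account": []},
    {"name": "freelance_buyer", "kind": "contractor", "bm_role": "Admin",
     "ad_account": ["Create ads", "Manage campaigns", "Manage ad account"]},
    {"name": "agency_jane", "kind": "agency", "bm_role": "Employee",
     "ad_account": ["Create ads"]},
]
TOKENS = [
    {"system_user": "Tracker_ReadOnly", "owner_kind": "tool",
     "scopes": ["ads_read"], "expiry_days": 90},
    {"system_user": "Zapier_LeadsExport", "owner_kind": "contractor",
     "scopes": ["leads_retrieval", "ads_management"], "expiry_days": None},
]


def audit(roster, tokens):
    """Return a list of policy violations, in roster order then token order."""
    issues = []
    admins = [u["name"] for u in roster if u["bm_role"] == "Admin"]
    if len(admins) > MAX_ADMINS:
        issues.append(f"too many Admins ({len(admins)} > {MAX_ADMINS}): {', '.join(admins)}")
    for u in roster:
        external = u["kind"] in ("contractor", "agency")
        if external and u["bm_role"] == "Admin":
            issues.append(f"{u['name']}: external user holds Admin role")
        if external and "Manage ad account" in u["ad_account"]:
            issues.append(f"{u['name']}: Manage ad account exposes billing")
        if u["kind"] == "agency":
            issues.append(f"{u['name']}: agency staff added as individual user, use a Partner BM")
    for t in tokens:
        limit = TOKEN_MAX_DAYS[t["owner_kind"]]
        if t["expiry_days"] is None:
            issues.append(f"{t['system_user']}: token never expires")
        elif t["expiry_days"] > limit:
            issues.append(f"{t['system_user']}: expiry {t['expiry_days']}d exceeds {limit}d")
        if t["owner_kind"] == "contractor" and "ads_management" in t["scopes"]:
            issues.append(f"{t['system_user']}: full ads_management scope on contractor token")
    return issues


if __name__ == "__main__":
    print("\n".join(audit(ROSTER, TOKENS)))
```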

What to read next:

  • BM setup → Meta Business Manager setup from scratch (2026)
  • Settings map → Meta Business Manager Settings 2026: Where Everything Lives
  • Domain → Meta Business Manager Domain Verification in 2026
  • Objective → Facebook Ads Objective in 2026: Traffic vs Leads vs Messages


Meet the Author

NPPR TEAM

Media buying team operating since 2019, specializing in promoting a variety of offers across international markets such as Europe, the US, Asia, and the Middle East. They actively work with multiple traffic sources, including Facebook, Google, native ads, and SEO. The team also creates and provides free tools for affiliates, such as white-page generators, quiz builders, and content spinners. NPPR TEAM shares their knowledge through case studies and interviews, offering insights into their strategies and successes in affiliate marketing.

FAQ

What is the difference between Admin and Employee in Business Manager?

Admin can add/remove people, create/delete assets, change payment methods, and close the BM. Employee can only access assets they are explicitly assigned to and cannot change BM-level settings. Always make contractors and freelancers Employees, not Admins.

How do I add someone to Business Manager without giving them full access?

Business Settings → People → Invite People → set role as Employee → then assign specific assets (ad accounts, Pages, Pixels) with precise permission levels. They will only see and work on what you explicitly grant.

Can a freelancer see my payment method or billing information?

Only if you give them "Manage ad account" permission on the ad account, which includes billing. Give media buyers "Create ads + Manage campaigns" instead — this prevents any billing access.

What happens when I remove someone from Business Manager?

They immediately lose access to all BM assets. Their email is removed from the People list. Active campaigns they managed continue running normally. System Users they created (if they were Admin) remain active until manually revoked — always check and revoke.

What are System Users and when should I use them?

System Users are API-level access accounts for tools and automations — not for people. Use them for third-party integrations (trackers, CRMs, Zapier). Generate time-limited access tokens (30 days for contractors, 90 days for stable tools) and revoke when the relationship ends.

How do I give an agency access to my Business Manager?

Business Settings → Partners → Add → share your BM ID with the agency. They send an access request. You approve and assign specific assets with defined permissions. This keeps agency access under one Partner entry — remove the Partner to cut all agency access at once.

Can someone steal my ad account if they have Employee access?

With Employee access, they cannot delete or transfer ad accounts — that requires Admin. However, they can create unauthorized campaigns, drain budget through ad spend, or make policy-violating ads that get the account banned. Always audit active campaigns when someone leaves.

How do I recover a Business Manager that was taken over by a rogue Admin?

Contact Meta Business Support immediately. Provide business verification documents. Recovery takes 3-10 business days and is not guaranteed if the rogue Admin has changed email addresses and phone numbers. Prevention — keeping Admins to 2 fully trusted people with 2FA enabled — is the only reliable protection.
