Business Manager Roles & Access in 2026: Safe Permissions Framework

04/13/26
NPPR TEAM Editorial
Updated: April 2026

TL;DR: Most Business Manager account losses aren't caused by Meta policy — they're caused by wrong access decisions: too many admins, freelancers with full control, no backup account. A clean roles framework takes 15 minutes to set up and prevents the majority of preventable asset losses.

| ✅ Good fit if | ❌ Not a fit if |
| --- | --- |
| You work with a team of buyers or employees | You run ads solo with no contractors |
| You manage client ad accounts or pages | You only use your personal profile for ads |
| You add freelancers or agencies to your BM | Everyone in your team already has admin rights |
| You want to recover from a roles misconfiguration | You've never granted BM access to anyone |

Business Manager roles are the permission layer that determines what each person or partner can see, edit, and spend in your BM. Getting these wrong is one of the top 5 reasons media buyers lose their entire Facebook infrastructure in 2026 — not policy violations, not bad creatives, but misconfigured access.

The core rule: access should be the minimum needed to do the job. Not more.

What Changed in 2026

  • Meta updated the System Users feature — system users can now generate tokens with longer TTL (time-to-live), reducing how often API-integrated tools lose access
  • Partner roles now display an expiration warning 14 days before the 90-day shared access period ends — previously this caused silent access drops
  • 2FA enforcement for BM admins became stricter: if the BM owner's profile doesn't have 2FA, Meta blocks some Business Settings features including adding new people
  • Business Suite now shows an Access Health dashboard — a one-page view of all users and their last active date, useful for auditing stale access
  • Accounts used by people with "Full Control" on multiple BMs are being flagged at a higher rate in Q1 2026 — Meta appears to be targeting permission abuse patterns

The Three Layers of BM Access

Business Manager access operates at three distinct levels. Confusing them is where most mistakes happen.

Layer 1: BM-Level People

These are the humans added to your Business Manager. They have one of two roles:

  • Admin — can change all business settings, add/remove people, add/remove assets, view billing
  • Employee — can be assigned to specific assets but cannot change BM settings

Layer 2: Asset-Level Permissions

Within each asset (Page, ad account, Pixel, etc.), you assign specific capabilities:

  • For Pages: Advertise, Moderate, Analyze, Create content, Manage
  • For Ad Accounts: View Performance, Manage Campaigns, Manage Ad Account (billing access)
  • For Pixels: View, Edit, Advertise

Layer 3: Partner Access (Business-to-Business)

This layer applies when you connect another business's BM to your assets: an agency, a vendor, a white-label partner. Partners get access without being added as individuals to your BM.

Who Gets What: Practical Role Map

| Role | Who uses it | BM Level | Asset permissions |
| --- | --- | --- | --- |
| BM Admin | BM owner, 1-2 trusted managers | Admin | All |
| Campaign Manager | Senior buyer | Employee | Ad Account: Manage Campaigns |
| Analyst | Tracker, BI team | Employee | Ad Account: View Performance |
| Content Moderator | SMM, comment manager | Employee | Page: Moderate, Create Content |
| Freelancer/External Buyer | Contract buyer | Employee | Ad Account: Manage Campaigns only |
| Agency Partner | External agency | Partner (BM-to-BM) | Specific ad accounts only |
| System User | API integrations, trackers | System User | Token-based, asset-specific |

The critical constraint: never combine billing access with campaign management for external people. An external buyer who can see your billing details, payment methods, and spending thresholds is a security risk — whether intentional or not.

For the full asset-linking setup, see Attach a Page and Ad Account to Business Manager: roles, domains, pixel setup.

How to Add a Person to Business Manager

Step 1: Navigate to People

Business Settings → People → Add

Enter the person's email address (must be their Facebook account email, not just any email).

Step 2: Choose BM Role

Select Admin or Employee. Default to Employee — you can always upgrade later.

Step 3: Assign Assets

Immediately after selecting the role, BM prompts you to assign assets. This is where you specify which ad accounts, Pages, or Pixels the person can access and what they can do with each.

If you skip asset assignment at this step, the person is added to BM but has no access to anything — they appear as an inactive Employee.

Step 4: Confirm via Email

The invited person receives an email invitation. They must accept it while logged into the correct Facebook profile. If they're logged into a different profile, the invitation won't connect properly.

⚠️ Important: Before adding anyone to your BM, verify their Facebook profile is real and active. Fake or compromised profiles granted BM access become a direct attack vector on your assets. This applies to freelancers from job boards especially — confirm identity before granting access.

How to Add a Partner Business (Agency or Vendor)

Business Settings → Partners → Add

Enter the partner's BM ID (they share this with you — it's visible in their Business Settings under Business Info). Choose what you're sharing with them:

  • Share your assets with them (they work in your BM infrastructure)
  • Request access to their assets (you need something they own)

After connecting, go to each asset you want to share and assign it to the partner business explicitly. Connecting two BMs doesn't automatically share anything — each asset assignment is manual.

⚠️ Important: Partner access expires every 90 days starting Q4 2024. Meta sends a warning 14 days before expiration. If you miss it, the partner silently loses access mid-campaign. Add a calendar reminder 10 days after each new partner connection to check the expiration date.

System Users: API Access Without Personal Profiles

System Users are non-human accounts inside BM designed for API integrations — trackers, automation tools, custom dashboards.

Business Settings → System Users → Add

Create a system user (give it a descriptive name like tracker-integration-voluum), assign it Admin or Employee type, then generate an access token. The token grants the system user access to specific assets you assign.

Why this matters: if you connect a third-party tracker using your personal Facebook login instead of a system user, your tracker's API calls are tied to your profile. If your profile gets restricted, the integration breaks. System users are independent.

Token lifetime: standard tokens expire; admin-level tokens can be set to never expire (use carefully, and rotate them when staff changes).

Practical Case: Buyer Drains Budget Due to Wrong Permission Level

Problem: A media buyer was added to a BM with "Manage Ad Account" permission — which includes the ability to modify payment methods. He updated the billing to test a new card, which triggered a billing verification review. The ad account was paused for 48 hours during a peak campaign period.

Action: The team reviewed all buyer permissions and restricted external buyers to "Manage Campaigns" only — no billing access. Payment method changes became an admin-only operation.

Result: Zero billing disruptions in the following 90 days. The campaign budget utilization improved because pauses caused by billing reviews dropped to zero.

What Happens When You Remove Someone's Access

Removing a person from a BM asset removes their ability to see or modify that asset immediately. Removing them from the BM entirely removes all asset access simultaneously.

Key nuance: removing someone from BM does not remove them from the Facebook Page if they were separately added as a Page admin through the Page's own settings (outside BM). Always check both BM access and direct Page admin roles when offboarding.

Use the Access Health dashboard (Business Settings → People → Access Health) to audit who has access to what before offboarding anyone.

For the complete setup context, see Meta Business Manager setup from scratch (2026): domain, Pixel, CAPI, roles.

The Backup Admin Rule

Every BM should have at least two Admin-level personal profiles — the owner and one trusted backup. If the primary Admin's personal profile gets restricted, the backup admin can still manage the BM and attempt recovery.

Rules for the backup admin:

  • Must be a real, active Facebook profile (not a farm account)
  • Must have 2FA enabled on their profile
  • Must not share a device, IP, or browser session with the primary admin (this reduces cross-contamination risk)
  • Should be added with a different card/payment method if they ever need to manage billing

FAQ: Business Manager Roles and Access in 2026

Permission management in BM is one of the highest-risk operational areas — the wrong role assignment can expose billing data, allow accidental campaign changes, or lock you out of your own assets. Here are the questions that come up most often.

What's the difference between Employee and Admin at the BM level?

A BM Admin can add or remove people, create and delete assets (ad accounts, pixels, pages), and change other people's roles — including removing other admins. An Employee can only access assets they've been explicitly assigned to, with the permissions set on that specific asset. The key risk: giving someone Admin at BM level instead of asset-level access hands them full control over everything, including the ability to lock you out. Rule: only 2 people in any BM should hold Admin — the account owner and one backup.

What happens to campaigns if I remove a team member?

Removing a person from BM does not delete or pause their campaigns. Campaigns continue running under the ad account, not under the individual. What does break: custom reports, saved audiences created by that person, and any automated rules set up under their user ID. Before removing anyone, export their saved audiences and automated rules, or reassign ownership of those assets to another team member first.

Can a System User replace a personal profile for all operations?

For API-driven operations — yes. System Users can manage campaigns, read reporting, and handle pixel events without requiring a human profile. However, System Users cannot perform actions that require human identity verification: adding a new credit card, submitting an appeal for a banned account, or accessing Live Chat support. Keep at least one verified human Admin for these scenarios.

How do I give a freelancer access to one campaign without exposing everything else?

At the ad account level, assign them "Advertiser" role — this allows creating and editing campaigns but not viewing billing. Do not grant BM-level Employee access if you only want them to work on one account. In Ads Manager, you can further restrict by creating a shared custom report view so they only see the campaigns relevant to their work. Never give freelancers Analyst or Advertiser access at BM level — that exposes all accounts in the BM.

Why does a partner BM have different permissions than my employees?

Partner access is managed separately from People access. A partner BM is an external business entity that gets access to specific assets (ad accounts, pages) you share with them. They manage those assets under their own BM's team structure — you don't see who on their team does what. Employee access is individual and trackable. For agencies managing client accounts, this distinction matters for accountability: partner access lets the agency use their own team without the client needing to manage individual seat assignments. See also: media buying workflow, SOPs and team structure.

Quick Start Checklist: BM Roles & Access

  • [ ] BM owner has 2FA enabled on personal profile
  • [ ] At least one backup Admin added (different device/IP)
  • [ ] All team members added as Employee (not Admin unless needed)
  • [ ] Each person assigned only the assets they need
  • [ ] No external person has Manage Ad Account (billing) permission
  • [ ] Freelancers assigned: Manage Campaigns only
  • [ ] Partner BM connections created for agencies (BM-to-BM)
  • [ ] System Users created for API integrations (trackers, tools)
  • [ ] Access Health dashboard reviewed monthly
  • [ ] Calendar reminder set for partner access renewal (90 days)
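
The checklist above expressed as an automated check, as an added example that is not part of the original article. The inventory format, the names in it and the rule identifiers are assumptions made for illustration, and the data is constructed by hand rather than pulled from Meta.

```python
from datetime import date, timedelta

# Constructed inventory: a hand-written export of BM access, not a Meta API response.
PEOPLE = [
    {"name": "owner", "bm_role": "Admin", "external": False, "two_fa": True,
     "assets": {"act_main": "Manage Ad Account"}},
    {"name": "backup", "bm_role": "Admin", "external": False, "two_fa": False,
     "assets": {}},
    {"name": "senior-buyer", "bm_role": "Employee", "external": False, "two_fa": True,
     "assets": {"act_main": "Manage Campaigns"}},
    {"name": "freelancer", "bm_role": "Employee", "external": True, "two_fa": True,
     "assets": {"act_main": "Manage Ad Account"}},
    {"name": "new-hire", "bm_role": "Employee", "external": False, "two_fa": True,
     "assets": {}},
]
PARTNERS = [{"name": "agency-bm", "connected": date(2026, 1, 20)}]

PARTNER_TTL_DAYS = 90   # shared access period stated in the article
WARN_DAYS = 14          # warning window stated in the article


def audit(people, partners, today):
    """Return a list of (rule, subject) findings for the checklist rules."""
    findings = []
    admins = [p for p in people if p["bm_role"] == "Admin"]
    if len(admins) < 2:
        findings.append(("no-backup-admin", "BM"))
    if len(admins) > 3:  # the article's FAQ caps admins at two or three
        findings.append(("too-many-admins", "BM"))
    for p in people:
        perms = set(p["assets"].values())
        if p["bm_role"] == "Admin" and not p["two_fa"]:
            findings.append(("admin-without-2fa", p["name"]))
        if p["external"] and (p["bm_role"] == "Admin" or "Manage Ad Account" in perms):
            findings.append(("external-with-billing-or-admin", p["name"]))
        if p["bm_role"] == "Employee" and not perms:
            findings.append(("employee-without-assets", p["name"]))
    for partner in partners:
        expires = partner["connected"] + timedelta(days=PARTNER_TTL_DAYS)
        if (expires - today).days <= WARN_DAYS:  # also true once already expired
            findings.append(("partner-access-expiring", partner["name"]))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(PEOPLE, PARTNERS, date(2026, 4, 13)):
        print(f"{rule}: {subject}")
```

Fill the inventory from the Access Health dashboard during the monthly review and treat any finding as a task to close before the next one.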

FAQ

What's the difference between BM Admin and Full Control on an asset?

BM Admin controls the Business Manager itself — adding people, changing settings, viewing billing. "Full Control" on a specific asset (like a Page) means full permissions on that asset only. You can be an Employee at BM level but have Full Control on a specific Page. These are independent permission layers.

Can a freelancer see my billing information if they're added as Employee?

No — if you assign them only campaign-management permissions on the ad account, they cannot see billing. Billing visibility requires "Manage Ad Account" permission, which includes financial settings. Assign "Manage Campaigns" only to external buyers.

How many admins should a BM have?

Two or three maximum. One primary owner and one or two trusted backups. More admins = more attack surface. Every admin-level profile is a point of failure — if any of them gets compromised, your entire BM is at risk.

What happens to my campaigns if a buyer I remove was running active ads?

Active campaigns continue running after you remove the buyer — campaigns are owned by the ad account, not the person. The ads won't stop. You should pause or review them manually if you're ending the relationship unexpectedly.

Can I grant a partner access to only one ad account, not all of them?

Yes. Connecting two BMs creates a relationship but doesn't share any assets automatically. You assign each asset individually after the connection. An agency can have access to three of your five ad accounts and nothing else.

What is a System User and when should I use one?

A System User is a non-human BM account for API integrations — trackers like Voluum or Binom, automation tools, custom dashboards. It gets an access token instead of a login. Use System Users whenever a third-party tool needs API access to your BM assets — don't use your personal login for this.

My partner's access expired mid-campaign. How do I restore it fast?

Go to Business Settings → Partners → find the partner → extend or re-authorize. The partner needs to accept from their side too. Budget for a 15–30 minute window to restore it. Meta sends warnings 14 days before expiration since Q4 2024 — act on those warnings immediately.

Can I see what actions an employee took in my BM?

Limited audit logging is available. Business Settings → Business Info → Activity Log shows major actions (adding people, changing roles, adding assets). Individual campaign edits are logged in Ads Manager's Edit History, accessible per-campaign.

Meet the Author

NPPR TEAM Editorial

Content prepared by the NPPR TEAM media buying team — 15+ specialists with over 7 years of combined experience in paid traffic acquisition. The team works daily with TikTok Ads, Facebook Ads, Google Ads, teaser networks, and SEO across Europe, the US, Asia, and the Middle East. Since 2019, over 30,000 orders fulfilled on NPPRTEAM.SHOP.