Facebook user accounts only have a single personal ad account. If you need additional ad accounts you should use Business Manager. Facebook no longer creates gray-accounts for anyone needing new, additional ad accounts.
To set up a Business Manager you need a Facebook page that represents your business.
business_management permission permissions from any clients to manage their ad accounts and pages. When you set up a Business Manager, you should claim your app or add your app to your Business Manager account using the App Advanced Settings panel.
Facebook requires two-factor authentication using the field
BUSINESS_ID/two_factor_type on the business object to verify people from that business who want to access the API.
You may need to for agencies or direct brand clients. If they authorize your app, you can take actions on their behalf, including reports and stats pulls. If you need long term access, without cleints logging into your app, you should ask them to grant your Business Manager the roles you need. You can then assign that role to your own system users. Typically you need the
Advertiser roles from clients.
Enter the Ad Account IDs to promote your app. This grant users access to those Ad Accounts using Business Manager and other Facebook tools.
Yes. The Business should grant these people access to those ad accounts.
You can also grant permissions to another business with business-to-business permissions. Once a business has permissions to the ad accounts, their admin can then give permission to it's employees up to the permission level granted.
You cannot relay permissions given to your Business to another Business.
No. Even though the admin system user can create ad accounts it won't automatically have access to any ad account in the business. Business admins or Admin system users have to assign roles for users or system users with Facebook tools or APIs.
User represents real people taking an action, while a system user represents a machine taking action. Software action should be done through a system user.
You should use business to business permissions which are long-term or use long-live user tokens. Business permissions has the ability for one business to give another business permissions to manage their business and the assets owned by that business.
Business permissions are documented here.
Long-lived user tokens are documented here.
A system user is a machine or software taking programmatic action on behalf a business. You cannot use it Facebook, and it is associated with your Business Manager for greater security.
An admin system user has access to everything in the business and there is only one admin system user per business. System users can have access restrictions set by the admin system user.
When you manage actual permissions for the business itself you should use the admin system user. For example use this when you grant a new employee permissions to appropriate assets. For all other actions such as creating ads for a specific ad account, you should use system user. System users have a higher level of security because, if compromised, they can only access what they are assigned.
Access tokens are by user account, therefore any ad account they have general or admin access to will allow you to create campaigns, ads, and so on. This is regardless of whether the account is direct or agency.
Rate limits for System Users are grouped by ad account and not by user.
You use a user token whenever an individual person is taking an action, and the system user token for machine initiated actions.
You can logically group ad accounts per system user based on your client or your read/write model. If you have many ad accounts, loading all of them in the UI may be slow.
You should create one system user for each set of 'access types' you need. And you should use the admin system user to maintain the right roles programmatically. You can be more certain that if a regular system user token is compromised, it has limited scope and cannot compromise more permissions. You should carefully safeguard your admin system user.
You can ask for access from a someone as a business owner or as an agency for the business. This enables you to target ads at people who like a third-party's page. You should use
AGENCY only when you need access to another business's Page, and don't technically or legally own it.
For agency and Facebook Marketing Partners, you should get the client to authorize your business by using an agency request. You can ask for any roles for the page. If you're advertising, you should get the "ADVERTISER" and "INSIGHTS_ANALYST" roles. If you need to publish to the page beyond unpublished page posts, you should request additional roles. In your Business Manager you should assign each user only one role that is appropriate with their responsibilities.