How to Set Up a System User on Facebook
A system user lets tools and automations manage your assets via the API without anyone’s personal login. Here’s how to create one and assign its access.
A system user is a non-human member of your Business Portfolio — it represents an app, server, or integration that needs to call Meta’s API. Instead of tying automation to a person’s login (which breaks when they leave or rotate their password), you create a system user, assign it the specific assets it needs, and generate a long-lived token for it. Because that token persists, system users need disciplined offboarding.
If your situation is actually …
- You need to remove a system user later → Offboard a system user the right way →
- You’re auditing for forgotten system users → Find old partners and system users →
Before you start
You have Admin access to a Business Portfolio
System users live inside a Business Portfolio and only a portfolio Admin can create one.
Verify: Meta Business Suite → Settings → System users — if you can add one, you have Admin.
You know which assets and permissions the integration needs
Scope the system user to only the Pages, ad accounts, or datasets the tool genuinely needs — least privilege applies to machines too.
Create and assign a system user
Open System users in Business settings
In Meta Business Suite, go to Settings and open System users.
Where: Meta Business Suite → Settings → System users
Add a system user
Create a new system user, give it a clear, descriptive name (so it’s identifiable in audits), and set its role.
Confirm: The new system user appears in the list.
Assign the specific assets it needs
Assign only the Pages, ad accounts, or datasets the integration requires, with the minimum permission level. Don’t grant blanket access.
Where: Meta Business Suite → Settings → System users → (user) → assign assets
Confirm: The system user lists only the intended assets.
Generate and store the token securely
Generate an access token for the system user, scoped to the permissions the app needs, and store it in a secrets manager — never in plain text or shared chat.
Confirm: The integration authenticates using the token without any personal login.
Common mistakes
Naming system users vaguely
A system user called "test" or "user1" is impossible to audit later. Use names that say what the integration is.
Why it happens: They’re created in a hurry and never revisited.
Already happened: Find old partners and system users
Forgetting that tokens don’t expire on their own
A system user token keeps working long after the person who set it up has left. Offboarding has to include revoking it deliberately.
Why it happens: Long-lived tokens are convenient but easy to forget.
Already happened: Offboard a system user the right way
Over-scoping the assets
Granting a system user access to the whole portfolio when the tool only needs one ad account widens the blast radius if the token leaks.
Frequently asked questions
Delvia
Access issues are easier to prevent when roles, owners, and responsibilities are recorded clearly
Most access problems trace back to the same gap — no clear record of who has access, what role they hold, and what should happen when that changes. Delvia helps you keep that record so problems are visible before they become incidents.