Security¶
Progrid Google Ads Integration uses a three-tier security model based on standard Progrid groups. Access ranges from read-only visibility for salespeople to full configuration control for system administrators.
User groups¶
Salesperson¶
The Salesperson group (sales_team.group_sale_salesman) provides read-only access to
conversion data and reports. This is the base access level for anyone who needs to see how their
leads are being tracked in Google Ads.
Permissions:
Model |
Create |
Read |
Update |
Delete |
|---|---|---|---|---|
Conversion Queue ( |
No |
Yes |
No |
No |
Campaign Reports ( |
No |
Yes |
No |
No |
Ad Group Reports ( |
No |
Yes |
No |
No |
Keyword Reports ( |
No |
Yes |
No |
No |
Audience Lists ( |
No |
Yes |
No |
No |
Lead Form Imports ( |
No |
Yes |
No |
No |
Sales Manager¶
The Sales Manager group (sales_team.group_sale_manager) extends salesperson access with
full CRUD permissions on operational models. Managers can configure CRM stage sync, manage audience
lists, acknowledge health alerts, and create value rules.
Permissions:
Model |
Create |
Read |
Update |
Delete |
|---|---|---|---|---|
Conversion Queue ( |
Yes |
Yes |
Yes |
Yes |
Health Alerts ( |
Yes |
Yes |
Yes |
Yes |
Audience Lists ( |
Yes |
Yes |
Yes |
Yes |
Audience Members ( |
Yes |
Yes |
Yes |
Yes |
Value Rules ( |
Yes |
Yes |
Yes |
Yes |
Campaign Reports ( |
Yes |
Yes |
Yes |
Yes |
Ad Group Reports ( |
Yes |
Yes |
Yes |
Yes |
Keyword Reports ( |
Yes |
Yes |
Yes |
Yes |
Lead Form Imports ( |
Yes |
Yes |
Yes |
Yes |
Import Segments Wizard |
Yes |
Yes |
Yes |
Yes |
System Administrator¶
The System Administrator group (base.group_system) is the only group with access to the
Google Ads configuration record, which contains OAuth2 credentials and API settings.
Additional permissions:
Model |
Create |
Read |
Update |
Delete |
|---|---|---|---|---|
Configuration ( |
Yes |
Yes |
Yes |
Yes |
Important
API credentials (developer token, client ID, client secret, refresh token) are only visible to system administrators. Other users cannot see or modify these values.
Record rules¶
Conversion queue company isolation¶
Conversion queue entries are filtered by company ownership. Users can only see queue entries for
leads belonging to their current company. The rule uses the domain
[('lead_id.company_id', 'in', company_ids)] to enforce multi-company isolation.
Health alert visibility¶
Health alerts are visible to all managers regardless of company. Since alerts relate to the shared Google Ads account configuration, they are not company-filtered.
Assigning groups¶
To assign Google Ads access to a user:
Navigate to .
Select the user to configure.
Scroll to the Sales section.
Set the Sales field to User (read-only) or Manager (full access).
Click Save.
Note
The Google Ads module does not define its own security groups. It relies on the standard Sales Team groups (Salesperson and Sales Manager) and the System Administrator group for configuration access.
GDPR consent management¶
The module includes consent tracking fields on every conversion queue entry to comply with GDPR requirements. Two consent signals are sent with each conversion:
Ad User Data consent – Whether the user consented to their data being used for ads
Ad Personalization consent – Whether the user consented to personalized advertising
Default consent values are set in under the Settings tab. These defaults apply to all new conversions unless overridden.
Warning
For audience list uploads (Customer Match), Google requires ad_personalization consent to be
set to granted. Uploads with denied or unspecified consent may be rejected by the
Google Ads API.