How to Give Metricfixer Safe Tracking and Analytics Access

Use this guide when Metricfixer needs access to analytics, tag management, advertising, consent, ecommerce measurement, CRM/offline conversion, call tracking, email tracking, or server-side tracking systems to diagnose a measurement issue and apply approved fixes safely.

When to use this guide

This guide applies when the task involves measurement, attribution, conversion tracking, tag management, advertising-platform diagnostics, or marketing data integrations.

Typical cases include:

• GA4 tracking diagnostics, events, key events, ecommerce measurement, audiences, attribution, or Google Ads conversion imports;
• Google Tag Manager tags, triggers, variables, templates, workspaces, environments, container exports, or server-side GTM;
• Google Ads conversions, enhanced conversions, remarketing tags, Merchant Center-related measurement, or account diagnostics;
• Meta Pixel, Meta Events Manager, datasets, Conversions API, event match quality, deduplication, catalog or ad-account measurement;
• TikTok Pixel, TikTok Events Manager, Events API, catalogs, audiences, leads, or ad-account conversion diagnostics;
• LinkedIn Insight Tag, Microsoft Advertising UET tag, Amazon Attribution, call tracking, email tracking, CRM imports, offline conversions, or lead-quality feedback loops;
• Cookie consent, Consent Mode, CMP integration, consent banner behavior, or tag firing based on consent choices.

Preferred workflow

Metricfixer normally uses the following workflow for tracking and analytics tasks:

1. Confirm the website URL, affected platform, expected result, actual result, affected events, and business impact in the ticket.
2. Start with public URLs, screenshots, browser console output, Tag Assistant output, pixel helper output, debug-mode screenshots, example order IDs, event IDs, timestamps, or redacted exports when direct access is not required.
3. Use platform invitations, partner access, user roles, workspace permissions, or selected-asset permissions instead of shared personal logins.
4. Use read-only or viewer access for initial diagnostics whenever possible.
5. Use a GTM workspace, preview mode, draft changes, staging site, test order, test lead, or sandbox conversion flow before publishing live changes.
6. Request edit, publish, admin, API, server-side, DNS, website-code, or CRM access only when the approved scope requires it.
7. Publish containers, activate conversion changes, change consent behavior, enable server-side event sending, or modify optimization goals only after written approval in the ticket.
8. Remove users, partner access, temporary tokens, test users, and temporary platform permissions after the ticket is completed.

Before you provide access

Please add the following information to the ticket before granting access:

• website URL, landing page URL, checkout URL, app URL, or affected page path;
• platforms involved, such as GA4, GTM, Google Ads, Meta, TikTok, LinkedIn, Microsoft Ads, Amazon Attribution, CRM, call tracking, email tracking, CMP, ecommerce platform, or server-side GTM;
• account, property, container, pixel, dataset, tag, conversion, catalog, CRM, or data source IDs where available;
• description of the issue: missing events, duplicate events, wrong revenue, wrong currency, attribution discrepancy, consent problem, event match problem, offline import failure, or another specific symptom;
• expected events and parameters, for example page_view, view_item, add_to_cart, begin_checkout, purchase, generate_lead, sign_up, call, email_click, subscribe, revenue, currency, transaction ID, item IDs, or lead ID;
• recent examples: order ID, transaction ID, event ID, lead ID, call ID, timestamp, ad click ID, campaign name, test email, or screenshot;
• test scenario we can safely reproduce, such as test product, test checkout, draft order, sandbox payment, test form, test phone number, test CRM lead, or test coupon;
• consent banner or CMP name, regions affected, and whether the issue depends on accepting, rejecting, or partially accepting cookies;
• whether the task may affect live ad optimization, remarketing audiences, revenue reporting, conversion bidding, consent behavior, or customer data collection;
• confirmation that the current GTM container, website code, CMP settings, or platform configuration can be exported or rolled back before live changes.

Choose the minimum safe access level

1. No direct access

Use this for the initial review when Metricfixer can diagnose the issue from public pages, screenshots, browser tools, helper extensions, debug views, container exports, platform screenshots, test order details, or redacted examples.

2. Read-only diagnostic access

Use this when Metricfixer needs to inspect reports, events, conversion settings, tags, logs, diagnostics, or platform configuration but does not need to change anything. This is the safest starting point for GA4, Google Ads, Meta, TikTok, LinkedIn, Microsoft Ads, CRM, call tracking, and consent tools.

3. Workspace or draft-edit access

Use this when Metricfixer needs to prepare changes without publishing them. For Google Tag Manager, this usually means access to create or edit a workspace and test in preview mode, while the client keeps final publish approval.

4. Publish access

Use publish access only when Metricfixer is approved to publish tag, pixel, or conversion changes. Publishing can affect live tracking, ad optimization, remarketing audiences, and reporting, so it requires written approval in the ticket.

5. Admin or owner-level access

Admin-level access is not required for most tracking tasks. Use it only when the approved task requires user management, account linking, ownership verification, locked settings, data stream administration, business asset assignment, or another action that cannot be completed with a lower role.

6. API tokens and server-side access

API tokens, Conversions API tokens, Events API tokens, server-side GTM access, CRM API keys, cloud-function access, hosting access, DNS changes, and webhook secrets are sensitive. Provide them only through an approved secure method and only after Metricfixer confirms the exact purpose and minimum scope. Do not send these secrets by ordinary email.

Recommended permissions by platform

Platform interfaces and role names change over time. Use the closest least-privileged equivalent available in your account.

Google Analytics 4

• For diagnostics: use Viewer or Analyst at the relevant property level.
• For event, key event, audience, attribution, or conversion-related configuration: use Marketer or Editor when required by the task.
• For user management, account-level settings, or locked administration tasks: use Administrator only if specifically requested.
• Use GA4 data restrictions such as no cost metrics or no revenue metrics if those values are not needed for the task.
• Do not create a new GA4 property or change property ownership unless this is part of the approved scope.

Google Tag Manager

• For an audit: use Read permission for the relevant container.
• For preparing fixes: use Edit permission and let Metricfixer work in a dedicated workspace.
• For client-controlled release: use Approve if Metricfixer should create versions but the client will publish.
• For live release by Metricfixer: use Publish only after written approval.
• Export the current container before major changes, especially for ecommerce, checkout, consent, or ad-platform tags.
• Do not grant account Administrator permission unless user management, container creation, or account-level administration is required.

Google Ads

• For diagnostics: use Read-only access.
• For conversion actions, enhanced conversions, imported conversions, campaign conversion settings, or tag-related implementation: use Standard access when changes are required.
• Use Admin only when account linking, user access, product links, or manager-account approvals are part of the approved scope.
• Do not grant Billing access unless the task specifically concerns billing or payment setup.
• Do not change primary conversion goals, bidding-related conversion actions, or account-level conversion settings without written approval.

Meta Business Suite, Meta Events Manager, and Meta Pixel

• Use Meta Business partner access or asset-level access where possible instead of sending a personal Facebook login.
• Grant only the assets required for the task, such as the relevant ad account, dataset/pixel, catalog, app, Page, or domain verification area.
• For diagnostics: grant event, dataset, pixel, or ad-account visibility needed to inspect event quality, deduplication, domains, diagnostics, and attribution.
• For implementation: grant only the permission needed to edit events, configure a dataset, connect a partner integration, or test Conversions API.
• Do not grant full business admin, billing, payment, payout, or unrelated Page/Instagram permissions unless the approved task requires them.
• Treat Meta Conversions API access tokens and system-user tokens as secrets. Share them only through an approved secure method and rotate them after the task if they were temporary.

TikTok Business Center and TikTok Events Manager

• For most work, use a Standard Business Center member role with access only to the assigned ad account, pixel, catalog, lead asset, or other required asset.
• Use TikTok Events Manager access when the task involves TikTok Pixel, Events API, event diagnostics, web measurement, CRM events, or store events.
• Use Admin or finance-related roles only when the task specifically requires Business Center administration or finance management.
• Do not grant access to unrelated ad accounts, shops, catalogs, audiences, leads, or TikTok accounts.

LinkedIn Ads and Microsoft Advertising

• For diagnostics: use Viewer, read-only, or equivalent reporting access.
• For implementation: use campaign, manager, creative, standard, or equivalent edit access only if conversion tags, Insight Tag, UET, audiences, imports, or campaign settings must be changed.
• Do not grant billing admin, super admin, payment, or organization owner access unless the task specifically requires it.

Consent management platforms

• For diagnostics: provide screenshots, exported settings, vendor lists, consent categories, region rules, or read-only access if available.
• For implementation: provide edit access only to the relevant CMP workspace, banner, category, vendor, script, or integration settings.
• Metricfixer can help with technical configuration, but the client remains responsible for legal decisions about consent wording, categories, lawful basis, regional rules, and privacy notices.

Server-side tracking, CRM imports, call tracking, and email tracking

• For server-side GTM or server-side tracking: provide access only to the relevant server container, preview/debug tools, log source, DNS record, cloud service, or hosting area required for the task.
• For CRM or offline conversions: provide a sandbox, test lead, redacted export, mapping document, or limited API credentials with only the required scopes.
• For call tracking or email tracking: provide access only to the relevant tracking number, email routing, webhook, integration, or reporting area.
• Do not provide full CRM exports, unrestricted customer lists, root server access, or broad API keys unless there is no safer alternative and the scope is explicitly approved.

What not to provide

Please do not provide any of the following unless Metricfixer explicitly confirms that it is required for the approved task:

• personal Google, Facebook, TikTok, LinkedIn, Microsoft, CRM, CMS, hosting, or ecommerce account passwords;
• shared employee logins instead of platform invitations or temporary users;
• Business Owner, Organization Owner, Super Admin, Account Admin, or full business portfolio access when a lower role is enough;
• billing, payment, tax, payout, credit-card, bank-account, or invoice-administration permissions;
• production API secrets, Conversions API tokens, Events API tokens, OAuth refresh tokens, webhook secrets, private keys, or unrestricted server credentials by email;
• full customer exports, raw CRM databases, full order exports, health data, children’s data, government identification data, or other sensitive data not required for the task;
• permission to change bidding goals, primary conversions, consent behavior, live checkout tracking, or server-side routing without written approval.

Changes that require written approval

The following actions require approval in the ticket before Metricfixer performs them:

• publishing a Google Tag Manager container version or changing a live GTM environment;
• marking or unmarking GA4 key events, changing attribution settings, or creating Google Ads conversions from GA4 events;
• changing Google Ads primary conversions, conversion goals, enhanced conversions, imported conversions, product links, or account-level conversion settings;
• changing Meta or TikTok event setup, pixel/dataset configuration, CAPI/Events API token usage, event deduplication, or event optimization settings;
• editing consent banner behavior, Consent Mode defaults, CMP categories, vendor settings, or regional rules;
• deploying website code, server-side tracking code, webhooks, CRM imports, offline conversion uploads, or DNS changes;
• using live test transactions, paid ads budget, live payment flows, production customer data, or production CRM actions for verification.

How to revoke access after completion

1. Remove Metricfixer users, partner access, collaborator access, temporary users, and workspace permissions from each platform used in the task.
2. Rotate temporary API tokens, CAPI tokens, Events API tokens, CRM tokens, webhook secrets, and server-side credentials if they were shared for implementation.
3. Remove temporary GTM workspaces, test conversions, test audiences, test users, test CRM records, or temporary debug settings that are no longer needed.
4. Keep a copy of final GTM exports, screenshots, implementation notes, event lists, and approval messages for your own records.
5. Notify Metricfixer in the ticket when access has been revoked or reduced.