The Gist
Google just shipped new agency-level roles inside Merchant Center, and if you run an e-commerce marketing agency, this is the kind of update that quietly saves your team about forty hours a month. No more spinning up individual user accounts per client, no more hunting down which contractor still has read access to a merchant you haven't worked with since Q3 2024. The permissions model is now centralized at the agency level, which means you define a role once and it applies across every client account you manage. That's it. That's the tweet.
But here's what actually makes this matter: for years, Merchant Center treated agencies like a collection of isolated advertiser accounts. Every user had to be granted access individually, every permission lived inside that single account's settings, and offboarding someone meant manually removing them from each client one by one. I've watched mid-size agencies lose sleep over this. A departed employee keeps access to thirty merchant accounts because nobody thought to revoke it. Then one day you get a compliance audit and suddenly you're explaining why a former intern can still pull product feed data from a client's store.
This update doesn't just patch that hole. It restructures how the entire permission model works for agencies, and honestly, it's about time.
What Changed, Specifically
Google's new agency roles introduce a permission layer that sits above individual Merchant Center accounts. Instead of managing access at the account level alone, agencies can now create standardized roles — think "Feed Manager," "Viewer," or whatever custom permission sets make sense for your org — and apply those roles across their entire portfolio of client accounts from a single control panel.
The mechanics are straightforward. An agency admin defines what each role can and cannot do — which actions a user can perform, which data they can see, whether they can edit product feeds or just view reports — and then assigns team members to those roles. The permissions propagate across all linked merchant accounts automatically. No per-account configuration. No spreadsheets tracking who has access to what.
This is the kind of change that sounds boring until you actually live with the alternative. I talked to a performance marketing director at a twenty-person agency who described her offboarding process as "basically digital housekeeping for three hours every time someone leaves." Three hours. For one person leaving. Multiply that by the average agency turnover rate and you've got a significant operational tax that nobody budgets for because it's just "how things are."
Now? Revoke a role assignment and the access is gone everywhere. One click.
The Security Angle Nobody's Talking About Enough
Let's be clear about why this matters beyond convenience. The old model was a security time bomb, and most agencies didn't even know they were sitting on it.
When permissions live at the account level, you get what security folks call "permission sprawl." Users accumulate access over time — they need it for a project, the project ends, but the access stays. Over months and years, that sprawl becomes unmanageable. An agency might have fifty people who collectively hold access to five hundred merchant accounts, with overlapping permissions that no single person fully understands.
The centralized role model flips this. Now you're enforcing least-privilege access by design, not by accident. A junior associate gets a role that lets them upload product data but can't touch billing, settings, or other team members' accounts. A contractor gets read-only access to the specific merchants they're working with, and when the contract ends, you revoke one role assignment instead of hunting down thirty individual account permissions.
This also makes audits tractable. Instead of exporting permission lists from hundreds of individual accounts and trying to reconcile them in a spreadsheet, you look at the agency-level role assignments. Who has what access, across the entire portfolio, in one view. That's not just cleaner operations — that's something your compliance team will actually appreciate.
What This Means for Agency Operations
The day-to-day impact lands hardest on mid-size and large agencies — the ones managing anywhere from fifty to several hundred Merchant Center accounts. For a solo operator running three or four client stores, this change is nice but not transformative. But at scale, the difference is night and day.
Client onboarding gets faster because you're not configuring per-account permissions anymore. Bring a new team member onto a client project? Assign the appropriate role, they have access to everything they need across all relevant merchant accounts, done. No back-and-forth with the agency admin, no waiting for permission grants to propagate.
Internal governance improves too. When you can see the full role hierarchy in one place, you start noticing things you didn't before. "Wait, why does our newest hire have admin-level access to twelve merchant accounts?" Those kinds of questions get answered faster now, which means you catch over-privileged users before they cause problems.
And then there's the offboarding question, which I keep coming back to because it's genuinely one of the most underappreciated operational risks in this business. When someone leaves an agency — and people leave agencies, that's just how it works — the centralized role system means you can cut their access everywhere in seconds. No orphaned accounts. No lingering permissions that surface during an audit two years later. Just clean, immediate revocation.
The Bigger Pattern: Google Tightening Its Grip on Platform Governance
This announcement doesn't exist in a vacuum. If you've been tracking Google's advertising platform changes over the last couple of years, you'll notice a clear pattern: role-based access control is getting more sophisticated across the board. Google Ads Manager accounts got similar improvements. Google Analytics properties moved toward granular user management. Merchant Center is now getting the same treatment.
There are a few forces driving this, and they're all real:
Regulatory pressure is one. Data access controls aren't optional anymore in a lot of jurisdictions, and agencies that can demonstrate proper governance get a competitive edge when bidding for enterprise clients who have compliance requirements.
The zero-trust security model is another. The industry has largely moved past the idea that you can trust anyone inside your perimeter by default, and Google's platform changes reflect that shift. Every tool in the advertising stack is being rebuilt with the assumption that credentials will eventually be compromised, so the question isn't whether someone gets in — it's what they can do once they're inside.
For agencies, this means staying current with platform changes isn't a nice-to-have anymore. It's table stakes. Clients are going to ask about your access governance practices, and having a centralized, auditable role system in Merchant Center is going to become a differentiator — or at least a baseline expectation.
What to Watch Next
Google hasn't spelled out every detail of the rollout yet, and that's worth noting. The exact set of predefined roles, the customization options for custom permission sets, the timeline for when these features become available to all agencies — some of that is still TBD.
What I'd keep an eye on: whether Google allows fully custom roles or sticks to a fixed set of predefined options. The more flexibility agencies have in defining what each role can do, the more useful this system becomes. A one-size-fits-all permission model might work for some agencies but leave others frustrated.
Also worth watching: how Google handles the migration path. Agencies currently managing permissions at the account level are going to need a clear transition plan, and how smoothly Google makes that move will determine whether this update gets adopted quickly or sits unused for months while teams figure out the new workflow.
One more thing: I'd expect Google to eventually tie these agency roles into broader identity and access management features, possibly including SSO integration or SCIM provisioning for larger enterprise agencies. The infrastructure is being built now; the next iteration will probably make it even more powerful.