If its your card, only your employees can have access.
If it's the advertisers card, then you and advertiser can have access.

The issue is that if you got locked out of an account, Google would (after an explanatory phone call) most likely remove the card from the account.

However - you (not the advertiser) is still liable for the charges that could be racked up on your card.

Be careful with your contracts and access if you're in that situation.

To have a permission based system however, means coding account types with permissions, a permission manager, a centralized way to handle permissions, etc.

Depending on the initial architecture of the database, this can range from a simple implementation to having to completely retool some of the interfaces.

I'm not sure how often this issue is requested by individuals - which is one of the measures everyone uses to consider implementing new features.

Of course - the other question is, why do your advertisers need access? Are there automated reports you can send them which would take the place of them needing access? Is there another way to position your services so they have no reason to login? etc...

I'd suggest you add it to the wish list thread [webmasterworld.com].