Roles and permissions

Last updated: Jun-30-2025

Cloudinary roles help you control who can do what in your account and product environments. You can assign roles to users, groups, or API keys to give them the right level of access to features, settings, and content, such as folders and collections. For example, you might give your design team access to edit images in specific folders, while limiting your marketing team to view-only access.

You can customize roles to fit how your teams work, whether you're managing different brands, assigning access based on job functions, or organizing teams by region or department.


Who you can assign roles to

You can assign roles to the following entities:

  • Users: A named user with login access to the Console.
    Roles control which areas of the Console the user can access.
  • Groups: A group of users.
    Roles assigned to a group apply to all users within it.
  • Product environment API keys: Used for programmatic access to a product environment.
    Roles determine the actions the key can perform via the Admin and Upload APIs.
  • Account API keys: Used to perform account administrative tasks, e.g., user provisioning.
    Roles determine the actions the key can perform via the Provisioning & Permissions APIs.

Global, folder, and collection roles

Cloudinary supports three types of roles, each scoped to either the account or one or more product environments:

| Role Type | Description | Permission Level (Scope) |
| Global | Controls access to account-wide features (e.g., user management, billing) or grants permissions across all folders, assets, and collections within a product environment. | Account or Product environment |
| Folder | Controls what users, groups, or API keys can do in specific folders and with folder assets. | Product environment |
| Collection | Controls collaboration and visibility for specific collections in the Media Library. Note: Only users and groups can be assigned collection roles. | Product environment |

System and custom roles

Each role is either a system or custom role type:

  • System roles are predefined by Cloudinary and include a fixed set of permissions. They support most common workflows, and are immediately ready for you to assign.
    For a full list of available system roles and what each one allows, see System roles and permissions.
  • Custom roles let you define your own roles based on what your team needs. You choose which set of permissions to include in each role.

Both system and custom roles can be scoped to the account level or to a product environment, and can be either global or content-specific (folder or collection).


Concept summary

This table brings together all the key concepts covered on this page:

| | Global Roles | Folder Roles | Collection Roles |
| Assignable to | Users, groups, API keys | Users, groups, API keys | Users, groups |
| Management location | Console Settings > Role Management > Global Roles | Console Settings > Role Management > Folder Roles | Console Settings > Role Management > Collection Roles |
| Assignment location | Assign to users: Console Settings > User Management; Assign to API keys: Console Settings > API Keys; Assign to account API keys: Console Settings > Account API Keys | Media Library (folder sharing) | Media Library (collection sharing) |
| Permission level | Account or product environment | Product environment | Product environment |
| Management type | System or custom | System or custom | System or custom |
