Roles and permissions

Last updated: Jul-21-2025

Cloudinary roles help you control who can do what in your account and product environments. You can assign roles to users, groups, or API keys to give them the right level of access to features, settings, and content, such as folders and collections. For example, you might give your design team access to edit images in specific folders, while limiting your marketing team to view-only access.

You can customize roles to fit how your teams work, whether you're managing different brands, assigning access based on job functions, or organizing teams by region or department.

Important
Cloudinary's Roles and Permissions Management is now available as a Beta. This is an early stage release, and while it's functional and ready for real-world testing, it's subject to change as we continue refining the experience based on what we learn, including your feedback. During the Beta period, core functionality is considered stable, though some APIs, scopes, or response formats may evolve. We'll also be expanding the documentation with additional examples, best practices, and implementation tips.

How you can help:

  • Use Roles and Permissions Management in real projects, prototypes, or tests.
  • Share feedback, issues, or ideas with our support team.

Thank you for exploring this early release and helping us shape these tools to best meet your needs.


Who you can assign roles to

You can assign roles to the following entities:

  • Users: A named user with login access to the Console.
    Roles control which areas of the Console the user can access.
  • Groups: A group of users.
    Roles assigned to a group apply to all users within it.
  • Product environment API keys: Used for programmatic access to a product environment.
    Roles determine the actions the key can perform via the Admin and Upload APIs.
  • Account API keys: Used to perform account administrative tasks, e,g. user provisioning.
    Roles determine the actions the key can perform via the Provisioning & Permissions APIs.

Key role attributes

Cloudinary supports three types of roles: global, folder, and collection.

Each type of role is scoped to either the account or one or more product environments:

Role Type Description Permission Level (Scope)
Global Controls access to account-wide features (e.g., user management, billing) or grants permissions across all folders, assets, and collections within a product environment. Account or Product environment
Folder Controls what users, groups, or API keys can do in specific folders and with folder assets. Product environment
Collection Controls collaboration and visibility for specific collections in the Media Library.
Note: Only users and groups can be assigned collection roles.
Product environment

System and custom roles

Each role is either a system or custom role type:

  • System roles are predefined by Cloudinary and include a fixed set of permissions. They support most common workflows, and are immediately ready for you to assign.
    For a full list of available system roles and what each one allows, see System roles and permissions.
  • Custom roles let you define your own roles based on what your team needs. You choose which set of permissions to include in each role.

System roles can apply globally (at the account level or per product environment), to folders, and to collections.

You can create custom roles that apply globally and to folders.


Concept summary

This table brings together all the key concepts covered on this page:

Global Roles Folder Roles Collection Roles
Assignable to Users, groups, API keys Users, groups

Note: You can assign API keys programmatically.

Users, groups
Management location Console Settings > Role Management > Global Roles Console Settings > Role Management > Folder Roles Console Settings > Role Management > Collection Roles
Assignment location Assign to users:
Console Settings > User Management

Assign to API keys:
Console Settings > API Keys

Assign to account API keys:
Console Settings > Account API Keys

Media Library (folder sharing) Media Library (collection sharing)
Permission level Account or product environment Product environment Product environment
Management type System or custom System or custom System

Next steps

✔️ Feedback sent!

Rate this page: