Roles and permissions
Last updated: Jun-30-2025
Cloudinary roles help you control who can do what in your account and product environments. You can assign roles to users, groups, or API keys to give them the right level of access to features, settings, and content, such as folders and collections. For example, you might give your design team access to edit images in specific folders, while limiting your marketing team to view-only access.
You can customize roles to fit how your teams work, whether you're managing different brands, assigning access based on job functions, or organizing teams by region or department.
Who you can assign roles to
You can assign roles to the following entities:
-
Users: A named user with login access to the Console.
Roles control which areas of the Console the user can access. -
Groups: A group of users.
Roles assigned to a group apply to all users within it. -
Product environment API keys: Used for programmatic access to a product environment.
Roles determine the actions the key can perform via the Admin and Upload APIs. -
Account API keys: Used to perform account administrative tasks, e,g. user provisioning.
Roles determine the actions the key can perform via the Provisioning & Permissions APIs.
Global, folder, and collection roles
Cloudinary supports three types of roles, each scoped to either the account or one or more product environments:
Role Type | Description | Permission Level (Scope) |
---|---|---|
Global | Controls access to account-wide features (e.g., user management, billing) or grants permissions across all folders, assets, and collections within a product environment. | Account or Product environment |
Folder | Controls what users, groups, or API keys can do in specific folders and with folder assets. | Product environment |
Collection | Controls collaboration and visibility for specific collections in the Media Library. Note: Only users and groups can be assigned collection roles. |
Product environment |
System and custom roles
Each role is either a system or custom role type:
-
System roles are predefined by Cloudinary and include a fixed set of permissions. They support most common workflows, and are immediately ready for you to assign.
For a full list of available system roles and what each one allows, see System roles and permissions. - Custom roles let you define your own roles based on what your team needs. You choose which set of permissions to include in each role.
Both system and custom roles can be on the account-level or per product environment, as well as global or content-specific (folder or collection).
Concept summary
This table brings together all the key concepts covered on this page:
Global Roles | Folder Roles | Collection Roles | |
---|---|---|---|
Assignable to | Users, groups, API keys | Users, groups, API keys | Users, groups |
Management location | Console Settings > Role Management > Global Roles | Console Settings > Role Management > Folder Roles | Console Settings > Role Management > Collection Roles |
Assignment location | Assign to users: Console Settings > User Management Assign to API keys: Assign to account API keys: |
Media Library (folder sharing) | Media Library (collection sharing) |
Permission level | Account or product environment | Product environment | Product environment |
Management type | System or custom | System or custom | System or custom |
Next steps
- System roles and permissions: Learn which roles and permissions Cloudinary offers and what each one allows.
- Role management: Manage your roles in the Console and assign them to users, groups, and API keys.