System roles and permissions
Last updated: Jul-21-2025
This page lists all available system roles and individual permissions, helping you understand what each role and permission allows, so you can make informed decisions when assigning roles or designing custom ones.
-
System roles: Cloudinary provides a set of built-in roles called system roles, which are predefined permission sets tailored for common responsibilities like marketing, design, analytics, and admin tasks.
System roles make it easy to assign consistent access. You can assign them directly to users, groups, or API keys, without any further configuration.
Permissions: All roles are defined by permissions, where each permission controls a specific action. System roles have a fixed set of permissions, while custom roles let you choose which permissions to include.
Note
Some features permitted by the roles and permissions listed here may not be available in your account if your plan doesn’t include the associated functionality.
Visibility of features in the UI depends on your plan and is separate from role-based permissions.
Important
Cloudinary's Roles and Permissions Management is now available as a Beta. This is an early stage release, and while it's functional and ready for real-world testing, it's subject to change as we continue refining the experience based on what we learn, including your feedback.
During the Beta period, core functionality is considered stable, though some APIs, scopes, or response formats may evolve. We'll also be expanding the documentation with additional examples, best practices, and implementation tips.
How you can help:
- Use Roles and Permissions Management in real projects, prototypes, or tests.
- Share feedback, issues, or ideas with our support team.
Thank you for exploring this early release and helping us shape these tools to best meet your needs.
On this page:
System roles
System roles contain a fixed set of predefined permissions. Use system roles for fast, consistent access setup.
Below are tables summarizing the permission details for each role, divided by scope (account or product environment) and permission type (global, folder, or collection):
You can assign account-level global, product environment–level global, and folder roles to both users and groups for Console actions, and to account or product environment API keys for programmatic access. Collection roles apply only to users and groups for Console actions.
If you assign a role that doesn’t match the scope or access type, it has no effect.
Tip
- You can't modify system roles, but you can duplicate them to use them as the basis for a new custom role. For more information, see Role management.
- You can view a full list of system roles by navigating to Role Management page in the Console Settings, selecting the Global, Folder or Collection tab, and filtering the table for System roles.
Global account-level roles
You can assign these roles to groups and users. You can also assign these roles to API keys for actions that are available programmatically.
Account-level role descriptions
This table describes each global account-level role and what it allows.
| Role Name | Description |
|---|---|
| Master Admin | Manage all account-level settings and features. |
| Admin | Manage roles, users, and groups, and access Cloudinary products. |
| Billing | Manage account-level billing, including current plans, payment methods, tracking usage, and purchasing add-ons. |
| Reports | View account-level reports and usage metrics, including audit logs, dashboard usage summaries, and account-wide activity reports. |
Account-level permissions by role
This table shows which account-level permissions each role grants.
| Permission Area | Description | Master Admin | Admin | Billing | Reports |
|---|---|---|---|---|---|
| Role & permission management | Create and manage roles and permissions | ✔️ | |||
| User management | Create and manage users & user groups | ✔️ | ✔️ | ✔️ | |
| Product environment management | Create and manage product environments | ✔️ | |||
| MediaFlows | View MediaFlows usage and plan details, change MediaFlows plan | ✔️ | ✔️ | ✔️ | |
| Product access | Access FinalTouch, Cloudinary 3D, and Media Optimizer products | ✔️ | ✔️ | ✔️ |
Global product environment-level roles
You can assign these roles to groups and users. You can also assign these roles to product environment API keys for actions that are available programmatically.
Product environment-level role descriptions
Describes each global product environment-level role and what it allows.
| Role Name | Description |
|---|---|
| Master Admin | Fully manage all product environments, including settings, all features across products, and dashboards and reports. |
| Admin | Manage permitted product environments, including Console Settings, all features across products, and relevant dashboards and reports. |
| Tech Admin | Manage tech areas, including product environment Console Settings, key features across products (excluding MediaFlows), and relevant dashboards & reports. |
| Media Library Admin | Access the Media Library for full usage and administration, including transformations, creative approval, and App Marketplace. |
| Media Library User | Access specific folders and collections within the Media Library according to assigned permissions. |
| Reports | Access product environment reports, including delivery and error reports, transformation logs, and usage for all products. |
Product environment-level permissions by role
This table shows which product environment-level permissions each role grants.
| Permission Area | Description | Master Admin | Admin | Tech Admin | Media Library Admin | Media Library User | Reports |
|---|---|---|---|---|---|---|---|
| Media Library (Full access) | Full access to the Media Library and all its features including viewing and managing all assets and access to all collections | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| Media Library (Content-based access) | Access depends on assigned folder and collection permissions | ✔️ | |||||
| Moderation (Full access) | View, approve or reject all assets pending moderation | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Moderation (Content-based access) | View, approve or reject assets pending moderation (depends on assigned folder and collection permissions) | ||||||
| Portal management | Manage media portals, including creating, viewing, editing, and publishing them | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Reports & dashboards | View summary details and trend graphs to analyze DAM usage | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Structured metadata | Define and manage custom fields used to describe and identify assets | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Marketplace & add-ons | Extend DAM capabilities by enabling apps relevant to your workflows | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Delivery | Manage delivery settings in the Console Settings | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| Console settings | Manage API keys, upload settings, optimization, webhooks, and security | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Image product | Define named transformations and templates, manage image processing | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Video product | Manage video analytics, live streams, and video player profiles | ✔️ | ✔️ | ✔️ | |||
| MediaFlows | Build, view, and manage visual workflows for automating media-related tasks | ✔️ | ✔️ | ✔️ |
Folder roles
You can assign these roles to groups and users.You can also assign these roles to product environment API keys for actions that are available programmatically.
Folder role descriptions
Describes each folder role and what it allows.
| Role Name | Description |
|---|---|
| Viewer | View the folder and its contents for browsing or downloading assets. |
| Contributor | All Viewer permissions, plus contribute new content by uploading, saving as new, creating subfolders, and moving assets in. |
| Editor | All Contributor permissions, plus edit content, including restoring versions, updating metadata and tags, and renaming assets and subfolders. |
| Manager | All Editor permissions, plus full control over folder contents, including asset access control and public links, as well as folder sharing and access management. |
Note
Cloudinary automatically grants the Creator role to users for folders they create. This role includes the same permissions as Manager, but can't be manually assigned.Folder permissions by role
This table shows which folder-level permissions each role grants.
| Permission Area | Manager | Editor | Contributor | Viewer |
|---|---|---|---|---|
| View | ✔️ | ✔️ | ✔️ | ✔️ |
| Download public assets | ✔️ | ✔️ | ✔️ | ✔️ |
| Download restricted assets | ✔️ | |||
| Add assets (upload / move in) | ✔️ | ✔️ | ✔️ | |
| Create subfolders | ✔️ | ✔️ | ✔️ | |
| Edit assets (replace / metadata / versions) | ✔️ | ✔️ | ||
| Rename folder | ✔️ | ✔️ | ||
| Delete assets | ✔️ | |||
| Delete folder | ✔️ | |||
| Move assets out | ✔️ | |||
| Move folder | ✔️ | |||
| Public links for assets | ✔️ | |||
| Access control | ✔️ | |||
| Manage access (invite users) | ✔️ |
Collection roles
These roles are relevant to groups and users.
Collection role descriptions
Describes each collection role and what it allows.
| Role Name | Description |
|---|---|
| Viewer | View and download assets in the collection. |
| Collaborator | All Viewer permissions, plus add assets to the collection. |
| Distributor | All Collaborator permissions, plus share the collection with others in the organization. |
| Manager | All Distributor permissions, plus manage the collection, including removing assets, deleting the collection, updating details, and managing public links. |
Collection permissions by role
This table shows which collection-level permissions each role grants.
| Permission Area | Manager | Distributor | Collaborator | Viewer |
|---|---|---|---|---|
| View | ✔️ | ✔️ | ✔️ | ✔️ |
| Download public assets | ✔️ | ✔️ | ✔️ | ✔️ |
| Download restricted assets | ✔️ | |||
| Manage access (invite users) | ✔️ | ✔️ | ||
| Remove assets | ✔️ | |||
| Rename collection | ✔️ | ✔️ | ||
| Delete collection | ✔️ |
Permissions
View all permissions that Cloudinary provides. These permissions are included in system roles, and you can select your own set of permissions to include in custom roles.
The list of permissions is divided by:
Global permissions
Account settings
You can assign the permissions in this section to groups and users through roles. You can also assign these roles to API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Manage account information | Edit basic account information, such as account name and product environment display name, in the Console. |
| Manage account API keys | View account API keys that authenticate the Provisioning and Permissions APIs, update their details, and generate new key pairs. |
| View account security settings | View account-wide security settings related to authentication, access control, and user privacy. |
| Manage account security settings | Define account-wide security settings related to authentication, access control, and user privacy. |
| View Billing | View plan details, add-on subscriptions, and current usage and billing information. |
| Manage Billing | View and manage all billing-related information, including plan details, payment method, and add-on subscriptions. To purchase add-ons for additional users or product environments, this permission must be paired with the View users and groups and View product environments permissions. |
| View roles and permissions | View all roles, the permissions included in each one, and the users, groups, API keys, and other resources assigned to each role. |
| Manage roles and permissions | View, create, update, and delete all roles, define their permissions, and assign roles to users, groups, API keys, and other resources. |
| View product environments | View a list of all product environments in the account and their associated details. This doesn't grant access to the product environments or their contents. |
| Manage product environments | View, add, and remove product environments in the account, and update their associated details. This doesn't grant access to the product environments or their contents. |
| View users and groups | View all users and groups in the account and their group memberships. |
| Manage users and groups | View, add, and remove users and groups in the account, and manage group memberships. |
Product environment settings
You can assign the permissions in this section to users and groups through roles.
You can assign ‘View API keys’ and ‘Manage API keys’ permissions to account-level API keys.
You can assign other permissions listed below, if available programmatically, to product environment API keys.
The table below describes each permission and what it allows:
| Permission | Description |
|---|---|
| View API keys | View all API keys and associated details. |
| Manage API keys | View, create, and delete API keys, and update their associated details. |
| Manage upload settings | View, create, modify, or delete upload settings, such as upload presets, upload mappings, and upload defaults. |
| Manage backup settings | Enable or disable automatic backups for newly uploaded assets, and initiate backup for all existing assets. |
| View optimization settings | View optimization settings such as image and video quality and handling of CMYK in derived images. |
| Manage optimization settings | Define optimization settings such as image and video quality, and handling of CMYK in derived images. |
| View delivery settings | View access control list (ACL) conditions and rules in the Console, which define who can access assets. |
| Manage delivery settings | Define access control list (ACL) conditions and rules in the Console to control who can access assets. |
| View webhook notifications | View webhook notification URLs and their notification types in the Console, or retrieve them via the triggers endpoint of the Admin API. |
| Manage webhook notifications | View, create, and delete webhook notification URLs, and configure their notification types via the Console or the triggers endpoint of the Admin API. |
| Manage product environment security settings | Set security settings that control how the assets in your product environment can be delivered. |
Dashboard and reports
You can assign the permissions in this section to groups and users through roles.
| Permission | Description |
|---|---|
| View the Home Dashboard | View high-level account and product environment information on the Home Dashboard, including cloud name, folder mode, and summary insights. |
| View the Delivery Report | View detailed media delivery analytics, such as bandwidth and request usage, top-performing assets and transformations, referral domains, and formats. |
| View the Error Report | View delivery error trends, including any errors generated from API calls or delivery URL requests. |
| View the Monthly Value Report | View metrics that highlight Cloudinary’s added value, such as bandwidth savings and time saved through automation. |
| Access Monthly Usage Report | Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console. |
Cloudinary Image
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Access Cloudinary Image | Access the Cloudinary Image product and use the Transformation Builder for single and bulk transformations in the Media Library. |
| View all named transformations | View named transformations using the Console or the Get transformations method of the Admin API. |
| Delete all named transformations | Delete all existing named transformations using the Console or the Delete transformation method of the Admin API. |
| Update all named transformations | Update existing named transformations using the Transformation Builder. To update templates in Studio and the Media Library, this permission must be paired with the 'Create named transformations' permission. |
| Create named transformations | Create new named transformations using the Transformation Builder. To create new templates in Studio and the Media Library, this permission must be paired with the 'Update all named transformations' permissions. |
| View unnamed transformations | View unnamed transformations previously applied to assets, using the Console or the Get transformations method of the Admin API. |
| Manage unnamed transformations | Create and update unnamed transformations previously applied to assets, using the Console or the Update transformations method of the Admin API. |
Cloudinary Video
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Access Cloudinary Video | Access the Cloudinary Video product in the Console, including tools for managing video assets, customizing video players, and previewing transformed video content. |
| View Video Analytics | View Video Player performance metrics in the Video Analytics page, including plays, watch time, unique viewers, and top-performing videos. Use this data to understand engagement and optimize video delivery. |
| Manage Video Player profiles | Create, edit, and apply video player profiles to control player appearance and behavior, with access to the Video Player Studio for visual customization. |
| Manage live streams | Create, update, and delete live stream entries, configure stream settings, and access live stream details within the Cloudinary Console. |
Management via Assets and APIs
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Manage structured metadata fields | Create and manage structured metadata fields, define conditional rules, and configure datasources (list values) for single and multi-selection fields. |
| Use add-ons | Apply functionality from add-ons that are enabled for the account. Note that usage may consume quota based on the add-on plan. |
| Relate assets | Create and manage relationships between assets. Viewing related assets requires folder-level or global permissions. |
| Delete all folders and assets | Delete all folders and assets without requiring specific folder or asset permissions. |
| Download all folders and their public assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. |
| Download all folders and their restricted assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. |
| Create folders in all locations | Create folders anywhere within the folder hierarchy without requiring specific folder permissions. |
| Upload assets | Upload assets to any folder, including the root, without requiring specific folder permissions. Includes the option to select an upload preset and apply tags and metadata. |
| Update all folders and assets | Move, rename, and overwrite all folders and assets without requiring specific folder or asset permissions. |
| Update access control for all assets | Change access control settings for all assets between 'Public' and 'Restricted' without requiring specific folder or asset permissions. |
| Restore deleted assets | Restore all deleted assets. |
Management via Assets
You can assign the permissions in this section to users and groups through roles.
| Permission | Description |
|---|---|
| Manage basic portals | Manage all portals with full create, read, update, and delete permissions. |
| Set Media Library Preferences | Control the way the Media Library looks and behaves for all users in the product environment. |
| Access the Assets Dashboard | View the Assets Dashboard, including usage summaries and trend graphs. Access is limited to data the user is permitted to see. |
| View and generate activity reports | View and generate reports that list all account management activities and product environment actions. |
| Access the Media Library | Access the Media Library within the Console. Without this permission, users can't view any assets. |
| Access delivery URLs via the Console | Access delivery URLs of original and transformed assets, including the ability to view, copy, and open them in a new tab. |
| Access the Moderation page | Access the Moderation page. To view assets on this page, pair this permission with the 'View all assets in the folder and its subfolders' folder permission, or 'View all folders and assets' global permission. To also approve or reject assets, pair it with 'Moderate assets' folder permission or 'Moderate all assets' global permission. |
| Moderate all assets | Approve and reject all assets in queue. To perform these actions from the Moderation page, pair this permission with 'Access the Moderation page'. To view assets on the page, pair it with the 'View all folders and assets' global permission. |
| Bulk update structured metadata via CSV | Upload a CSV file to bulk update structured metadata fields across multiple assets. |
| Manage the Assets App Marketplace | Manage the App Marketplace by enabling or disabling apps that extend DAM functionality based on company needs. |
| Use DAM Apps | Access and use DAM apps that have been enabled from the Assets App Marketplace, directly within the Media Library. |
| Delete asset comments | Delete all comments the user added to assets. |
| Manage portals | Manage all portals with full create, read, update, and delete access. The 'View collection' permission is required to add a specific collection to a portal. |
| Start creative approval proofs | Create proofs using assets the user has permission to view via the 'View all subfolders and assets in the folder' folder permission, or the 'View all folders and assets' global permission, and send them to a selected approval flow. |
| Create EasyFlows from the Media Library | Create EasyFlows within the Media Library to streamline Assets workflows. |
| View all folders and assets | View all folders and assets without requiring specific folder or asset permissions. Downloading requires a separate permission. |
| Manage public links | Create, view, update, and delete public links to share collections externally. Also allows sharing assets directly, provided the user has view access through either the 'View all assets in the folder and its subfolders' folder permission or the 'View all folders and assets' global permission. |
| Share all folders | Share all folders within the folder hierarchy without requiring specific folder permissions. |
| Create (non-dynamic) collections | Create collections, excluding dynamic collections. |
| View all (non-dynamic) collections | View all collections and the assets inside them without requiring folder or asset permissions. This excludes dynamic collections. |
| Manage all (non-dynamic) collections | View and manage all collections and their assets without requiring folder permissions. Includes renaming collections and adding or removing assets the user can view via the 'View all assets in the folder and its subfolders' folder permission or the 'View all folders and assets' global permission. This excludes dynamic collections. |
| Invite to all (non dynamic) collections | Invite other users to access all classic collections and assign them different permission levels. This excludes dynamic collections. |
| Manage dynamic collections | Create, update, publicly share, and delete dynamic collections. Includes permission to view all assets included in dynamic collections. |
Other Cloudinary products
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Access FinalTouch | Access the FinalTouch product to create, customize, and publish product galleries and shoppable experiences using Cloudinary assets. |
| Access Cloudinary 3D | Access the Cloudinary 3D product to upload, manage, and preview 3D assets within the Console. |
| Can access Media Optimizer | Access the Media Optimizer from the left navigation menu. |
| Access MediaFlows | Access the MediaFlows product to build, view, and manage visual workflows for automating media-related tasks. |
| Manage all MediaFlows | Create, update, and delete all PowerFlows and EasyFlows. |
| View all MediaFlows | View all PowerFlows and EasyFlows. |
| View MediaFlows usage and plan details | View current MediaFlows plan details, credit usage, and usage breakdowns across all product environments. |
| Change MediaFlows plan | Upgrade or downgrade the current MediaFlows plan from the Console’s plan management interface. |
| View all MediaFlow logs | View MediaFlows activity logs across all product environments, including actions performed by users, API calls, and system events. |
Folder permissions
You can assign the permissions in this section to users, groups, or product environment API keys through folder roles.
Note
Assign folder roles to users and groups via the Media Library or the Permissions API, and to product environment API keys via the Permissions API only.| Permission | Description |
|---|---|
| View all assets | View all assets in the folder and its nested subfolders. |
| Download all public assets | Download all assets marked as 'Public' in the folder and its subfolders. |
| Download all restricted assets | Download all assets marked as 'Restricted' in the folder and its subfolders. |
| Download all assets | Download all assets in the folder and its subfolders. |
| Add assets | Add assets to the folder by uploading new files, saving an asset as new, or moving existing assets from other folders. Tags and structured metadata can be applied during upload. |
| Create subfolders | Create subfolders or move existing folders into this folder. |
| Edit assets and metadata | Perform actions on assets in the folder and its subfolders, including replacing and editing assets, restoring versions, and updating tags, structured metadata, and contextual metadata. |
| Rename subfolders | Rename subfolders within the folder. This doesn't include permission to rename the folder itself. |
| Rename assets | Edit the display names and public IDs of assets in the folder and its subfolders. In the legacy fixed-folder mode, renaming a public ID also requires the ‘Move assets’ permission. |
| Delete assets | Delete assets in the folder and its subfolders. |
| Delete subfolders | Delete subfolders within the folder. To delete subfolders that contain assets, the user must also have the 'Delete assets' permission for those subfolders. |
| Move assets | Move assets between folders. This action also requires the 'Add assets' permission for the destination folder. |
| Delete folder | Delete the folder and its contents. If the folder contains assets, the user must also have the 'Delete assets' permission for the folder. This action is limited to folders with 1,000 assets or fewer. |
| Rename folder | Rename the folder and its subfolders. This action isn't available in fixed folder mode. |
| Move folder | Move the folder and all of its contents to a different location in the folder hierarchy. In fixed folder mode, this also requires the 'Move assets' permission for the folder. |
| Move subfolders | Move subfolders to a different location in the folder hierarchy. In fixed folder mode, this also requires the 'Move assets' permission for the subfolder. |
| Moderate assets | Approve or reject assets in the folder and its subfolders via the Moderation page in the Media Library. Also requires the global 'Access the Moderation page' permission. |
| Manage public link to assets | Create, view, update, and delete public links for assets in the folder and its subfolders, including setting access date ranges. |
| Edit access control | Set asset access control for assets in the folder and its subfolders to 'Public' or 'Restricted', with optional date-based rules for limited-time public access. |
| Share with users/groups | Manage user and group access to the folder and its subfolders. Users can only assign and remove permission levels that are equal to or lower than their own for that folder. |
Collection permissions
You can assign the permissions in this section to users and groups through collection roles.
| Permission | Description |
|---|---|
| View collection | View the collection and all the assets in it without requiring global or folder permissions for those assets. |
| Download collection | Download all assets in the collection without requiring global or folder permissions for those assets. |
| Add assets | Add assets to the collection. Users can only add assets they're permitted to view, either through the 'View all assets in the folder' folder permission or the 'View all folders and assets' permission global. |
| Remove assets | Remove assets from the collection. Users can only remove assets they're permitted to view, either through the 'View all assets in the folder' folder permission or the 'View all folders and assets' global permission. |
| Edit collection | Rename the collection and edit its description. |
| Delete collection | Delete the collection. This action doesn't affect the assets in it. |
| Manage collection's public link | View, create, copy, update, configure, and delete the public link for a collection. |
| Invite users and groups | Invite users and groups to a collection, and add, edit, or remove their permissions. Users can only assign and remove permission levels that are equal to or lower than their own for that collection. |
| Create collections | Create new collections. Managing the collection or adding assets requires separate permissions. |
Tip
You can view a full list permissions per type of role by navigating to Role Management page in the Console Settings and selecting the Global, Folder or Collection tab.
- Select to view an existing system role to review its name, description, and fixed permissions.
- Create a global or folder custom role to view all available permissions for that role type.
✖️
Error
Rate this page:
