System roles and permissions
Last updated: Sep-04-2025
This page lists all available system roles and individual permissions, helping you understand what each role and permission allows, so you can make informed decisions when assigning roles or designing custom ones.
-
System roles: Cloudinary provides a set of built-in roles called system roles, which are predefined permission sets tailored for common responsibilities like marketing, design, analytics, and admin tasks.
System roles make it easy to assign consistent access. You can assign them directly to principals (users, groups, or API keys), without any further configuration.
Permissions: All roles are defined by permissions, where each permission controls a specific action. System roles have a fixed set of permissions, while custom roles let you choose which permissions to include.
Note
Some features permitted by the roles and permissions listed here may not be available in your account if your plan doesn’t include the associated functionality.
Visibility of features in the UI depends on your plan and is separate from role-based permissions.
Important
Cloudinary's Roles and Permissions Management is now available as a Beta. This is an early stage release, and while it's functional and ready for real-world testing, it's subject to change as we continue refining the experience based on what we learn, including your feedback.
During the Beta period, core functionality is considered stable, though some APIs, scopes, or response formats may evolve.
How you can help:
- Use Roles and Permissions Management in real projects, prototypes, or tests.
- Share feedback, issues, or ideas with our support team.
Thank you for exploring this early release and helping us shape these tools to best meet your needs.
On this page:
System roles
System roles contain a fixed set of predefined permissions. Use system roles for fast, consistent access setup.
Below are tables summarizing the permission details for each role, divided by scope (account or product environment) and permission type (global, folder, or collection):
You can assign account-level global, product environment–level global, and folder roles to both users and groups for Console actions, and to account or product environment API keys for programmatic access. Collection roles apply only to users and groups for Console actions.
If you assign a role that doesn’t match the scope or access type, it has no effect. For more information, see Assignment considerations.
Tip
- You can't modify system roles, but you can duplicate them to use them as the basis for a new custom role. For more information, see Role management.
- You can view a full list of system roles by navigating to Role Management page in the Console Settings, selecting the Global, Folder or Collection tab, and filtering the table for System roles.
Global account-level roles
You can assign these roles to groups and users. You can also assign these roles to API keys for actions that are available programmatically.
Account-level role descriptions
This table describes each account-level role and its capabilities.
| Role Name | Description |
|---|---|
| Master Admin | Manage all account-level settings and features. |
| Admin | Manage roles, users, and groups, and access all products in the Console. |
| Tech Admin | Access all products (except MediaFlows) in the Console, and manage support. |
| Billing | Manage account-level billing, usage reports, add-ons, and upgrades. |
| Reports | Access account-level reporting details. |
| MediaFlow Admin | Manage MediaFlows plan and usage details, plus add-ons, account information, account API keys, and product environments. |
Account-level permissions by role
This table shows which permission areas each account-level role includes.
| Permission Area | Description | Master Admin | Admin | Billing | Reports | MediaFlow Admin |
|---|---|---|---|---|---|---|
| Account management | Manage account details and billing information | ✔️ | ✔️ | |||
| Account API keys | View and manage account API keys for Provisioning and Permissions APIs | ✔️ | ✔️ | |||
| Product environment management | Create and manage product environments | ✔️ | ✔️ | ✔️ | ||
| User management | Create and manage users and user groups | ✔️ | ✔️ | ✔️ | ||
| MediaFlows | View MediaFlows usage and plan details, change MediaFlows plan | ✔️ | ✔️ | ✔️ | ✔️ | |
| Product access | Access FinalTouch, Cloudinary 3D, and Media Optimizer products | ✔️ | ✔️ | ✔️ |
Global product environment-level roles
You can assign these roles to groups and users. You can also assign these roles to product environment API keys for actions that are available programmatically.
Product environment-level role descriptions
This table describes each product environment-level role and its capabilities.
| Role Name | Description |
|---|---|
| Master Admin | Fully manage all product environments, including settings, product features, dashboards, and reports. |
| Admin | Manage product environment, including Console Settings, product features, and relevant dashboards and reports. |
| Tech Admin | Manage product environment, including Console Settings, key product features (except MediaFlows), and relevant dashboards and reports. |
| Media Library Admin | Full Media Library access, plus Transformations, Creative Approval, and App Marketplace. Excludes structured metadata management. |
| Media Library User | Access specific folders and collections according to assigned permissions. |
| Billing | Access billing reports for product environment usage. |
| Reports | Access product environment reporting details only. |
Product environment-level permissions by role
This table shows which permission areas each product environment-level role includes.
| Permission Area | Description | Master Admin | Admin | Tech Admin | Media Library Admin | Media Library User | Reports |
|---|---|---|---|---|---|---|---|
| Console settings | Console Settings Manage API keys, upload settings, optimization, webhooks, and security | ✔️ | ✔️ | ✔️ | |||
| Media Library Preferences | Control the way the Media Library looks and behaves for all users in the product environment | ✔️ | |||||
| Media Library (Content-based access) | Access depends on assigned folder and collection permissions | ✔️ | |||||
| Media Library (Full access) | Full access to the Media Library and all its features including viewing and managing all folders and assets, and access to all collections | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| Moderation (Content-based access) | View, approve or reject assets pending moderation (depends on assigned folder and collection permissions) | ✔️ | |||||
| Moderation (Full access) | View, approve or reject all assets pending moderation | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Portal management | Manage media portals, including creating, viewing, editing, and publishing them | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Structured metadata | Define and manage custom fields used to describe and identify assets | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Reports and dashboards | View summary details and trend graphs to analyze DAM usage | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Delivery | Delivery settings Manage delivery in the Console Settings | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
| Image product | Define named transformations and templates, manage image processing | ✔️ | ✔️ | ✔️ | ✔️ | ||
| Video product | Manage video analytics, live streams, and video player profiles | ✔️ | ✔️ | ✔️ | ✔️ | ||
| MediaFlows | Build, view, and manage visual workflows for automating media-related tasks | ✔️ | ✔️ | ✔️ |
Additional product environment-level roles
These specialized roles provide specific functionality within the product environment.
| Role Name | Description |
|---|---|
| Moderator | Moderate all assets, with Media Library and Moderation page access. Visibility limited to assets the user can view. |
| Delivery URL Viewer | Access original and transformed delivery URLs in the Media Library for assets the user can view. |
| Collection Sharing | Invite other users to non-dynamic collections |
| Collection Creator | Create non-dynamic collections |
| Proof Creator | Create proofs from assets the user can view. |
| MediaFlow Admin | Manage MediaFlows, structured metadata, API keys, and webhooks, with EasyFlows access via the Media Library. |
Folder roles
You can assign these roles to groups and users.You can also assign these roles to product environment API keys for actions that are available programmatically.
Folder role descriptions
This table describes each folder role and its capabilities.
| Role Name | Description |
|---|---|
| Viewer | View all assets but only download public ones. |
| Contributor | Viewer permissions, plus add assets and create subfolders. |
| Editor | Contributor permissions, plus replace, restore versions, and edit assets and subfolders. |
| Manager | Editor permissions, plus delete, share, and full download access. |
Note
Cloudinary automatically grants the Creator role to users for folders they create. This role includes the same permissions as Manager, but can't be manually assigned.Folder permissions by role
This table shows which permission areas each folder role includes.
| Permission Area | Viewer | Contributor | Editor | Manager |
|---|---|---|---|---|
| View folder and assets | ✔️ | ✔️ | ✔️ | ✔️ |
| Download public assets | ✔️ | ✔️ | ✔️ | ✔️ |
| Move folder | ✔️ | ✔️ | ✔️ | |
| Add assets (upload / move in) | ✔️ | ✔️ | ✔️ | |
| Create subfolders | ✔️ | ✔️ | ✔️ | |
| Rename folder | ✔️ | ✔️ | ||
| Edit assets (replace / metadata / versions) | ✔️ | ✔️ | ||
| Delete folder | ✔️ | |||
| Manage access (share internally) | ✔️ | |||
| Download restricted assets | ✔️ | |||
| Delete assets | ✔️ | |||
| Move assets out | ✔️ | |||
| Public links for assets | ✔️ | |||
| Access control | ✔️ |
Collection roles
These roles are relevant to groups and users.
Collection role descriptions
This table describes each collection role and its capabilities.
| Role Name | Description |
|---|---|
| Viewer | View all assets but only download public ones. |
| Collaborator | Viewer permissions, plus edit details and add assets. |
| Distributor | Viewer permissions, plus share internally. |
| Manager | Distributor and Collaborator permissions, plus remove assets, delete collection, share externally, and full download. |
Collection permissions by role
This table shows which permission areas each collection role includes.
| Permission Area | Viewer | Collaborator | Distributor | Manager |
|---|---|---|---|---|
| Download public assets | ✔️ | ✔️ | ✔️ | ✔️ |
| View collection and assets | ✔️ | ✔️ | ✔️ | ✔️ |
| Rename collection | ✔️ | ✔️ | ||
| Add description | ✔️ | ✔️ | ||
| Add assets | ✔️ | ✔️ | ||
| Manage access (share internally) | ✔️ | ✔️ | ||
| Delete collection | ✔️ | |||
| Download restricted assets | ✔️ | |||
| Remove assets | ✔️ | |||
| Share externally | ✔️ |
Permissions
View all permissions that Cloudinary provides. These permissions are included in system roles, and you can select your own set of permissions to include in custom roles.
The list of permissions is divided by:
Global permissions
Account settings
You can assign the permissions in this section to groups and users through roles. You can also assign these roles to API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Manage account information | Edit basic account information, such as account name and product environment display name, in the Console. |
| Manage account API keys | View account API keys that authenticate the Provisioning and Permissions APIs, update their details, and generate new key pairs. |
| View product environments | View a list of all product environments in the account and their associated details. This doesn't grant access to the product environments or their contents. |
| Manage product environments | View, add, and remove product environments in the account, and update their associated details. This doesn't grant access to the product environments or their contents. |
| View users and groups | View all users and groups in the account and their group memberships. |
| Manage users and groups | View, add, and remove users and groups in the account, and manage group memberships. |
| View account security settings | View account-wide security settings related to authentication, access control, and user privacy. |
| Manage account security settings | Define account-wide security settings related to authentication, access control, and user privacy. |
| Manage roles and permissions | View, create, update, and delete all roles, define their permissions, and assign roles to users, groups, API keys, and other resources. |
| View Billing | View plan details, add-on subscriptions, and current usage and billing information. |
| Manage Billing | View and manage all billing-related information, including plan details, payment method, and add-on subscriptions. To purchase add-ons for additional users or product environments, this permission must be paired with the 'View users and groups' and 'View product environments' permissions, respectively. |
Product environment settings
You can assign the permissions in this section to users and groups through roles.
You can assign 'View API keys' and 'Manage API keys' permissions to account-level API keys.
You can assign other permissions listed below, if available programmatically, to product environment API keys.
The table below describes each permission and what it allows:
| Permission | Description |
|---|---|
| View API keys | View all API keys and associated details. |
| Manage API keys | View, create, and delete API keys, and update their associated details. |
| Manage upload settings | View, create, modify, or delete upload settings, such as upload presets, upload mappings, and upload defaults. |
| Manage backup settings | Manage backup settings, including selecting a backup location and enabling or disabling backup for newly uploaded assets. |
| Back up existing assets | Initiate a backup for all existing assets. |
| Access Bulk Delete settings | Delete assets in bulk based on filter criteria from the Bulk Delete page in Console Settings. |
| Manage optimization settings | Define optimization settings such as image and video quality, and handling of CMYK in derived images. |
| Manage delivery settings | Define access control list (ACL) conditions and rules in the Console to control who can access assets. |
| View webhook notifications | View webhook notification URLs the event types sent to each one. |
| Manage webhook notifications | View, create, and delete webhook notification URLs, and manage the event types sent to each one. |
| Manage product environment security settings | Configure security settings that control how the assets in your product environment can be delivered. |
Dashboard and reports
You can assign the permissions in this section to groups and users through roles.
| Permission | Description |
|---|---|
| Access the Assets Dashboard | View the Assets Dashboard, including usage summaries and trend graphs. Access is limited to data the user is permitted to see. |
| View Delivery Reports | View detailed media delivery analytics, such as bandwidth and request usage, top-performing assets and transformations, referral domains, and formats. |
| View Error Reports | View delivery error trends, including any errors generated from API calls or delivery URL requests. |
| View Monthly Value Reports | View metrics that highlight Cloudinary’s added value, such as bandwidth savings and time saved through automation. |
| Access Monthly Usage Reports | Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console. |
Cloudinary Image
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Access Cloudinary Image | Access the Cloudinary Image product and use the Transformation Builder for single and bulk transformations, including within the Media Library. |
| View unnamed transformations | View unnamed transformations that were applied to assets. |
| Manage unnamed transformations | Manage unnamed transformations, including deleting them and configuring whether they can be used when Strict Transformations are enabled. |
| View all named transformations | View all named transformations and the individual transformations they include. |
| Delete all named transformations | Delete all existing named transformations. |
| Update all named transformations | Update existing named transformations |
| Create named transformations | Create new named transformations. |
Cloudinary Video
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Access Cloudinary Video | NEW Access the Cloudinary Video product in the Console, including tools for managing video assets, customizing video players, and previewing transformed video content. |
| View Video Analytics | View Video Player performance metrics in the Video Analytics page, including plays, watch time, unique viewers, and top-performing videos. |
| Manage live streams | Create, update, and delete live stream entries, configure stream settings, and access live stream details. |
| Manage Video Player profiles | Create, edit, and apply video player profiles to control player appearance and behavior, with access to the Video Player Studio for visual customization. |
Management via Assets and APIs
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Manage structured metadata fields | Create and manage structured metadata fields, define conditional rules, and configure datasources (list values) for single and multi-selection fields. |
| Relate assets | Create and manage relationships between assets. Also requires the 'View assets’ folder permission, or the 'View all folders and assets’ global permission. |
| Use add-ons | Apply functionality from add-ons that are enabled for the account. Note that usage may consume quota based on the add-on plan. |
| Delete all folders and assets | Delete all folders and assets without requiring specific folder permissions. |
| View all folders and assets | View all folders and assets without requiring specific folder asset permissions. Downloading requires a separate permission. |
| Download all folders and their public assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. |
| Download all folders and their restricted assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. |
| Create folders in all locations | Create folders anywhere within the folder hierarchy without requiring specific folder permissions. |
| Upload assets | Upload assets to any folder, including the root, without requiring specific folder permissions. Includes the option to select an upload preset and apply tags and metadata. |
| Update all folders and assets | Move, rename, and overwrite all folders and assets without requiring specific folder permissions. |
| Update access control for all assets | Change access control settings for all assets between 'Public' and 'Restricted' without requiring specific folder permissions. |
Management via Assets
You can assign the permissions in this section to users and groups through roles.
| Permission | Description |
|---|---|
| Manage basic portals | Manage all portals with full create, read, update, and delete permissions. |
| Set Media Library Preferences | Control the way the Media Library looks and behaves for all users in the product environment. |
| View and generate activity reports | View and generate reports that list all account management activities and product environment actions. |
| Access the Moderation page | Access the Moderation page. To view assets on this page, pair this permission with the 'View assets' folder permission, or 'View all folders and assets' global permission. To also approve or reject assets, pair it with 'Moderate assets' folder permission or 'Moderate all assets' global permission. |
| Access the Media Library | Access the Media Library within the Console. Without this permission, users can't view any assets. |
| Manage the Assets App Marketplace | Manage the App Marketplace by enabling or disabling apps that extend DAM functionality based on company needs. |
| Use DAM Apps | Access and use DAM apps that have been enabled from the Assets App Marketplace, directly within the Media Library. |
| Bulk update structured metadata via CSV | Upload a CSV file to bulk update structured metadata fields across multiple assets. |
| Access delivery URLs via the Console | Access delivery URLs of original and transformed assets, including the ability to view, copy, and open them in a new tab. Access is limited to assets the user is permitted to view. |
| Delete asset comments | Delete the user’s own comments on assets. |
| Create EasyFlows from the Media Library | Create EasyFlows within the Media Library to streamline Assets workflows. |
| Moderate all assets | Approve and reject all assets in moderation. To perform these actions from the Moderation page, pair this permission with 'Access the Moderation page'. To view the assets on the page, pair it with the 'View all folders and assets' global permission. |
| Start creative approval proofs | Create a proof using assets the user can view based on their 'View assets' folder permission or the 'View all folders and assets' global permission. Start the proof in a creative approval flow. |
| Manage public links | Create, view, update, and delete public links to share collections externally. Also allows sharing assets directly, provided the user has view access through either the 'View assets' folder permission or the 'View all folders and assets' global permission. |
| Share all folders | Share all folders within the folder hierarchy without requiring specific folder permissions. |
| Create (non-dynamic) collections | Create non-dynamic collections. |
| View all (non-dynamic) collections | View all non-dynamic collections and the assets inside them without requiring folder permissions. |
| Manage all (non-dynamic) collections | Manage all non-dynamic collections. Includes renaming collections and adding or removing assets the user view can via the 'View assets' collection permission or the 'View all folders and assets' global permission. |
| Invite to all (non dynamic) collections | Invite other users to access all non-dynamic collections and assign them different permission levels. |
| Manage all dynamic collections | Create, update, publicly share, and delete dynamic collections, as well as view all assets included in them. |
Other Cloudinary products
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Permission | Description |
|---|---|
| Access MediaFlows | Access the MediaFlows product to build, view, and manage visual workflows for automating media-related tasks. |
| Manage all MediaFlows | Create, update, and delete all PowerFlows and EasyFlows. |
| View MediaFlows usage and plan details | View current MediaFlows plan details, credit usage, and usage breakdowns across all product environments. |
| Change MediaFlows plan | Upgrade or downgrade the current MediaFlows plan from the Console’s plan management interface. |
| View all MediaFlow logs | View MediaFlows activity logs across all product environments, including actions performed by users, API calls, and system events. |
| Access FinalTouch | Access the FinalTouch product to create, customize, and publish product galleries and shoppable experiences using Cloudinary assets. |
| Access Cloudinary 3D | Access the Cloudinary 3D product to upload, manage, and preview 3D assets within the Console. |
Folder permissions
You can assign the permissions in this section to users, groups, or product environment API keys through folder roles.
Note
Assign folder roles to users and groups via the Media Library or the Permissions API, and to product environment API keys via the Permissions API only.| Permission | Description |
|---|---|
| View assets | View all assets in the folder and its nested subfolders. |
| Download public assets | Download all assets marked as 'Public' in the folder and its subfolders. |
| Download restricted assets | Download all assets marked as 'Restricted' in the folder and its subfolders. |
| Add assets | Add assets to the folder by uploading new files, saving an asset as new, or moving existing assets from other folders. Tags and structured metadata can be applied during upload. |
| Create subfolders | Create subfolders or move existing folders into this folder. |
| Edit assets and metadata | Perform actions on assets in the folder and its subfolders, including replacing and editing assets, restoring versions, and updating tags, structured metadata, and contextual metadata. |
| Rename subfolders | Rename subfolders within the folder. This doesn't include permission to rename the folder itself. |
| Rename assets | Edit the display names and public IDs of assets in the folder and its subfolders. In the legacy fixed-folder mode, renaming a public ID also requires the ‘Move assets’ permission. |
| Delete assets | Delete assets in the folder and its subfolders. |
| Delete subfolders | Delete subfolders within the folder. To delete subfolders that contain assets, the user must also have the 'Delete assets' permission for those subfolders. |
| Move assets | Move assets between folders. This action also requires the 'Add assets' permission for the destination folder. |
| Delete folder | Delete the folder and its contents. If the folder contains assets, the user must also have the 'Delete assets' permission for the folder. This action is limited to folders with 1,000 assets or fewer. |
| Rename folder | Rename the folder and its subfolders. This action isn't available in fixed folder mode. |
| Move folder | Move the folder and all of its contents to a different location in the folder hierarchy. For example, move Folder A (and its subfolder B) into a new parent folder. In fixed folder mode, this action also requires the 'Move assets' permission for the folder. |
| Move subfolders | Move subfolders to a different location in the folder hierarchy. For example, move Folder C out of Folder B, without moving Folder B itself. In fixed folder mode, this action also requires the 'Move assets' permission for the subfolder. |
| Moderate assets | Approve or reject assets in the folder and its subfolders. To view these assets on the Moderation page, pair this with the global 'Access the Moderation page' permission, along with either 'View assets' folder permission or 'View all folders and assets' global permission. |
| Manage public links to assets | Create, view, update, and delete public links for assets in the folder and its subfolders, including setting access date ranges. |
| Edit access control | Set asset access control to 'Public' or 'Restricted' for assets in a folder and its subfolders, with an optional date range for public access. |
| Share with users/groups | Manage user and group access to the folder and its subfolders. Users can only assign and remove permission levels that are equal to or lower than their own for that folder. |
Collection permissions
You can assign the permissions in this section to users and groups through collection roles.
| Permission | Description |
|---|---|
| View collection | View the collection and all the assets in it without requiring global or folder permissions for those assets. |
| Download public assets | Download all assets marked as 'Public' in the collection without requiring global or folder permissions. |
| Download restricted assets | Download all assets marked as 'Restricted' in the collection without requiring global or folder permissions. |
| Add assets | Add assets to the collection. Users can only add assets they are permitted to view via the 'View assets' folder permission or the 'View all folders and assets' global permission. |
| Remove assets | Remove assets from the collection. Users can only remove assets they are permitted to view via the 'View assets' folder permission or the 'View all folders and assets' global permission. |
| Edit collection details | Rename the collection and edit its description. |
| Delete collection | Delete the collection. This action doesn't affect the assets in it. |
| Manage public link | View, create, copy, update, configure, and delete the public link for a collection. |
| Invite users and groups | Invite users and groups to a collection, and add, edit, or remove their permissions. Users can only assign and remove permission levels that are equal to or lower than their own for that collection. |
Tip
You can view a full list permissions per type of role by navigating to Role Management page in the Console Settings and selecting the Global, Folder or Collection tab.
- Select to view an existing system role to review its name, description, and fixed permissions.
- Create a global or folder custom role to view all available permissions for that role type.
✖️
Error
Rate this page:
