System roles and permissions
Last updated: Jun-30-2025
-
System roles: Cloudinary provides a set of built-in roles called system roles, predefined permission sets tailored for common responsibilities like marketing, design, analytics, and admin tasks
System roles make it easy to assign consistent access. You can assign them directly to users, groups, or API keys in the Console, without any further configuration.
Permissions: All roles are defined by permissions, where each permission controls a specific action. System roles have a fixed set of permissions, while custom roles let you choose which permissions to include.
This page lists all available system roles and individual permissions, helping you understand what each role and permission allows, so you can make informed decisions when assigning roles or designing custom ones.
On this page:
System roles
System roles contain a fixed set of predefined permissions. Use system roles for fast, consistent access setup.
Below are tables summarizing the permission details for each role, divided by scope (account or product environment) and permission type (global, folder, or collection):
You can assign account-level global, product environment–level global, and folder roles to both users and groups for Console actions, and to account or product environment API keys for programmatic access. Collection roles apply only to users and groups for Console actions.
If you assign a role that doesn’t match the scope or access type, it has no effect.
Tip
You can view a full list of system roles by navigating to Role Management page in the Console Settings, selecting the Global, Folder or Collection tab, and filtering the table for System roles.Account-level global roles
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for account API keys.
| Role Name | Description |
|---|---|
| Master Admin | Manage all account-level settings and features. |
| Admin | Manage account-level settings and features, including roles and user and group management. Account security, billing, and product environment creation and management aren't allowed. |
| Billing | Manage account-level billing, including current plan, payment methods, tracking usage, and purchasing add-ons. |
| Reports | View account-level reports and usage metrics, including audit logs, dashboard usage summaries, and account-wide activity reports. |
Product environment-level global roles
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for product environment API keys.
| Role Name | Description |
|---|---|
| Master Admin | Fully access and manage all product environments, including Console settings and preferences, all features across Cloudinary products, and all dashboards and reports. |
| Admin | Access and manage permitted product environments, including Console settings (excluding Media Library preferences), all features across Cloudinary products, and relevant dashboards and reports. |
| Tech Admin | Access and manage technical areas within permitted product environments, including Console settings (excluding Media Library preferences), all key features across Cloudinary products except MediaFlows, and relevant dashboards and reports. |
| Media Library Admin | Access and manage all features in the Assets Media Library for permitted product environments, as well as transformations, creative approval, and App Marketplace. Excludes Console settings, structured metadata, dashboards, portals, and other products. |
| Media Library User | Use Media Library features based on assigned user groups and content permissions. This role excludes all features and products outside the Assets Media Library. |
| Reports | Access product environment-level reporting details only, including delivery and error reports, transformation logs, and reports and logs for all Cloudinary products. |
Folder roles
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for product environment API keys.
| Role Name | Description |
|---|---|
| Creator | This is the same as Manager. Seems like we don't need this one b/c it's automatic for the creator and not assignable. |
| Manager | Full control over folder contents, including creating public links, setting asset access control, sharing the folder with users or groups, and managing their access. Includes all Editor permissions. |
| Contributor | Contribute new content by uploading, saving as new, creating subfolders, and moving assets in. Includes all 'Viewer' permissions. Contributors can’t edit, delete, rename, share, or manage folder access. |
| Viewer | View the folder and its contents for browsing or downloading assets. Viewers can’t upload, edit, delete, rename, move, share, or manage folder access. |
| Editor | Edit content, including restoring versions, updating metadata and tags, and renaming assets and subfolders. Includes all 'Contributor' permissions. Editors can’t delete content, move assets out, share the folder, or manage access. |
Collection roles
These roles can are relevant to groups, users.
| Role Name | Description |
|---|---|
| Manager | Manage the collection and its contents, including viewing, downloading, adding, or removing assets, deleting the collection, updating details, managing public links, and inviting collaborators. |
| Collaborator | Add to and contribute to the collection, including viewing, downloading, and adding assets. Collaborators can't remove assets, edit collection details, share publicly, or invite others. |
| Distributor | Share the collection with others, including viewing and downloading assets and inviting others to access the collection. Distributors can't modify content or settings. |
| Viewer | View and download assets in the collection. Viewers can't edit, manage, or share the collection. |
Note
You can't modify system roles, but you can duplicate them to use them as the basis for a new custom role. For more information, see Manage roles.Permissions
View all permissions that Cloudinary provides. These permissions are included in system roles, and you can select your own set of permissions to include in custom roles.
The list of permissions is divided by:
Global permissions
Account settings
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for account API keys.
| Permission | Description |
|---|---|
| Manage account information | Edit account information in the Console. |
| Manage account API keys | View account API keys that authenticate the Provisioning and Permissions APIs, update their details, and generate new key pairs. |
| View account security settings | View account-wide security settings related to authentication, access control, and user privacy. |
| Manage account security settings | Define account-wide security settings related to authentication, access control, and user privacy. |
| View Billing | View plan details, add-on subscriptions, and current usage and billing information. |
| Manage Billing | View and manage all billing-related information, including plan details, payment method, and add-on subscriptions. To purchase add-ons for additional users or product environments, this permission must be paired with the View users and groups and View product environments permissions. |
| View roles and permissions | View all roles, the permissions included in each one, and the users, groups, API keys, and other resources assigned to each role. |
| Manage roles and permissions | View, create, update, and delete all roles, define their permissions, and assign roles to users, groups, API keys, and other resources. |
| View product environments | View a list of all product environments in the account and their associated details. This doesn't grant access to the product environments or their contents. |
| Manage product environments | View, add, and remove product environments in the account, and update their associated details. This doesn't grant access to the product environments or their contents. |
| View users and groups | View all users and groups in the account and their group memberships. |
| Manage users and groups | View, add, and remove users and groups in the account, and manage group memberships. |
| View the Home Dashboard | View product environment credentials (such as API keys), along with account-level metrics, credit usage, plan details, and error summaries across all product environments. |
| View the Monthly Value Report | View metrics that highlight Cloudinary’s added value, such as bandwidth savings and time saved through automation. |
| Access Monthly Usage Report | Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console. |
Product environment settings
These roles can are relevant to groups, users.
Except for 'View API keys' and 'Manage API keys', which are relevant for account API keys via the Provisioning API, actions that are available programmatically are also relevant for account API keys.
| Permission | Description |
|---|---|
| View API keys | View all API keys and associated details. |
| Manage API keys | View, create, and delete API keys, and update their associated details. |
| Manage upload settings | View, create, and delete upload presets and upload mappings, and manage upload defaults. |
| Manage backup settings | Enable or disable automatic backups for newly uploaded assets, and initiate backup for all existing assets. |
| View optimization settings | View optimization settings such as image and video quality and handling of CMYK in derived images. |
| Manage optimization settings | Define optimization settings such as image and video quality, and handling of CMYK in derived images. |
| View delivery settings | View access control list (ACL) conditions and rules in the Console, which define who can access assets. |
| Manage delivery settings | Define access control list (ACL) conditions and rules in the Console to control who can access assets. |
| View webhook notifications | View webhook notification URLs and their notification types in the Console, or retrieve them via the triggers endpoint of the Admin API. |
| Manage webhook notifications | View, create, and delete webhook notification URLs, and configure their notification types via the Console or the triggers endpoint of the Admin API. |
| Manage product environment security settings | Define security settings that control how the assets in your product environment can be delivered. |
Dashboard and reports
These roles can are relevant to groups, users.
| Permission | Description |
|---|---|
| View the Home Dashboard | View product environment credentials (such as API keys), along with account-level metrics, credit usage, plan details, and error summaries across all product environments. |
| View the Delivery Report | View detailed media delivery analytics, such as bandwidth and request usage, top-performing assets and transformations, referral domains, and formats. |
| View the Error Report | View metrics that highlight Cloudinary’s added value, such as bandwidth savings and time saved through automation. |
| View the Monthly Value Report | View metrics that highlight Cloudinary’s added value, such as bandwidth savings and time saved through automation. |
| Access Monthly Usage Report | Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console. |
Cloudinary Image
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for product environment API keys.
| Permission | Description |
|---|---|
| Access Cloudinary Image | Access the Cloudinary Image product and use the Transformation Builder for single and bulk transformations in the Media Library. |
| View all named transformations | View named transformations using the Console or the Get transformations method of the Admin API. |
| Delete all named transformations | Delete all existing named transformations using the Console or the Delete transformation method of the Admin API. |
| Update all named transformations | Update existing named transformations using the Transformation Builder. To update templates in Studio and the Media Library, this permission must be paired with the 'Create named transformations' permission. |
| Create named transformations | Create new named transformations using the Transformation Builder. To create new templates in Studio and the Media Library, this permission must be paired with the 'Update all named transformations' permissions. |
| View unnamed transformations | View unnamed transformations previously applied to assets, using the Console or the Get transformations method of the Admin API. |
| Manage unnamed transformations | Create and update unnamed transformations previously applied to assets, using the Console or the Update transformations method of the Admin API. |
Cloudinary Video
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for product environment API keys.
| Permission | Description |
|---|---|
| Manage live streams | Create, update, and delete live stream entries, configure stream settings, and access live stream details within the Cloudinary Console. |
| Access Cloudinary Video | Access the Cloudinary Video product in the Console, including tools for managing video assets, customizing video players, and previewing transformed video content. |
| View Video Analytics | View Video Player performance metrics in the Video Analytics page, including plays, watch time, unique viewers, and top-performing videos. Use this data to understand engagement and optimize video delivery. |
| Manage Video Player profiles | Create, edit, and apply video player profiles to control player appearance and behavior, with access to the Video Player Studio for visual customization. |
Management via Assets and APIs
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for product environment API keys.
| Permission | Description |
|---|---|
| Manage structured metadata fields | Create and manage structured metadata fields, define conditional rules, and configure datasources (list values) for single and multi-selection fields. |
| Use add-ons | Apply functionality from add-ons that are enabled for the account. Note that usage may consume quota based on the add-on plan. |
| Relate assets | Create and manage relationships between assets. Viewing related assets requires folder-level or global permissions. |
| Delete all folders and assets | Delete all folders and assets without requiring specific folder or asset permissions. |
| Download all folders and their public assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. |
| Download all folders and their restricted assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. |
| Create folders in all locations | Create folders anywhere within the folder hierarchy without requiring specific folder permissions. |
| Upload assets | Upload assets to any folder, including the root, without requiring specific folder permissions. Includes the option to select an upload preset and apply tags and metadata. |
| Update all folders and assets | Move, rename, and overwrite all folders and assets without requiring specific folder or asset permissions. |
| Update access control for all assets | Change access control settings for all assets between 'Public' and 'Restricted' without requiring specific folder or asset permissions. |
| Restore deleted assets | Restore all deleted assets. |
Management via Assets
These roles can are relevant to groups, users.
| Permission | Description |
|---|---|
| Manage basic portals | Manage all portals with full create, read, update, and delete permissions. |
| Set Media Library Preferences | Control the way the Media Library looks and behaves for all users in the product environment. |
| Access the Assets Dashboard | View the Assets Dashboard, including usage summaries and trend graphs. Access is limited to data the user is permitted to see. |
| View and generate activity reports | View and generate reports that list all account management activities and product environment actions. |
| Access the Media Library | Access the Media Library within the Console. Without this permission, users can't view any assets. |
| Access delivery URLs via the Console | Access delivery URLs of original and transformed assets, including the ability to view, copy, and open them in a new tab. |
| Access the Moderation page | View, approve, and reject assets via the Moderation page. Access is limited to assets in folders where the user has the 'View all assets in a folder and its subfolders' permission, or all assets if the user has the global 'View all folders and assets' permission. |
| Moderate all assets | View, approve, and reject all assets in the moderation queue. This permission shoul be paired with the 'View all folders and assets' global permission. |
| Bulk update structured metadata via CSV | Upload a CSV file to bulk update structured metadata fields across multiple assets. |
| Manage the Assets App Marketplace | Manage the App Marketplace by enabling or disabling apps that extend DAM functionality based on company needs. |
| Use DAM Apps | Access and use DAM apps that have been enabled from the Assets App Marketplace, directly within the Media Library. |
| Delete asset comments | Delete all comments the user added to assets. |
| Manage portals | Manage all portals with full create, read, update, and delete access. The 'View collection' permission is required to add a specific collection to a portal. |
| Start creative approval proofs | Create proofs using assets the user has permission to view via the 'View all subfolders and assets in a folder' folder permission, or the 'View all folders and assets' global permission, and send them to a selected approval flow. |
| Create EasyFlows from the Media Library | Create EasyFlows within the Media Library to streamline Assets workflows. |
| Moderate all asset ?? | View, approve, and reject all assets in the moderation queue. This permission should be paired with the 'View all folders and assets' global permission. |
| View all folders and assets ?? | View all folders and assets without requiring specific folder or asset permissions. Downloading requires a separate permission. |
| Manage public links | Create, view, update, and delete public links to share collections externally. Also allows sharing assets directly, provided the user has view access through either the 'View all assets in a folder and its subfolders' permission or the global 'View all folders and assets' permission. |
| Share all folders | Share all folders within the folder hierarchy without requiring specific folder permissions. |
| Create (non-dynamic) collections | Create collections, excluding dynamic collections. |
| View all (non-dynamic) collections | View all collections and the assets inside them without requiring folder or asset permissions. This excludes dynamic collections. |
| Manage all (non-dynamic) collections | View and manage all collections and their assets without requiring folder permissions. Includes renaming collections and adding or removing assets the user can view via the 'View all assets in a folder and its subfolders' permission or the global 'View all folders and assets' permission. This excludes dynamic collections. |
| Invite to all (non dynamic) collections | Invite other users to access all classic collections and assign them different permission levels. This excludes dynamic collections. |
| Manage dynamic collections | Create, update, publicly share, and delete dynamic collections. Includes permission to view all assets included in dynamic collections. |
Other Cloudinary products
These roles can are relevant to groups, users. Actions that are available programmatically are also relevant for product environment API keys.
| Permission | Description |
|---|---|
| Access FinalTouch | Access the FinalTouch interface to create, customize, and publish product galleries and shoppable experiences using Cloudinary assets. |
| Access Cloudinary 3D | Access the Cloudinary 3D product to upload, manage, and preview 3D assets within the Console. |
| Can access Media Optimizer | Access the Media Optimizer from the left navigation menu. |
| Access MediaFlows | Access the MediaFlows interface to build, view, and manage visual workflows for automating media-related tasks. |
| Manage all MediaFlows | Create, update, and delete all PowerFlows and EasyFlows. |
| View all MediaFlows | View all PowerFlows and EasyFlows. |
| View MediaFlows usage and plan details | View current MediaFlows plan details, credit usage, and usage breakdowns across all product environments. |
| Change MediaFlows plan | Upgrade or downgrade the current MediaFlows plan from the Console’s plan management interface. |
| View all MediaFlow logs | View MediaFlows activity logs across all product environments, including actions performed by users, API calls, and system events. |
Folder roles
You can assign folder roles to users, groups, and product environment API keys on specific folders in the Media Library.
| Permission | Description |
|---|---|
| View all assets | View all assets in a folder and its nested subfolders. |
| Download all public assets | Download all assets marked as 'Public' in a folder and its subfolders. |
| Download all restricted assets | Download all assets marked as 'Restricted' in a folder and its subfolders. |
| Download all assets | Download all assets in a folder and its subfolders. |
| Add assets | Add assets by uploading new files, saving an asset as new, or moving existing assets from other folders. Tags and structured metadata can be applied during upload. |
| Create subfolders | Create subfolders or move existing folders into this folder. |
| Edit assets and metadata | Perform actions on assets in a specific folder and its subfolders, including replacing and editing assets, restoring versions, and updating tags, structured metadata, and contextual metadata. |
| Rename subfolders | Rename subfolders within a specified folder. This doesn't include permission to rename the folder itself. |
| Rename assets | Edit the display names and public IDs of assets in a specified folder and its subfolders. In the legacy fixed-folder mode, renaming a public ID also requires the ‘Move assets’ permission. |
| Delete assets | Delete assets in a specified folder and its subfolders. |
| Delete subfolders | Delete subfolders within a specified folder. To delete subfolders that contain assets, the user must also have the 'Delete assets' permission for those assets. |
| Move assets | Move assets between folders. This action also requires the 'Add assets' permission for the destination folder. |
| Delete folder | Delete a specified folder and its contents. If the folder contains assets, the user must also have the 'Delete assets' permission for all of them. This action is limited to folders with 1,000 assets or fewer. |
| Rename folder | Rename a folder and its subfolders. This action isn't available in the legacy fixed folder mode. |
| Move folder | Move a folder and all of its contents to a different location in the folder hierarchy. In product environments with fixed folder mode, this also requires the 'Move assets' permission for the folder. |
| Move subfolders | Move subfolders to a different location in the folder hierarchy. In fixed folder mode, this also requires the 'Move assets' permission for the subfolder. |
| Moderate assets | Approve or reject assets in the folder and its subfolders via the Moderation page in the Media Library. Also requires the global 'Access the Moderation page' permission. |
| Manage public link to asset | Create, view, update, and delete public links for assets in the folder and its subfolders, including setting access date ranges. |
| Edit access control | Set asset access control for assets in the folder and its subfolders to 'Public' or 'Restricted', with optional date-based rules for limited-time public access. |
| Share with users/groups | Manage user and group access to the folder and its subfolders. |
Collection roles
You can assign collection roles to users and groups on specific collections in the Media Library.
| Permission | Description |
|---|---|
| View collection | View the collection and all the assets in it without requiring global or folder permissions for those assets. |
| Download collection | Download all assets in the collection without requiring global or folder permissions for those assets. |
| Add assets | Add assets to the collection. Users can only add assets they are permitted to view, either through the 'View all assets in a folder' permission or the global 'View all folders and assets' permission. |
| Remove assets | Remove assets from the collection. Users can only remove assets they are permitted to view, either through the 'View all assets in a folder' permission or the global 'View all folders and assets' permission. |
| Edit collection | Rename the collection and edit its description. |
| Delete collection | Delete the collection. This action doesn't affect the assets in it. |
| Manage collection's public link | View, create, copy, update, configure, and delete the public link for a collection. |
| Invite users and groups | Invite users and groups to a collection, and add, edit, or remove their permissions. Users can only assign permission levels that are equal to or lower than their own for that collection. |
| Create collections | Create new collections. Managing the collection or adding assets requires separate permissions. |
Tip
You can view a full list permissions per type of role by navigating to Role Management page in the Console Settings, selecting the Global, Folder or Collection tab. Select to view an existing system role to review its name, description, and fixed permissions. Create a role to view all available permissions for that role type.
✖️
Error
Rate this page:
