Manage roles
Last updated: Jun-30-2025
Cloudinary roles define what users, groups, and API keys can access and do across your account. Managing roles via the Permissions API allows you to create, update, and delete custom roles programmatically—so you can scale permissions consistently without assigning individual policies one by one.
On this page, you’ll learn how to:
- Permissions API reference: Full list of endpoints and schemas
- Assigning roles programmatically: How to assign roles via API
- Defining custom policies: Create and apply policies outside of roles
- Managing roles in the Console: UI-based role management
Retrieve roles and policies
Use these endpoints to inspect and audit your roles and available policy options:
Endpoint | Use Case |
---|---|
GET /roles?management_type=system | List all system roles |
GET /roles?management_type=custom | List custom roles you've created |
GET /roles/{role_id} | View the policies included in a specific role |
GET /policies/system | List all available system policies |
For more information on system roles and policies, see System roles and policies.
Manage custom roles
Use these endpoints to manage custom roles for your account or product environments.
Create a custom role
Use POST /roles/custom to define a role and include the system policies it should grant.
You must specify:
- permission_type: global or content
- scope_type: account or prodenv
- One or more system_policy_ids
- (Optional) id, name, and description
Global roles apply to all content or account-level features. Content roles apply to specific folders or collections and require policy_parameters when assigning.
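The following Python example is added here and is not Cloudinary's own sample code. It validates the required fields listed above and builds the POST /roles/custom request without sending it. The flat JSON body shape, the role id and name, the function name, and the at_assignment field are assumptions made for this example; the policy ID is one listed in the table under "Actions that require multiple permissions".

```python
import json

PERMISSION_TYPES = {"global", "content"}
SCOPE_TYPES = {"account", "prodenv"}

def build_custom_role_request(permission_type, scope_type, system_policy_ids,
                              role_id=None, name=None, description=None):
    """Validate the documented required fields and return the request to send."""
    if permission_type not in PERMISSION_TYPES:
        raise ValueError(f"permission_type must be one of {sorted(PERMISSION_TYPES)}")
    if scope_type not in SCOPE_TYPES:
        raise ValueError(f"scope_type must be one of {sorted(SCOPE_TYPES)}")
    if isinstance(system_policy_ids, str):
        raise ValueError("system_policy_ids must be a list, not a single string")
    policies = list(dict.fromkeys(system_policy_ids))  # drop duplicates, keep order
    if not policies or not all(isinstance(p, str) and p for p in policies):
        raise ValueError("system_policy_ids needs at least one non-empty policy ID")
    body = {"permission_type": permission_type, "scope_type": scope_type,
            "system_policy_ids": policies}
    # id, name and description are optional: send only the ones provided.
    for key, value in (("id", role_id), ("name", name), ("description", description)):
        if value is not None:
            body[key] = value
    # What must still be supplied later, when the role is assigned.
    at_assignment = []
    if permission_type == "content":
        at_assignment.append("policy_parameters")
    if scope_type == "prodenv":
        at_assignment.append("product environments")
    return {"method": "POST", "path": "/roles/custom", "body": body,
            "at_assignment": at_assignment}

if __name__ == "__main__":
    # Constructed sample: a content role limited to one folder-level policy.
    req = build_custom_role_request(
        "content", "prodenv",
        ["cld::policy::content::folder::move_assets"],
        role_id="folder_mover", name="Folder mover")
    print(req["method"], req["path"])
    print(json.dumps(req["body"], indent=2))
    print("Supply when assigning:", ", ".join(req["at_assignment"]))
```

Keeping system_policy_ids to the smallest set a role needs, and reviewing the at_assignment list before rollout, helps keep each custom role scoped to least privilege.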
Example 1: Create a global role to manage uploads
Example 2: Create a content role for folder access
Example 3: Create an account-level role for admin tasks
If scope_type is prodenv, you must specify the product environments when assigning the role. You can assign to "all" environments or a specific list of product environment IDs.
Update or delete a custom role
Update a role: PUT /roles/custom/{role_key}. You can update the role’s name, description, or system policies.
Delete a role: DELETE /roles/custom/{role_key}. Roles can only be deleted if they aren’t currently assigned.
Considerations for planning roles effectively
Actions that require multiple permissions
Some tasks require multiple permissions to enable. If a user doesn't have all the permissions listed for that action, they won't be able to perform it. Make sure the roles you create contain all the listed permissions to perform these actions:
Action | Required System Policies |
---|---|
Use Moderation tab to moderate assets | Access the moderation page: cld::policy::global::moderation_queue::access Moderate all assets or assets in folders: View the assets to moderate: |
Add assets to (non-dynamic) collections | Add assets to all collections or specific collections: cld::policy::content::collection::add_assets OR cld::policy::global::collections::manage View the assets to add to collections: |
Remove assets from (non-dynamic) collections | Remove assets from all collections or specific collections: cld::policy::content::collection::remove_assets OR cld::policy::global::collections::manage View assets to remove from collections: |
Relate one asset to another | Relate assets: cld::policy::global::asset_relation::create View the assets you want to relate: |
Move assets between folders | Move assets out of the source folder: cld::policy::content::folder::move_assets Move assets into the destination folder: |