Role Management in the Console

Image & Video APIs

Last updated: Jul-21-2025

Use the Cloudinary Console to define and manage roles that control access to features, settings, assets, and other types of content. Roles are reusable sets of permissions that you assign to users and groups to manage access within the Console, or to API keys to control what developers and applications can do via Cloudinary's APIs.

To view and manage roles, go to the Role Management page in Console Settings and select the Global Roles, Folder Roles, or Collection Roles tab.

Important

Cloudinary's Roles and Permissions Management is now available as a Beta. This is an early stage release, and while it's functional and ready for real-world testing, it's subject to change as we continue refining the experience based on what we learn, including your feedback. During the Beta period, core functionality is considered stable, though some APIs, scopes, or response formats may evolve. We'll also be expanding the documentation with additional examples, best practices, and implementation tips.

How you can help:

Use Roles and Permissions Management in real projects, prototypes, or tests.
Share feedback, issues, or ideas with our support team.
Thank you for exploring this early release and helping us shape these tools to best meet your needs.

Tip

You can also use the Permissions API to define custom roles and assign system or custom roles to a user, group, or API key.

On this page:

Manage roles
Assign roles
Use cases

Manage roles

You can:

View system roles
View, create, edit, and delete custom roles

All roles contain permissions (called system_policies in the API) that are pre-defined by Cloudinary. These permissions determine what the role allows.

System roles include a fixed set of permissions. You can view them, but you can’t choose which ones to include.
Custom roles let you choose which permissions to include.

Cloudinary provides system roles for that apply globally, as well as to folders and collections.

You can create custom roles that apply globally and to folders.

Tip

To learn more about these role types, see Key role attributes.

The following sections explain how to handle roles of all different types.

View all roles

The Role Management page includes separate tabs for Global, Folder, and Collection roles. Each tab displays a role count at the top and includes filters tailored to that role type.

Roles display in a table format. Here’s a summary of the columns shown:

Tab	Column	Description
All	Role Name	Name of the role. Click to view details (system roles) or edit (custom roles).
Global Roles	Permission Level (scope)	Whether the role applies at the account level or to product environments. (Folder and collection roles are always scoped to a single product environment.)
All	Type	Indicates whether the role is a System Role (predefined by Cloudinary) or a Custom Role (created by your organization).
All	Description	Optional explanation of the role’s purpose.
Folder & Collection Roles	Status	Whether the role is Visible or Hidden in the Media Library. Hidden roles stay active where already assigned but can't be newly applied via the Media Library.

Global role management:

Folder role management:

Collection role management:

View role permissions

In the main view, you can see each role's name, permission level (global roles), type, and description. However, to understand what a role actually allows, you'll need to view the specific permissions that the role contains.

To do this, select View (for system roles) or Edit (for custom roles) from the (3-dots) options menu.

The role details panel lists all available permissions relevant to that role type, with the assigned permissions checked. These permissions define what users with the role are allowed to do.
Each permission has a tooltip that gives more details:
- Hover over the i icon to see a description of what the permission enables.
- Developers can hover over the tree icon to view the underlying system policy statement, which specifies the exact resources, features, and actions the permission grants access to.

Create custom roles

When creating custom roles, you can customize the same attributes you see when viewing roles.

When creating a new custom role, you define the Role name and Description. Additional options include:

Copy from existing role (global roles only): Use an existing role as a template.
Permission level (global roles only): Specify whether the role applies at the account level or in product environments.
Permissions: Select the system policies to include in the role. These determine what users with the role are allowed to do.

Create global roles

Create folder roles

Permission levels and available permissions

All roles have a permission level, which determines the scope where the role applies and which permissions are available to assign.

For global roles, you choose whether the role applies at the account level or at the product environment level when creating or assigning the role. The available permissions differ based on this selection, and you can only assign roles that match the selected level.
Folder (and collection) roles are always scoped to a product environment. You assign these roles from within specific content instances that are inherently tied to a product environment.

Note

Assigning a global role at the product environment level doesn't grant access to the product environment itself. To explicitly assign access to product environments, see Grant product environment access to users.

The role creation form dynamically filters permissions based on your selection. You can see a full reference of all available system permission policies.

Edit custom roles

Whereas you can only view system roles, you can also edit custom roles of all types. When you click Edit from the (3-dots) options menu, you can change a custom role's name, description, and the permissions it contains. However, you can't change the permission level for a global role that already exists.

Assign roles

You can assign roles to groups, users, product environment API keys, and account API keys.

Tip

To automate role assignment or assign multiple roles at once use the Permissions API Guide.

Assignment considerations

You can assign roles to groups, users, product environment API keys, and account API keys.

All role types can be assigned to any of these entities. However, some assignments may have no practical effect, depending on scope or context:

Scope matters: If you assign an account-level role to a product environment API key, the permissions won’t apply.

For example, if you try to grant product environment API keys permission to provision users via the Provisioning API, the assignment won't have any effect.
UI-based permissions: Some roles grant access to areas of the Console, such as viewing dashboards or reports.

Assigning these to an API key won’t have any effect, since API keys can’t interact with the UI.

See the full list of system permission policies for details on which permissions are available by scope and applicable to each entity type.

Assign roles to users and groups

To fully manage role assignments for users, these are the key aspects to understand:

How to grant product environment access to users
How to assign roles to groups
How to assign global roles to users (including new and existing users, directly and via group membership)
How to assign content (folder and collection) roles to users

Grant product environment access to users

Selecting product environments when assigning roles only won't actually grant access to the product environment.

You need to grant product environment access to users directly by going to User Management > Users, clicking the edit icon in the Product Environments column, and selecting the product environments to assign.

Assign roles to groups

Group roles allow all group members to inherit the same permissions, making it easier to manage teams with the same access needs.

Assign roles to new or existing groups from User Management > Groups by clicking Create a Group or selecting Assign Roles from a group's context menu.

Select a Permission level, either Account, All product environments, or a specific product environment.
- If you select the system product environment Master Admin role, All product environments is selected and can't be changed.
- If you select a system account-level role, Account is selected and can't be changed.
Choose one or more roles to assign. Only roles relevant to the selected permission level are shown.

Important

Users inherit roles from their groups, including product environment–scoped roles. However, group membership doesn't grant access to those product environments. To give access, use the Product Environments column in User Management.

Assign global roles to users

You can assign roles to users when inviting them into an account, or by editing their profile later, either directly or by adding users to groups.

New users

Grant permissions at the time of invitation by going to User Management > Users and clicking Invite.

You can optionally assign the new user to one or more groups. The user will automatically inherit all roles assigned to those groups.

To assign roles directly:

Select a Permission level, either Account, All product environments, or a specific product environment.
- If you select specific product environments (or all), the user is granted access to them as part of this flow.
- If you select the system product environment Master Admin role, All product environments is selected and can't be changed.
- If you select a system account-level role, Account is selected and can't be changed.
Choose one or more roles to assign. Only roles relevant to the selected permission level are shown.

Existing users directly

To assign or edit roles for an existing user, go to User Management > Users and click Assign Roles from the user's context menu.

Choose the Permission level (either Account, All product environments, or a specific product environment), and assign one or more roles.

Important

Selecting a product environment for existing users assigns roles within that environment, but doesn't grant the user access to it. To grant access, use the Product Environments column on the User Management page.

Existing users via group

Users inherit all roles from the groups they belong to. Managing user roles via groups streamlines permission granting because it allows you to add roles to multiple users at once. It also helps apply governance standards by controlling permissions via groups of users.

To assign a user to groups, go to User Management > Users and click Edit Details from the user's context menu. Select one or more groups.

Assign content roles to users

Content roles apply to specific folders or collections. These roles can be assigned from the Media Library using the Share menu, or via the Permissions API.

Assign roles to API keys

Product environment API keys

You can assign product environment API keys roles that apply to their specific environment and support programmatic access. These roles can include global roles (e.g., transformations, upload presets) or folder-level roles (e.g., upload, download, rename, move).

Product environment API keys are commonly used with the Upload and Admin APIs, as well as other Cloudinary APIs such as the Analyze API and Live Streaming API, to manage media, metadata, and related product environment entities.

Assign global roles from the (3-dots) options mention for a key in Settings > API Keys.
You can assign folder roles to API keys programmatically via the Permissions API.

Account API keys

Account API keys support only account-level global roles that can be used programmatically, such as user provisioning. These keys are primarily used for Provisioning and Permissions API operations.

Assign account-level global roles from the (3-dots) options mention for a key in Settings > Account API Keys.

Use cases

Give developers broad access to metadata and assets

A developer building internal tools or dashboards may need access across multiple folders. You can create a custom global role scoped to a product environment that grants: