Role-based permissions overview
Last updated: Jun-30-2025
Cloudinary's role-based permission system lets you control what users, groups, and API keys can do across your account and product environments. Permissions are managed through roles, which contain one or more policies that define specific capabilities.
This page introduces key concepts shared across the Console and Permissions API.
Who you can assign roles to
You can assign roles to the following entities:
- Users: A named user with login access to the Console. Roles control which areas of the Console the user can access.
- Groups: A group of users. Roles assigned to a group apply to all users within it.
- Product environment API keys: Used for programmatic access to a product environment. Roles determine the actions the key can perform via the Admin and Upload APIs.
- Account API keys: Used to perform account administrative tasks, e.g., user provisioning. Roles determine the actions the key can perform via the Provisioning & Permissions APIs.
Key role attributes
Each role has two important attributes:
- Scope type: Where the role applies.
  - account: Scope applies at the Cloudinary account level (e.g., account security, user management, billing, etc.).
  - prodenv: Scope applies to a specific product environment (e.g., managing folders, assets, collections, product environment settings, etc.).

  Note: In the Console, the scope type is referred to as Permission level.
- Permission type: What the role governs (e.g., global permissions, or permissions on specific folder or collection instances).
Permission Type | Description | Scope Type |
---|---|---|
Global | Applies across all content instances (e.g., all folders, all assets) or to high-level account-wide features (e.g., user management, account security). | account or prodenv |
Folder | Controls actions on specific folders and their assets | prodenv |
Collection | Controls collaboration and visibility for specific collections in the Media Library | prodenv |
System roles vs. custom roles
Each role has a management type: system or custom. Both types use system policies, which are predefined permission rules defined by Cloudinary.
System roles are predefined by Cloudinary and include a fixed set of system policies. They can't be edited but are ideal for consistent, quick setup. You can assign them to users, groups, or API keys. For the full list of system roles that Cloudinary provides and what each role allows, see System roles and policies.
Custom roles are defined by you. You choose the name, description, and which system policies to include. This lets you tailor roles to your team's exact needs.
Role Type | Description |
---|---|
System role | Predefined by Cloudinary. Can't be modified. Useful for quick setup. |
Custom role | Created by you. You define the name, description, and permission policies it includes. |
Policies and permissions
Policies define what actions are allowed. A role includes one or more system policies:
- Written in Cedar policy language
- May apply globally or to specific content instances (e.g., a folder)
Policy Type | Applies To | Created By | Assignment method |
---|---|---|---|
System Policy | Users, groups, API keys | Cloudinary | Included in roles and assigned to principals via roles |
Custom Policy | Users, groups, API keys | You (via API) | Assigned directly to principals; not usable in roles |
Common fields glossary
Field | Description |
---|---|
scope_type | account or prodenv. Indicates where the role or policy applies. |
scope_id | Required if scope_type is prodenv. Specifies the target product environment. |
permission_type | global or content. Global policies apply broadly; content policies apply to specific content instances. |
policy_parameters | Used only for content roles. Defines what folder or collection the role applies to. |
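The field rules in the glossary and the permission type table can be checked on planned role definitions before they are created. The following Python lint is an added example, not Cloudinary code: the dict layout, role names, ids and the key inside policy_parameters are assumptions, and only the four field names and their allowed values come from this page.

```python
# Added example: lint role definitions against the glossary's field rules.
# Dict layout, role names and sample values are constructed assumptions.
SCOPE_TYPES = {"account", "prodenv"}
PERMISSION_TYPES = {"global", "content"}


def lint_role(role):
    """Return the rule violations for one role definition (empty list = consistent)."""
    problems = []
    scope_type = role.get("scope_type")
    permission_type = role.get("permission_type")

    if scope_type not in SCOPE_TYPES:
        problems.append(f"scope_type must be account or prodenv, got {scope_type!r}")
    if permission_type not in PERMISSION_TYPES:
        problems.append(f"permission_type must be global or content, got {permission_type!r}")
    # Glossary: scope_id is required if scope_type is prodenv.
    if scope_type == "prodenv" and not role.get("scope_id"):
        problems.append("scope_id is required when scope_type is prodenv")
    # Permission type table: folder and collection roles exist only at prodenv scope.
    if permission_type == "content" and scope_type == "account":
        problems.append("content roles target folders or collections, which are prodenv-scoped")
    # Glossary: policy_parameters is used only for content roles.
    if permission_type == "global" and role.get("policy_parameters"):
        problems.append("policy_parameters is used only for content roles")
    return problems


def lint_all(roles):
    """Map each role name to its violations, omitting roles that pass."""
    checked = {r.get("name", "<unnamed>"): lint_role(r) for r in roles}
    return {name: problems for name, problems in checked.items() if problems}


# Constructed sample definitions; ids and the "folder" key are hypothetical placeholders.
SAMPLE_ROLES = [
    {"name": "billing-viewer", "scope_type": "account", "permission_type": "global"},
    {"name": "asset-editor", "scope_type": "prodenv", "permission_type": "global"},
    {"name": "folder-reviewer", "scope_type": "account", "permission_type": "content",
     "policy_parameters": {"folder": "EXAMPLE_FOLDER"}},
    {"name": "env-admin", "scope_type": "prodenv", "scope_id": "EXAMPLE_ENV_ID",
     "permission_type": "global", "policy_parameters": {"folder": "EXAMPLE_FOLDER"}},
]
```

Calling `lint_all(SAMPLE_ROLES)` reports three of the four sample roles: one missing its scope_id, one content role declared at account scope, and one global role carrying policy_parameters.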
Which method to use?
Goal | Method |
---|---|
View all system policies | GET /policies/system |
Create a custom role | POST /roles |
View all roles | GET /roles |
Assign one role to multiple users | PUT /roles/{role_id}/principals |
Assign multiple roles to one user | PUT /principal_roles |
View a user or key's current roles | GET /principal_roles |
View all users with a specific role | GET /roles/{role_id}/principals |
Inspect effective access | GET /principal_roles/inspect |