System Role and Permission Policy Reference

Image & Video APIs

Last updated: Jul-21-2025

Cloudinary provides predefined system policies and system roles to help you manage access to features, assets, and operations across your account.

System policies: Predefined permission policies offered by Cloudinary. These are the building-blocks of all roles. Browse the list of system policies so that you can know which policies to use when building your custom roles. For more information, see Policies and permissions.
System roles: Built-in roles provided by Cloudinary. They're ready as-is to assign directly to users, groups, or API keys. Browse the list of available system roles and which permissions they grant. For more information, see System roles vs. custom roles.

Important

Cloudinary's Roles and Permissions Management is now available as a Beta. This is an early stage release, and while it's functional and ready for real-world testing, it's subject to change as we continue refining the experience based on what we learn, including your feedback. During the Beta period, core functionality is considered stable, though some APIs, scopes, or response formats may evolve. We'll also be expanding the documentation with additional examples, best practices, and implementation tips.

How you can help:

Use Roles and Permissions Management in real projects, prototypes, or tests.
Share feedback, issues, or ideas with our support team.

Thank you for exploring this early release and helping us shape these tools to best meet your needs.

On this page:

System policy reference
System role reference

System policy reference

This section lists all system policies provided by Cloudinary, including each policy’s ID, name, and description.

Understand what your existing roles that include the policies allow.
Decide which permissions to include in custom roles that you're creating.
Look up the system_policy_ID to reference the policy you want to include when creating a custom role.
Examine the policy statements, which define the actions that the policy allows on specific Cloudinary resources, written in Cedar language. For more information, see Understanding the policy_statement.

For more background information about system policies, see Role-based permissions overview.

For more details on system policies, see Manage roles.

Global policies

Management

Settings

Home

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::reports::delivery::view	View detailed media delivery analytics, such as bandwidth and request usage, top-performing assets and transformations, referral domains, and formats.	View detailed media delivery analytics, such as bandwidth and request usage, top-performing assets and transformations, referral domains, and formats.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::reports::delivery::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when {resource.type == "delivery"};
cld::policy::global::reports::errors::view	View delivery error trends, including any errors generated from API calls or delivery URL requests.	View delivery error trends, including any errors generated from API calls or delivery URL requests.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::reports::errors::view");
cld::policy::global::reports::auto_monthly::view	Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console.	Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::reports::auto_monthly::view"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when { resource.type == "auto_montly_report" };

Image

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::image::access	Access the Cloudinary Image product and use the Transformation Builder for single and bulk transformations in the Media Library.	Access the Cloudinary Image product and use the Transformation Builder for single and bulk transformations in the Media Library.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::image::access");
cld::policy::global::unnamed_transformations::view	View unnamed transformations that were applied to assets.	View unnamed transformations that were applied to assets.	permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Transformation) when { resource.named == false }; permit (principal, action, resource == Cloudinary::Feature::"cld::global::unnamed_transformations::view");
cld::policy::global::unnamed_transformations::manage	Manage unnamed transformations, including deleting them and configuring whether they can be used when Strict Transformations are enabled.	Manage unnamed transformations, including deleting them and configuring whether they can be used when Strict Transformations are enabled.	permit(principal, action, resource is Cloudinary::Transformation) when {resource.named == false};
cld::policy::global::named_transformations::view	View all named transformations and the individual transformations they include.	View all named transformations and the individual transformations they include.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Transformation) when { resource.named == true}; permit(principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::view");
cld::policy::global::named_transformations::delete	Delete all existing named transformations.	Delete all existing named transformations.	permit (principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Transformation) when { resource.named == true }; permit (principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::delete");
cld::policy::global::named_transformations::update	Update existing named transformations	Update existing named transformations	permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Transformation) when {resource.named == true}; permit(principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::update");
cld::policy::global::named_transformations::create	Create new named transformations.	Create new named transformations.	permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Transformation) when {resource.named == true}; permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Transformation) when {resource.named == true}; permit(principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::create");

Video

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::video::access	NEW
Access the Cloudinary Video product in the Console, including tools for managing video assets, customizing video players, and previewing transformed video content.	NEW Access the Cloudinary Video product in the Console, including tools for managing video assets, customizing video players, and previewing transformed video content.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::video::access");
cld::policy::global::video:video_analytics::view	View Video Player performance metrics in the Video Analytics page, including plays, watch time, unique viewers, and top-performing videos. Use this data to understand engagement and optimize video delivery.	View Video Player performance metrics in the Video Analytics page, including plays, watch time, unique viewers, and top-performing videos. Use this data to understand engagement and optimize video delivery.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::video_analytics::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::VideoAnalyticsView);
cld::policy::global::video:live_streams::manage	Create, update, and delete live stream entries, configure stream settings, and access live stream details.	Create, update, and delete live stream entries, configure stream settings, and access live stream details.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::live_streams::manage"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::LiveStream); permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::LiveStream); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::LiveStream); permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::LiveStream);
cld::policy::global::video_player_profiles::manage	Create, edit, and apply video player profiles to control player appearance and behavior, with access to the Video Player Studio for visual customization.	Create, edit, and apply video player profiles to control player appearance and behavior, with access to the Video Player Studio for visual customization.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::video_player_profiles::manage"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::VideoPlayerProfile); permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::VideoPlayerProfile); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::VideoPlayerProfile); permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::VideoPlayerProfile);

MediaFlows

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::media_flows::access	NEW
Access the MediaFlows interface to build, view, and manage visual workflows for automating media-related tasks.	NEW Access the MediaFlows interface to build, view, and manage visual workflows for automating media-related tasks.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::media_flows::access");
cld::policy::global::media_flows::manage	Create, update, and delete all PowerFlows and EasyFlows.	Create, update, and delete all PowerFlows and EasyFlows.	permit (principal, action == MediaFlows::Action::"create", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"create", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"update", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"update", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"delete", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"delete", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"read_details", resource is MediaFlows::LogEntry); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::LogEntry);
cld::policy::global::media_flows::usage_n_plane::view	View current MediaFlows plan details, credit usage, and usage breakdowns across all product environments.	View current MediaFlows plan details, credit usage, and usage breakdowns across all product environments.	permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::Usage); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::Plan);

FinalTouch

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::final_touch::access	Access the FinalTouch interface to create, customize, and publish product galleries and shoppable experiences using Cloudinary assets.	Access the FinalTouch interface to create, customize, and publish product galleries and shoppable experiences using Cloudinary assets.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::final_touch::access");

Cloudinary 3D

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::cloudinary_3d::access	Access the Cloudinary 3D product to upload, manage, and preview 3D assets within the Console.	Access the Cloudinary 3D product to upload, manage, and preview 3D assets within the Console.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::cloudinary_3d::access");

View

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::saved_search::view::view_saved_search	View saved search	View saved search	permit(principal, action == Cloudinary::Action::"read", resource == Cloudinary::SavedSearch::"");

Folder policies

Collection policies

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::content::collection::view	View the collection and all the assets in it without requiring global or folder permissions for those assets.	View the collection and all the assets in it without requiring global or folder permissions for those assets.	permit(principal, action == Cloudinary::Action::"read", resource == Cloudinary::Collection::""); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset) when { resource has collection_ids && resource.collection_ids.contains("") };
cld::policy::content::collection::download_public_assets	Download all assets marked as 'Public' in the collection without requiring global or folder permissions.	Download all assets marked as 'Public' in the collection without requiring global or folder permissions.	permit(principal, action == Cloudinary::Action::"download", resource == Cloudinary::Collection::""); permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource has collection_ids && resource.collection_ids.contains("") && !["authenticated", "private"].contains(resource.resource_type) && !resource.has_access_control };
cld::policy::content::collection::download_restricted_assets	Download all assets marked as 'Restricted' in the collection without requiring global or folder permissions.	Download all assets marked as 'Restricted' in the collection without requiring global or folder permissions.	permit(principal, action == Cloudinary::Action::"download", resource == Cloudinary::Collection::""); permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource has collection_ids && resource.collection_ids.contains("") && ( ["authenticated", "private"].contains(resource.resource_type) \
cld::policy::content::collection::add_assets	Add assets To the collection. Users can only Add assets they are permitted to view, either through the 'View all assets in a folder' permission or the global 'View all folders and assets' permission.	Add assets To the collection. Users can only Add assets they are permitted to view, either through the 'View all assets in a folder' permission or the global 'View all folders and assets' permission.	permit(principal, action == Cloudinary::Action::"add_asset", resource == Cloudinary::Collection::"");
cld::policy::content::collection::remove_assets	Remove assets from the collection. Users can only remove assets they are permitted to view, either through the 'View all assets in a folder' permission or the global 'View all folders and assets' permission.	Remove assets from the collection. Users can only remove assets they are permitted to view, either through the 'View all assets in a folder' permission or the global 'View all folders and assets' permission.	permit(principal, action == Cloudinary::Action::"remove_asset", resource == Cloudinary::Collection::"");
cld::policy::content::collection::update	Rename the collection and edit its description.	Rename the collection and edit its description.	permit(principal, action == Cloudinary::Action::"update", resource == Cloudinary::Collection::"");
cld::policy::content::collection::delete	Delete the collection. This action doesn't affect the assets in it.	Delete the collection. This action doesn't affect the assets in it.	permit(principal, action == Cloudinary::Action::"delete", resource == Cloudinary::Collection::"");
cld::policy::content::collection::mange_public_link	View, create, copy, update, configure, and delete the public link for a collection.	View, create, copy, update, configure, and delete the public link for a collection.	permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "collection" }; permit(principal, action, resource == Cloudinary::Collection::"");
cld::policy::content::collection::invite	Invite users and groups to a collection, and add, edit, or remove their permissions. Users can only assign permission levels that are equal to or lower than their own for that collection.	Invite users and groups to a collection, and add, edit, or remove their permissions. Users can only assign permission levels that are equal to or lower than their own for that collection.	permit(principal, action == Cloudinary::Action::"invite", resource == Cloudinary::Collection::"");

System role reference

This section lists all system roles, including each role's ID, name, description. Blow each group of roles, you'll see the policy IDs for all the policies it includes.

You can use this list to:

Decide which role to assign to a user, group, or API key.
Look up the role ID when assigning the role.
Review the system policies granted by roles that are already in use.

For more background information about system policies, see Role-based permissions overview.

For more information on system roles, see Manage roles.

Global account-level roles

Role ID	Role Name	Description	System Policy Ids
cld::role::account::master_admin	Master Admin	Manage all account-level settings and features.	17 policies: cld::policy::global::add_ons::run, cld::policy::global::account_information::manage, cld::policy::global::account_api_keys::manage... (see full list below)
cld::role::account::admin	Admin	Manage roles, users, and groups, and access Cloudinary products.	8 policies: cld::policy::global::add_ons::run, cld::policy::global::users_and_groups::view, cld::policy::global::users_and_groups::manage... (see full list below)
cld::role::account::billing	Billing	Manage account-level billing, including current plans, payment methods, tracking usage, and purchasing add-ons.	cld::policy::global::billing::view, cld::policy::global::billing::manage
cld::role::account::reports	Reports	View account-level reports and usage metrics, including audit logs, dashboard usage summaries, and account-wide activity reports.	cld::policy::global::reports::auto_monthly::view, cld::policy::global::image::access, cld::policy::global::media_flows::usage_n_plane::view, cld::policy::global::final_touch::access, cld::policy::global::cloudinary_3d::access
cld::role::account::mediaflows_admin	Admin	Madia flow account viewer	17 policies: cld::policy::global::add_ons::run, cld::policy::global::account_information::manage, cld::policy::global::account_api_keys::manage... (see full list below)

Master Admin - Full Policy List: - cld::policy::global::add_ons::run - cld::policy::global::account_information::manage - cld::policy::global::account_api_keys::manage - cld::policy::global::product_environments::view - cld::policy::global::product_environments::manage - cld::policy::global::users_and_groups::view - cld::policy::global::users_and_groups::manage - cld::policy::global::account_security::view - cld::policy::global::account_security::manage - cld::policy::global::roles_permissions::manage - cld::policy::global::billing::view - cld::policy::global::billing::manage - cld::policy::global::reports::auto_monthly::view - cld::policy::global::image::access - cld::policy::global::media_flows::usage_n_plane::view - cld::policy::global::final_touch::access - cld::policy::global::cloudinary_3d::access

Admin - Full Policy List: - cld::policy::global::add_ons::run - cld::policy::global::users_and_groups::view - cld::policy::global::users_and_groups::manage - cld::policy::global::roles_permissions::manage - cld::policy::global::image::access - cld::policy::global::media_flows::usage_n_plane::view - cld::policy::global::final_touch::access - cld::policy::global::cloudinary_3d::access

Admin - Full Policy List: - cld::policy::global::add_ons::run - cld::policy::global::account_information::manage - cld::policy::global::account_api_keys::manage - cld::policy::global::product_environments::view - cld::policy::global::product_environments::manage - cld::policy::global::users_and_groups::view - cld::policy::global::users_and_groups::manage - cld::policy::global::account_security::view - cld::policy::global::account_security::manage - cld::policy::global::roles_permissions::manage - cld::policy::global::billing::view - cld::policy::global::billing::manage - cld::policy::global::reports::auto_monthly::view - cld::policy::global::image::access - cld::policy::global::media_flows::usage_n_plane::view - cld::policy::global::final_touch::access - cld::policy::global::cloudinary_3d::access

Global product environment-level roles

Role ID	Role Name	Description	System Policy Ids
cld::role::prodenv::master_admin	Master Admin	Fully manage all product environments, including settings, all features across products, and dashboards and reports.	57 policies: cld::policy::global::basic_portals::access, cld::policy::global::ml_preferences::manage, cld::policy::global::ml_dashboard::access... (see full list below)
cld::role::prodenv::admin	Admin	Manage permitted product environments, including Console Settings, all features across products, and relevant dashboards and reports.	53 policies: cld::policy::global::basic_portals::access, cld::policy::global::structured_metadata::access, cld::policy::global::moderation_queue::access... (see full list below)
cld::role::prodenv::tech_admin	Tech Admin	Manage tech areas, including product environment Console Settings, key features across products (excluding MediaFlows), and relevant dashboards & reports.	48 policies: cld::policy::global::basic_portals::access, cld::policy::global::structured_metadata::access, cld::policy::global::moderation_queue::access... (see full list below)
cld::role::prodenv::ml_admin	Media Library Admin	Access the Media Library for full usage and administration, including transformations, creative approval, and App Marketplace.	32 policies: cld::policy::global::basic_portals::access, cld::policy::global::moderation_queue::access, cld::policy::global::ml::access... (see full list below)
cld::role::prodenv::ml_user	Media Library User	Access specific folders and collections within the Media Library according to assigned permissions.	cld::policy::global::ml::access, cld::policy::global::marketplace:use, cld::policy::global::comments::delete
cld::role::prodenv::reports	Reports	Access product environment reports, including delivery and error reports, transformation logs, and usage for all products.	6 policies: cld::policy::global::reports::delivery::view, cld::policy::global::reports::errors::view, cld::policy::global::unnamed_transformations::view... (see full list below)
cld::role::savedsearch::viewer	Viewer	bla bla 3	cld::policy::saved_search::view::view_saved_search
cld::role::prodenv::mediaflows_admin	Admin	Madia flow product environment viewer	57 policies: cld::policy::global::basic_portals::access, cld::policy::global::ml_preferences::manage, cld::policy::global::ml_dashboard::access... (see full list below)

Master Admin - Full Policy List: - cld::policy::global::basic_portals::access - cld::policy::global::ml_preferences::manage - cld::policy::global::ml_dashboard::access - cld::policy::global::activity_reports::access - cld::policy::global::structured_metadata::access - cld::policy::global::moderation_queue::access - cld::policy::global::ml::access - cld::policy::global::asset_relation::create - cld::policy::global::marketplace:manage - cld::policy::global::marketplace:read - cld::policy::global::smd:bulk_upload - cld::policy::global::delivery_url::access - cld::policy::global::portals::view - cld::policy::global::ml_flourish_report::view - cld::policy::global::marketplace:use - cld::policy::global::comments::delete - cld::policy::global::automation::access - cld::policy::global::assets::moderate - cld::policy::global::folder_and_asset_management::delete - cld::policy::global::folder_and_asset_management::view - cld::policy::global::folder_and_asset_management::public::download - cld::policy::global::folder_and_asset_management::restricted::download - cld::policy::global::folder_and_asset_management::create_folder - cld::policy::global::folder_and_asset_management::create_asset - cld::policy::global::folder_and_asset_management::update - cld::policy::global::folder_and_asset_management::update_access_control - cld::policy::global:::restore - cld::policy::global::public_links::manage - cld::policy::global::folders::share - cld::policy::global::collections::create - cld::policy::global::collections::view - cld::policy::global::collections::update - cld::policy::global::collections::invite - cld::policy::global::dynamic_collections::manage - cld::policy::global::api_keys::view - cld::policy::global::api_keys::manage - cld::policy::global::upload_presets::manage - cld::policy::global::backup_settings::Manage - cld::policy::global::optimization_settings::manage - cld::policy::global::delivery_settings::manage - cld::policy::global::webhook_notifications::view - cld::policy::global::webhook_notifications::manage - cld::policy::global::prodenv_security::manage - cld::policy::global::reports::delivery::view - cld::policy::global::reports::errors::view - cld::policy::global::unnamed_transformations::view - cld::policy::global::unnamed_transformations::manage - cld::policy::global::named_transformations::view - cld::policy::global::named_transformations::delete - cld::policy::global::named_transformations::update - cld::policy::global::named_transformations::create - cld::policy::global::video::access - cld::policy::global::video:video_analytics::view - cld::policy::global::video:live_streams::manage - cld::policy::global::video_player_profiles::manage - cld::policy::global::media_flows::access - cld::policy::global::media_flows::manage

Admin - Full Policy List: - cld::policy::global::basic_portals::access - cld::policy::global::structured_metadata::access - cld::policy::global::moderation_queue::access - cld::policy::global::ml::access - cld::policy::global::asset_relation::create - cld::policy::global::marketplace:manage - cld::policy::global::marketplace:read - cld::policy::global::smd:bulk_upload - cld::policy::global::delivery_url::access - cld::policy::global::portals::view - cld::policy::global::ml_flourish_report::view - cld::policy::global::marketplace:use - cld::policy::global::comments::delete - cld::policy::global::assets::moderate - cld::policy::global::folder_and_asset_management::delete - cld::policy::global::folder_and_asset_management::view - cld::policy::global::folder_and_asset_management::public::download - cld::policy::global::folder_and_asset_management::restricted::download - cld::policy::global::folder_and_asset_management::create_folder - cld::policy::global::folder_and_asset_management::create_asset - cld::policy::global::folder_and_asset_management::update - cld::policy::global::folder_and_asset_management::update_access_control - cld::policy::global:::restore - cld::policy::global::public_links::manage - cld::policy::global::folders::share - cld::policy::global::collections::create - cld::policy::global::collections::view - cld::policy::global::collections::update - cld::policy::global::collections::invite - cld::policy::global::dynamic_collections::manage - cld::policy::global::api_keys::view - cld::policy::global::api_keys::manage - cld::policy::global::upload_presets::manage - cld::policy::global::backup_settings::Manage - cld::policy::global::optimization_settings::manage - cld::policy::global::delivery_settings::manage - cld::policy::global::webhook_notifications::view - cld::policy::global::webhook_notifications::manage - cld::policy::global::prodenv_security::manage - cld::policy::global::reports::delivery::view - cld::policy::global::reports::errors::view - cld::policy::global::unnamed_transformations::view - cld::policy::global::unnamed_transformations::manage - cld::policy::global::named_transformations::view - cld::policy::global::named_transformations::delete - cld::policy::global::named_transformations::update - cld::policy::global::named_transformations::create - cld::policy::global::video::access - cld::policy::global::video:video_analytics::view - cld::policy::global::video:live_streams::manage - cld::policy::global::video_player_profiles::manage - cld::policy::global::media_flows::access - cld::policy::global::media_flows::manage

Tech Admin - Full Policy List: - cld::policy::global::basic_portals::access - cld::policy::global::structured_metadata::access - cld::policy::global::moderation_queue::access - cld::policy::global::ml::access - cld::policy::global::asset_relation::create - cld::policy::global::marketplace:manage - cld::policy::global::smd:bulk_upload - cld::policy::global::delivery_url::access - cld::policy::global::marketplace:use - cld::policy::global::comments::delete - cld::policy::global::assets::moderate - cld::policy::global::folder_and_asset_management::delete - cld::policy::global::folder_and_asset_management::view - cld::policy::global::folder_and_asset_management::public::download - cld::policy::global::folder_and_asset_management::restricted::download - cld::policy::global::folder_and_asset_management::create_folder - cld::policy::global::folder_and_asset_management::create_asset - cld::policy::global::folder_and_asset_management::update - cld::policy::global::folder_and_asset_management::update_access_control - cld::policy::global:::restore - cld::policy::global::public_links::manage - cld::policy::global::folders::share - cld::policy::global::collections::create - cld::policy::global::collections::view - cld::policy::global::collections::update - cld::policy::global::collections::invite - cld::policy::global::dynamic_collections::manage - cld::policy::global::api_keys::view - cld::policy::global::api_keys::manage - cld::policy::global::upload_presets::manage - cld::policy::global::backup_settings::Manage - cld::policy::global::optimization_settings::manage - cld::policy::global::delivery_settings::manage - cld::policy::global::webhook_notifications::view - cld::policy::global::webhook_notifications::manage - cld::policy::global::prodenv_security::manage - cld::policy::global::reports::delivery::view - cld::policy::global::reports::errors::view - cld::policy::global::unnamed_transformations::view - cld::policy::global::unnamed_transformations::manage - cld::policy::global::named_transformations::view - cld::policy::global::named_transformations::delete - cld::policy::global::named_transformations::update - cld::policy::global::named_transformations::create - cld::policy::global::video::access - cld::policy::global::video:video_analytics::view - cld::policy::global::video:live_streams::manage - cld::policy::global::video_player_profiles::manage

Media Library Admin - Full Policy List: - cld::policy::global::basic_portals::access - cld::policy::global::moderation_queue::access - cld::policy::global::ml::access - cld::policy::global::asset_relation::create - cld::policy::global::marketplace:manage - cld::policy::global::smd:bulk_upload - cld::policy::global::delivery_url::access - cld::policy::global::marketplace:use - cld::policy::global::comments::delete - cld::policy::global::assets::moderate - cld::policy::global::folder_and_asset_management::delete - cld::policy::global::folder_and_asset_management::view - cld::policy::global::folder_and_asset_management::public::download - cld::policy::global::folder_and_asset_management::restricted::download - cld::policy::global::folder_and_asset_management::create_folder - cld::policy::global::folder_and_asset_management::create_asset - cld::policy::global::folder_and_asset_management::update - cld::policy::global::folder_and_asset_management::update_access_control - cld::policy::global:::restore - cld::policy::global::public_links::manage - cld::policy::global::folders::share - cld::policy::global::collections::create - cld::policy::global::collections::view - cld::policy::global::collections::update - cld::policy::global::collections::invite - cld::policy::global::dynamic_collections::manage - cld::policy::global::unnamed_transformations::view - cld::policy::global::unnamed_transformations::manage - cld::policy::global::named_transformations::view - cld::policy::global::named_transformations::delete - cld::policy::global::named_transformations::update - cld::policy::global::named_transformations::create

Reports - Full Policy List: - cld::policy::global::reports::delivery::view - cld::policy::global::reports::errors::view - cld::policy::global::unnamed_transformations::view - cld::policy::global::video::access - cld::policy::global::video:video_analytics::view - cld::policy::global::media_flows::access

Admin - Full Policy List: - cld::policy::global::basic_portals::access - cld::policy::global::ml_preferences::manage - cld::policy::global::ml_dashboard::access - cld::policy::global::activity_reports::access - cld::policy::global::structured_metadata::access - cld::policy::global::moderation_queue::access - cld::policy::global::ml::access - cld::policy::global::asset_relation::create - cld::policy::global::marketplace:manage - cld::policy::global::marketplace:read - cld::policy::global::smd:bulk_upload - cld::policy::global::delivery_url::access - cld::policy::global::portals::view - cld::policy::global::ml_flourish_report::view - cld::policy::global::marketplace:use - cld::policy::global::comments::delete - cld::policy::global::automation::access - cld::policy::global::assets::moderate - cld::policy::global::folder_and_asset_management::delete - cld::policy::global::folder_and_asset_management::view - cld::policy::global::folder_and_asset_management::public::download - cld::policy::global::folder_and_asset_management::restricted::download - cld::policy::global::folder_and_asset_management::create_folder - cld::policy::global::folder_and_asset_management::create_asset - cld::policy::global::folder_and_asset_management::update - cld::policy::global::folder_and_asset_management::update_access_control - cld::policy::global:::restore - cld::policy::global::public_links::manage - cld::policy::global::folders::share - cld::policy::global::collections::create - cld::policy::global::collections::view - cld::policy::global::collections::update - cld::policy::global::collections::invite - cld::policy::global::dynamic_collections::manage - cld::policy::global::api_keys::view - cld::policy::global::api_keys::manage - cld::policy::global::upload_presets::manage - cld::policy::global::backup_settings::Manage - cld::policy::global::optimization_settings::manage - cld::policy::global::delivery_settings::manage - cld::policy::global::webhook_notifications::view - cld::policy::global::webhook_notifications::manage - cld::policy::global::prodenv_security::manage - cld::policy::global::reports::delivery::view - cld::policy::global::reports::errors::view - cld::policy::global::unnamed_transformations::view - cld::policy::global::unnamed_transformations::manage - cld::policy::global::named_transformations::view - cld::policy::global::named_transformations::delete - cld::policy::global::named_transformations::update - cld::policy::global::named_transformations::create - cld::policy::global::video::access - cld::policy::global::video:video_analytics::view - cld::policy::global::video:live_streams::manage - cld::policy::global::video_player_profiles::manage - cld::policy::global::media_flows::access - cld::policy::global::media_flows::manage

Folder roles

Role ID	Role Name	Description	System Policy Ids
cld::role::folder::manager	Manager	All Editor permissions, plus full control over folder contents, including asset access control and public links, as well as folder sharing and access management.	16 policies: cld::policy::content::folder::view_download, cld::policy::content::folder::download_public_assets, cld::policy::content::folder::download_restricted_assets... (see full list below)
cld::role::folder::contributor	Contributor	All Viewer permissions, plus contribute new content by uploading, saving as new, creating subfolders, and moving assets in.	cld::policy::content::folder::view_download, cld::policy::content::folder::download_public_assets, cld::policy::content::folder::add_assets, cld::policy::content::folder::create_subfolders
cld::role::folder::viewer	Viewer	View the folder and its contents for browsing or downloading assets.	cld::policy::content::folder::view_download, cld::policy::content::folder::download_public_assets
cld::role::folder::editor	Editor	All Contributor permissions, plus edit content, including restoring versions, updating metadata and tags, and renaming assets and subfolders.	7 policies: cld::policy::content::folder::view_download, cld::policy::content::folder::download_public_assets, cld::policy::content::folder::add_assets... (see full list below)

Manager - Full Policy List: - cld::policy::content::folder::view_download - cld::policy::content::folder::download_public_assets - cld::policy::content::folder::download_restricted_assets - cld::policy::content::folder::add_assets - cld::policy::content::folder::create_subfolders - cld::policy::content::folder::update_assets - cld::policy::content::folder::rename_subfolders - cld::policy::content::folder::rename_assets - cld::policy::content::folder::delete_assets - cld::policy::content::folder::move_assets - cld::policy::content::folder::delete - cld::policy::content::folder::rename - cld::policy::content::folder::move - cld::policy::content::folder::manage_public_link - cld::policy::content::folder::edit_access_control - cld::policy::content::folder::invite

Editor - Full Policy List: - cld::policy::content::folder::view_download - cld::policy::content::folder::download_public_assets - cld::policy::content::folder::add_assets - cld::policy::content::folder::create_subfolders - cld::policy::content::folder::update_assets - cld::policy::content::folder::rename_subfolders - cld::policy::content::folder::rename_assets

Collection roles

Role ID	Role Name	Description	System Policy Ids
cld::role::collection::manager	Manager	All Distributor permissions, plus manage the collection, including removing assets, deleting the collection, updating details, and managing public links.	9 policies: cld::policy::content::collection::view, cld::policy::content::collection::download_public_assets, cld::policy::content::collection::download_restricted_assets... (see full list below)
cld::role::collection::collaborator	Collaborator	All Viewer permissions, plus add assets to the collection.	cld::policy::content::collection::view, cld::policy::content::collection::download_public_assets, cld::policy::content::collection::add_assets, cld::policy::content::collection::update
cld::role::collection::distributor	Distributor	All Collaborator permissions, plus share the collection with others in the organization.	cld::policy::content::collection::view, cld::policy::content::collection::download_public_assets, cld::policy::content::collection::mange_public_link, cld::policy::content::collection::invite
cld::role::collection::viewer	Viewer	View and download assets in the collection.	cld::policy::content::collection::view, cld::policy::content::collection::download_public_assets

Manager - Full Policy List: - cld::policy::content::collection::view - cld::policy::content::collection::download_public_assets - cld::policy::content::collection::download_restricted_assets - cld::policy::content::collection::add_assets - cld::policy::content::collection::remove_assets - cld::policy::content::collection::update - cld::policy::content::collection::delete - cld::policy::content::collection::mange_public_link - cld::policy::content::collection::invite

✔️ Feedback sent!

✖️

Error

Unfortunately there's been an error sending your feedback.

Rate this page:

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::basic_portals::access	Manage all portals with full create, read, update, and delete permissions.	Manage all portals with full create, read, update, and delete permissions.	permit(principal, action, resource is Cloudinary::Portal); permit(principal, action == Cloudinary::Action::"read", resource == Cloudinary::Feature::"cld::global::basic_portals::access"); permit(principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "portal"};
cld::policy::global::ml_preferences::manage	Control the way the Media Library looks and behaves for all users in the product environment.	Control the way the Media Library looks and behaves for all users in the product environment.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_preferences::access"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_preferences::update");
cld::policy::global::ml_dashboard::access	View the Assets Dashboard, including usage summaries and trend graphs. Access is limited to data the user is permitted to see.	View the Assets Dashboard, including usage summaries and trend graphs. Access is limited to data the user is permitted to see.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_dashboard::access"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Portal);
cld::policy::global::activity_reports::access	View and generate reports that list all account management activities and product environment actions.	View and generate reports that list all account management activities and product environment actions.	permit (principal, action, resource is Cloudinary::Report) when {resource.type=="audit_log"}; permit (principal, action, resource == Cloudinary::Feature::"cld::global::activity_reports::access");
cld::policy::global::structured_metadata::access	Create and manage structured metadata fields, define conditional rules, and configure datasources (list values) for single and multi-selection fields.	Create and manage structured metadata fields, define conditional rules, and configure datasources (list values) for single and multi-selection fields.	permit(principal, action, resource is Cloudinary::MetadataField); permit(principal, action, resource == Cloudinary::Feature::"cld::global::structured_metadata::access");
cld::policy::global::moderation_queue::access	View, approve, and reject assets from the Moderation page. Access is limited to assets in folders where the user has the 'View all assets in a folder and its subfolders' permission, or all assets if the user has the global 'View all folders and assets' permission.	View, approve, and reject assets from the Moderation page. Access is limited to assets in folders where the user has the 'View all assets in a folder and its subfolders' permission, or all assets if the user has the global 'View all folders and assets' permission.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::moderation_queue::access");
cld::policy::global::ml::access	Access the Media Library within the Console. Without this permission, users can't view any assets.	Access the Media Library within the Console. Without this permission, users can't view any assets.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml::access");
cld::policy::global::asset_relation::create	Create and manage relationships between assets. Also requires 'Viewing related assets requires the 'View all subfolders and assets in a folder' permission for specific folders, or the 'View all folders and assets' global permission to view all assets.	Create and manage relationships between assets. Also requires 'Viewing related assets requires the 'View all subfolders and assets in a folder' permission for specific folders, or the 'View all folders and assets' global permission to view all assets.	permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::AssetRelation); permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::AssetRelation);
cld::policy::global::marketplace:manage	Manage the App Marketplace by enabling or disabling apps that extend DAM functionality based on company needs.	Manage the App Marketplace by enabling or disabling apps that extend DAM functionality based on company needs.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::app_marketplace::access"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::DamApp); permit(principal, action == Cloudinary::Action::"subscribe", resource is Cloudinary::DamApp); permit(principal, action == Cloudinary::Action::"unsubscribe", resource is Cloudinary::DamApp);
cld::policy::global::add_ons::run	Apply functionality from add-ons that are enabled for the account. Note that usage may consume quota based on the add-on plan.	Apply functionality from add-ons that are enabled for the account. Note that usage may consume quota based on the add-on plan.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::add_ons::run");
cld::policy::global::marketplace:read	Access and use DAM apps that have been enabled from the Assets App Marketplace, directly within the Media Library.	Access and use DAM apps that have been enabled from the Assets App Marketplace, directly within the Media Library.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::DamApp);
cld::policy::global::smd:bulk_upload	Upload a CSV file to bulk update structured metadata fields across multiple assets.	Upload a CSV file to bulk update structured metadata fields across multiple assets.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::update_smd_by_csv:access"); permit(principal, action in [Cloudinary::Action::"create", Cloudinary::Action::"read"], resource is Cloudinary::Folder) when { resource.path like "cld_system_files*" };
cld::policy::global::delivery_url::access	Access delivery URLs of original and transformed assets, including the ability to view, copy, and open them in a new tab. Access is limited to assets the user is permitted to view.	Access delivery URLs of original and transformed assets, including the ability to view, copy, and open them in a new tab. Access is limited to assets the user is permitted to view.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::delivery_url::access");
cld::policy::global::portals::view	Manage all portals with full create, read, update, and delete access. The 'View collection' permission is required to add a specific collection to a portal.	Manage all portals with full create, read, update, and delete access. The 'View collection' permission is required to add a specific collection to a portal.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::portals::view");
cld::policy::global::ml_flourish_report::view	[Won't do] View reports showing metrics that demonstrate Cloudinary value.	[Won't do] View reports showing metrics that demonstrate Cloudinary value.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_monthly_value_reports::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when {resource.type == "ml_monthly_value_reports"};
cld::policy::global::marketplace:use	[Duplicate -- don't add to UI] Relevant for the read ability for the end user	[Duplicate -- don't add to UI] Relevant for the read ability for the end user	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::DamApp) when { resource has subscribed && resource.subscribed == true };
cld::policy::global::comments::delete	Delete all comments the user added to assets.	Delete all comments the user added to assets.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::comments::delete");
cld::policy::global::automation::access	Create EasyFlows within the Media Library to streamline Assets workflows.	Create EasyFlows within the Media Library to streamline Assets workflows.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::automation::access");
cld::policy::global::assets::moderate	View, approve, and reject all assets in the moderation queue. This permission should be paired with the 'View all folders and assets' global permission.	View, approve, and reject all assets in the moderation queue. This permission should be paired with the 'View all folders and assets' global permission.	permit(principal, action == Cloudinary::Action::"moderate", resource is Cloudinary::Asset);
cld::policy::global::folder_and_asset_management::delete	Delete all folders and assets without requiring specific folder or asset permissions.	Delete all folders and assets without requiring specific folder or asset permissions.	permit(principal, action in [Cloudinary::Action::"delete"], resource is Cloudinary::Asset); permit(principal, action in [Cloudinary::Action::"delete"], resource is Cloudinary::Folder);
cld::policy::global::folder_and_asset_management::view	View all folders and assets without requiring specific folder or asset permissions. Downloading requires a separate permission.	View all folders and assets without requiring specific folder or asset permissions. Downloading requires a separate permission.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Folder); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::MetadataField); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::MetadataField) when { resource has allow_dynamic_list_values && resource.allow_dynamic_list_values == true };
cld::policy::global::folder_and_asset_management::public::download	Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded.	Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded.	permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { !["authenticated", "private"].contains(resource.resource_type) && !resource.has_access_control}; permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Folder);
cld::policy::global::folder_and_asset_management::restricted::download	Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded.	Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded.	permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { (["authenticated", "private"].contains(resource.resource_type)) \
cld::policy::global::folder_and_asset_management::create_folder	Create folders anywhere within the folder hierarchy without requiring specific folder permissions.	Create folders anywhere within the folder hierarchy without requiring specific folder permissions.	permit(principal, action in [Cloudinary::Action::"create", Cloudinary::Action::"read"], resource is Cloudinary::Folder);
cld::policy::global::folder_and_asset_management::create_asset	Upload assets to any folder, including the root, without requiring specific folder permissions. Includes the option to select an upload preset and apply tags and metadata,	Upload assets to any folder, including the root, without requiring specific folder permissions. Includes the option to select an upload preset and apply tags and metadata,	permit(principal, action in [Cloudinary::Action::"create"], resource is Cloudinary::Asset);
cld::policy::global::folder_and_asset_management::update	Move, rename, and overwrite all folders and assets without requiring specific folder or asset permissions.	Move, rename, and overwrite all folders and assets without requiring specific folder or asset permissions.	permit(principal, action in [Cloudinary::Action::"update"], resource is Cloudinary::Asset); permit(principal, action in [Cloudinary::Action::"update"], resource is Cloudinary::Folder); permit(principal, action in [Cloudinary::Action::"rename"], resource is Cloudinary::Asset); permit(principal, action in [Cloudinary::Action::"rename"], resource is Cloudinary::Folder); permit(principal, action in [Cloudinary::Action::"move"], resource is Cloudinary::Folder);
cld::policy::global::folder_and_asset_management::update_access_control	Change access control settings for all assets between 'Public' and 'Restricted' without requiring specific folder or asset permissions.	Change access control settings for all assets between 'Public' and 'Restricted' without requiring specific folder or asset permissions.	permit(principal, action == Cloudinary::Action::"update_access_control", resource is Cloudinary::Asset);
cld::policy::global:::restore	Restore all deleted assets.	Restore all deleted assets.	permit(principal, action == Cloudinary::Action::"restore", resource is Cloudinary::Asset); permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Folder); permit(principal, action, resource == Cloudinary::Feature::"cld::global::assets::restore");
cld::policy::global::public_links::manage	Create, view, update, and delete public links to share collections externally. Also allows sharing assets directly, provided the user has view access through either the 'View all assets in a folder and its subfolders' permission or the global 'View all folders and assets' permission.	Create, view, update, and delete public links to share collections externally. Also allows sharing assets directly, provided the user has view access through either the 'View all assets in a folder and its subfolders' permission or the global 'View all folders and assets' permission.	permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "asset" }; permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "collection" }; permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "portal" };
cld::policy::global::folders::share	Share all folders within the folder hierarchy without requiring specific folder permissions.	Share all folders within the folder hierarchy without requiring specific folder permissions.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::folders::share"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Role); permit(principal, action == Cloudinary::Action::"invite", resource is Cloudinary::Folder);
cld::policy::global::collections::create	Create collections, excluding dynamic collections.	Create collections, excluding dynamic collections.	permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Collection);
cld::policy::global::collections::view	View all collections and the assets inside them without requiring folder or asset permissions. This excludes dynamic collections.	View all collections and the assets inside them without requiring folder or asset permissions. This excludes dynamic collections.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Collection);
cld::policy::global::collections::update	View and manage all collections and their assets without requiring folder permissions. Includes renaming collections and adding or removing assets the user can view via the 'View all assets in a folder and its subfolders' permission or the global 'View all folders and assets' permission. This excludes dynamic collections.	View and manage all collections and their assets without requiring folder permissions. Includes renaming collections and adding or removing assets the user can view via the 'View all assets in a folder and its subfolders' permission or the global 'View all folders and assets' permission. This excludes dynamic collections.	permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"add_asset", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"remove_asset", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"create",resource is Cloudinary::PublicLink) when {resource.subject_type=="collection"};
cld::policy::global::collections::invite	Invite other users to access all classic collections and assign them different permission levels. This excludes dynamic collections.	Invite other users to access all classic collections and assign them different permission levels. This excludes dynamic collections.	permit(principal, action == Cloudinary::Action::"invite", resource is Cloudinary::Collection);
cld::policy::global::dynamic_collections::manage	Create, update, publicly share, and delete dymanic collections. Includes permission to view all assets included in dynamic collections.	Create, update, publicly share, and delete dymanic collections. Includes permission to view all assets included in dynamic collections.	permit(principal, action, resource is Cloudinary::DynamicCollection); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset); permit (principal,action == Cloudinary::Action::"create", resource is Cloudinary::PublicLink) when {resource.subject_type=="collection"};

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::global::api_keys::view	View all API keys and associated details.	View all API keys and associated details.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::APIKey); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::view");
cld::policy::global::api_keys::manage	View, create, and delete API keys, and update their associated details.	View, create, and delete API keys, and update their associated details.	permit(principal, action, resource is Cloudinary::APIKey); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::view"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::create"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::update"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::delete");
cld::policy::global::upload_presets::manage	View, create, modify, or delete upload settings, such as upload presets, upload mappings, and upload defaults.	View, create, modify, or delete upload settings, such as upload presets, upload mappings, and upload defaults.	permit(principal, action, resource is Cloudinary::UploadPreset); permit(principal, action, resource is Cloudinary::UploadMapping); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment); permit(principal, action, resource == Cloudinary::Feature::"cld::global::upload_settings::manage"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::upload_settings::access");
cld::policy::global::backup_settings::Manage	Manage backup settings, including selecting a backup location and enabling or disabling backup for newly uploaded assets.	Manage backup settings, including selecting a backup location and enabling or disabling backup for newly uploaded assets.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::backup_settings::manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment);
cld::policy::global::optimization_settings::manage	Define optimization settings such as image and video quality, and handling of CMYK in derived images.	Define optimization settings such as image and video quality, and handling of CMYK in derived images.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::optimization_settings::Manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment);
cld::policy::global::delivery_settings::manage	Define access control list (ACL) conditions and rules in the Console to control who can access assets.	Define access control list (ACL) conditions and rules in the Console to control who can access assets.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::delivery_settings::manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment);
cld::policy::global::webhook_notifications::view	dio	dio	permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Trigger);
cld::policy::global::webhook_notifications::manage	View, create, and delete webhook notification URLs.	View, create, and delete webhook notification URLs.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::view"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::create"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::update"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::delete"); permit(principal, action, resource is Cloudinary::Trigger);
cld::policy::global::prodenv_security::manage	Set security settings that control how the assets in your product environment can be delivered.	Set security settings that control how the assets in your product environment can be delivered.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::prodenv_security::manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment);
cld::policy::global::account_information::manage	Edit basic account information, such as account name and product environment display name, in the Console.	Edit basic account information, such as account name and product environment display name, in the Console.	permit(principal, action, resource == Cloudinary::Feature::"cld::global::account_information::manage"); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Account); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Account);
cld::policy::global::account_api_keys::manage	View account API keys that authenticate the Provisioning and Permissions APIs, update their details, and generate new key pairs.	View account API keys that authenticate the Provisioning and Permissions APIs, update their details, and generate new key pairs.	permit(principal, action, resource is Cloudinary::AccountAPIKey); permit(principal, action, resource is Cloudinary::ProvisioningKey); permit(principal, action, resource == Cloudinary::Feature::"cld::global::account_api_keys::manage");
cld::policy::global::product_environments::view	View a list of all product environments in the account and their associated details. This doesn't grant access to the product environments or their contents.	View a list of all product environments in the account and their associated details. This doesn't grant access to the product environments or their contents.	permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::ProductEnvironment); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::view");
cld::policy::global::product_environments::manage	View, add, and remove product environments in the account, and update their associated details. This doesn't grant access to the product environments or their contents.	View, add, and remove product environments in the account, and update their associated details. This doesn't grant access to the product environments or their contents.	permit (principal, action, resource is Cloudinary::ProductEnvironment); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::create"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::delete"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::update");
cld::policy::global::users_and_groups::view	View all users and groups in the account and their group memberships.	View all users and groups in the account and their group memberships.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::User); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Group); permit(principal, action, resource == Cloudinary::Feature::"cld::global::groups::view"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::users::view");
cld::policy::global::users_and_groups::manage	View, add, and remove users and groups in the account, and manage group memberships.	View, add, and remove users and groups in the account, and manage group memberships.	permit (principal, action , resource is Cloudinary::User); permit (principal, action, resource is Cloudinary::Group); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::create"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::update"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::delete"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::create"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::update"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::delete");
cld::policy::global::account_security::view	View account-wide security settings related to authentication, access control, and user privacy.	View account-wide security settings related to authentication, access control, and user privacy.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::account::view"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Account);
cld::policy::global::account_security::manage	Define account-wide security settings related to authentication, access control, and user privacy.	Define account-wide security settings related to authentication, access control, and user privacy.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::account::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::account::update"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Account); permit (principal, action == Cloudinary::Action::"update", resource is Cloudinary::Account);
cld::policy::global::roles_permissions::manage	View, create, update, and delete all roles, define their permissions, and assign roles to users, groups, API keys, and other resources.	View, create, update, and delete all roles, define their permissions, and assign roles to users, groups, API keys, and other resources.	permit (principal, action, resource is Cloudinary::Role); permit (principal, action, resource == Cloudinary::Feature::"cld::global::roles_permissions::manage");
cld::policy::global::billing::view	View plan details, add-on subscriptions, and current usage and billing information.	View plan details, add-on subscriptions, and current usage and billing information.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::billing::view");
cld::policy::global::billing::manage	View and manage all billing-related information, including plan details, payment method, and add-on subscriptions.
To purchase add-ons for additional users or product environments, this permission must be paired with the `View users and groups` and `View product environments` permissions, respectively.	View and manage all billing-related information, including plan details, payment method, and add-on subscriptions. To purchase add-ons for additional users or product environments, this permission must be paired with the `View users and groups` and `View product environments` permissions, respectively.	permit (principal, action, resource == Cloudinary::Feature::"cld::global::billing::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::billing::update");

System Policy ID	System Policy Ids	Description	Policy Statement
cld::policy::content::folder::view_download	[Final] View all assets in a folder and its nested subfolders.	[Final] View all assets in a folder and its nested subfolders.	permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("") }; permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") };
cld::policy::content::folder::download_public_assets	[Final] Download all assets marked as 'Public' in a folder and its subfolders.	[Final] Download all assets marked as 'Public' in a folder and its subfolders.	permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")}; permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") && !["authenticated", "private"].contains(resource.resource_type) && !resource.has_access_control };
cld::policy::content::folder::download_restricted_assets	[Final] Download all assets marked as 'Restricted' in a folder and its subfolders.	[Final] Download all assets marked as 'Restricted' in a folder and its subfolders.	permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")}; permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") && ( ["authenticated", "private"].contains(resource.resource_type) \
cld::policy::content::folder::add_assets	[Final] Add assets by uploading new files, saving an asset as new, or moving existing assets from other folders. Tags and structured metadata can be applied during upload.	[Final] Add assets by uploading new files, saving an asset as new, or moving existing assets from other folders. Tags and structured metadata can be applied during upload.	permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::create_subfolders	[Final] Create subfolders or move existing folders into this folder.	[Final] Create subfolders or move existing folders into this folder.	permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::update_assets	[Final] Perform actions on assets in a specific folder and its subfolders, including replacing and editing assets, restoring versions, and updating tags, structured metadata, and contextual metadata.	[Final] Perform actions on assets in a specific folder and its subfolders, including replacing and editing assets, restoring versions, and updating tags, structured metadata, and contextual metadata.	permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::rename_subfolders	[Final] Rename subfolders within a specified folder. This doesn't include permission to rename the folder itself.	[Final] Rename subfolders within a specified folder. This doesn't include permission to rename the folder itself.	permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource != Cloudinary::Folder::"" && resource.ancestor_ids.contains("")};
cld::policy::content::folder::rename_assets	[Final] Edit the display names and public IDs of assets in a specified folder and its subfolders. In the legacy fixed-folder mode, renaming a public ID also requires the ‘Move assets’ permission.	[Final] Edit the display names and public IDs of assets in a specified folder and its subfolders. In the legacy fixed-folder mode, renaming a public ID also requires the ‘Move assets’ permission.	permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::delete_assets	[Final] Delete assets in a specified folder and its subfolders.	[Final] Delete assets in a specified folder and its subfolders.	permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::delete_subfolders	[Final] Delete subfolders within a specified folder. To delete subfolders that contain assets, the user must also have the 'Delete assets' permission for those assets.	[Final] Delete subfolders within a specified folder. To delete subfolders that contain assets, the user must also have the 'Delete assets' permission for those assets.	permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Folder) when { resource != Cloudinary::Folder::"" && resource.ancestor_ids.contains("")};
cld::policy::content::folder::move_assets	[Final] Move assets between folders. This action also requires the 'Add assets' permission for the destination folder.	[Final] Move assets between folders. This action also requires the 'Add assets' permission for the destination folder.	permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") && context has direction && context.direction == "out"}; permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") };
cld::policy::content::folder::delete	[Final] Delete a specified folder and its contents. If the folder contains assets, the user must also have the 'Delete assets' permission for all of them. This action is limited to folders with 1,000 assets or fewer.	[Final] Delete a specified folder and its contents. If the folder contains assets, the user must also have the 'Delete assets' permission for all of them. This action is limited to folders with 1,000 assets or fewer.	permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::rename	[Final] Rename a folder and its subfolders. This action isn't available in the legacy fixed folder mode.	[Final] Rename a folder and its subfolders. This action isn't available in the legacy fixed folder mode.	permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")}; permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") };
cld::policy::content::folder::move	[Final] Move a folder and all of its contents to a different location in the folder hierarchy. For example, move Folder A (and its subfolder B) into a new parent folder. In product environments with fixed folder mode, this action also requires the 'Move assets' permission the folder.	[Final] Move a folder and all of its contents to a different location in the folder hierarchy. For example, move Folder A (and its subfolder B) into a new parent folder. In product environments with fixed folder mode, this action also requires the 'Move assets' permission the folder.	permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("") && context has direction && context.direction == "out"}; permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("") && context has direction && context.direction == "in"}; permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::move_subfolders	[Final] Move subfolders to a different location in the folder hierarchy. For example, move Folder C out of Folder B, without moving Folder B itself. In environments with fixed folder mode, this action also requires the 'Move assets' permission for the subfolder.	[Final] Move subfolders to a different location in the folder hierarchy. For example, move Folder C out of Folder B, without moving Folder B itself. In environments with fixed folder mode, this action also requires the 'Move assets' permission for the subfolder.	permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("") && context has direction && context.direction == "out"}; permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("") && context has direction && context.direction == "in"}; permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")};
cld::policy::content::folder::moderate	[Final] Approve or reject assets in the folder and its subfolders via the Moderation page in the Media Library. Moderating assets also requires the global 'Access the Moderation page' permission.	[Final] Approve or reject assets in the folder and its subfolders via the Moderation page in the Media Library. Moderating assets also requires the global 'Access the Moderation page' permission.	permit(principal, action == Cloudinary::Action::"moderate", resource is Cloudinary::Asset) when {resource.ancestor_ids.contains("")};
cld::policy::content::folder::manage_public_link	[Final] Create, view, update, and delete public links for assets in the folder and its subfolders, including setting access date ranges.	[Final] Create, view, update, and delete public links for assets in the folder and its subfolders, including setting access date ranges.	permit (principal, action, resource is Cloudinary::PublicLink) when {resource.subject_type=="asset" && resource.subject_ancestor_ids.contains("")};
cld::policy::content::folder::edit_access_control	[Final] Set asset access control for assets in the folder and its subfolders to 'Public' or 'Restricted', with optional date-based rules for limited-time public access.	[Final] Set asset access control for assets in the folder and its subfolders to 'Public' or 'Restricted', with optional date-based rules for limited-time public access.	permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains("") && !["authenticated", "private"].contains(resource.resource_type) && !resource.has_access_control};
cld::policy::content::folder::invite	[Final] Manage user and group access to the folder and its subfolders.	[Final] Manage user and group access to the folder and its subfolders.	permit(principal, action == Cloudinary::Action::"invite", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains("")};

System role and policy reference

Error