System role and policy reference
Last updated: Sep-04-2025
Cloudinary provides predefined system policies and system roles to help you manage access to features, assets, and operations across your account.
System policies: Predefined permission policies offered by Cloudinary. These are the building-blocks of all roles. Browse the list of system policies so that you can know which policies to use when building your custom roles. For more information, see Policies and permissions.
System roles: Built-in roles provided by Cloudinary. They're ready as-is to assign directly to principals (users, groups, or API keys). Browse the list of available system roles and which permissions they grant. For more information, see System roles vs. custom roles.
How you can help:
- Use Roles and Permissions Management in real projects, prototypes, or tests.
- Share feedback, issues, or ideas with our support team.
Thank you for exploring this early release and helping us shape these tools to best meet your needs.
System policy reference
This section lists all system policies provided by Cloudinary, including each policy’s ID, name, and description.
Understand what your existing roles that include the policies allow.
Decide which permissions to include in custom roles that you're creating.
Look up the
system_policy_IDto reference the policy you want to include when creating a custom role.Examine the policy statements, which define the actions that the policy allows on specific Cloudinary resources, written in Cedar language. For more information, see Understanding the policy_statement.
For more background information about system policies, see Role-based permissions overview.
For more details on system policies, see Manage roles.
Global permissions
Account settings
You can assign the permissions in this section to groups and users through roles. You can also assign these roles to API keys for actions that are available programmatically.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::account_information::manage | Manage account information | Edit basic account information, such as account name and product environment display name, in the Console. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::account_information::manage"); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Account); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Account); |
| cld::policy::global::account_api_keys::manage | Manage account API keys | View account API keys that authenticate the Provisioning and Permissions APIs, update their details, and generate new key pairs. | permit(principal, action, resource is Cloudinary::AccountAPIKey); permit(principal, action, resource is Cloudinary::ProvisioningKey); permit(principal, action, resource == Cloudinary::Feature::"cld::global::account_api_keys::manage"); |
| cld::policy::global::product_environments::view | View product environments | View a list of all product environments in the account and their associated details. This doesn't grant access to the product environments or their contents. | permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::ProductEnvironment); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::view"); |
| cld::policy::global::product_environments::manage | Manage product environments | View, add, and remove product environments in the account, and update their associated details. This doesn't grant access to the product environments or their contents. | permit (principal, action, resource is Cloudinary::ProductEnvironment); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::create"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::delete"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::product_environments::update"); |
| cld::policy::global::users_and_groups::view | View users and groups | View all users and groups in the account and their group memberships. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::User); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Group); permit(principal, action, resource == Cloudinary::Feature::"cld::global::groups::view"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::users::view"); |
| cld::policy::global::users_and_groups::manage | Manage users and groups | View, add, and remove users and groups in the account, and manage group memberships. | permit (principal, action , resource is Cloudinary::User); permit (principal, action, resource is Cloudinary::Group); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::create"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::update"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::users::delete"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::create"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::update"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::groups::delete"); |
| cld::policy::global::account_security::view | View account security settings | View account-wide security settings related to authentication, access control, and user privacy. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::account::view"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Account); |
| cld::policy::global::account_security::manage | Manage account security settings | Define account-wide security settings related to authentication, access control, and user privacy. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::account::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::account::update"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Account); permit (principal, action == Cloudinary::Action::"update", resource is Cloudinary::Account); |
| cld::policy::global::roles_permissions::manage | Manage roles and permissions | View, create, update, and delete all roles, define their permissions, and assign roles to users, groups, API keys, and other resources. | permit (principal, action, resource is Cloudinary::Role); permit (principal, action, resource == Cloudinary::Feature::"cld::global::roles_permissions::manage"); |
| cld::policy::global::billing::view | View Billing | View plan details, add-on subscriptions, and current usage and billing information. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::billing::view"); |
| cld::policy::global::billing::manage | Manage Billing | View and manage all billing-related information, including plan details, payment method, and add-on subscriptions. To purchase add-ons for additional users or product environments, this permission must be paired with the 'View users and groups' and 'View product environments' permissions, respectively. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::billing::view"); permit (principal, action, resource == Cloudinary::Feature::"cld::global::billing::update"); |
Product environment settings
You can assign the permissions in this section to users and groups through roles.
You can assign 'View API keys' and 'Manage API keys' permissions to account-level API keys.
You can assign other permissions listed below, if available programmatically, to product environment API keys.
The table below describes each permission and what it allows:
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::api_keys::view | View API keys | View all API keys and associated details. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::APIKey); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::view"); |
| cld::policy::global::api_keys::manage | Manage API keys | View, create, and delete API keys, and update their associated details. | permit(principal, action, resource is Cloudinary::APIKey); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::view"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::create"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::update"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::api_keys::delete"); |
| cld::policy::global::upload_presets::manage | Manage upload settings | View, create, modify, or delete upload settings, such as upload presets, upload mappings, and upload defaults. | permit(principal, action, resource is Cloudinary::UploadPreset); permit(principal, action, resource is Cloudinary::UploadMapping); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment); permit(principal, action, resource == Cloudinary::Feature::"cld::global::upload_settings::manage"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::upload_settings::access"); |
| cld::policy::global::backup_settings::Manage | Manage backup settings | Manage backup settings, including selecting a backup location and enabling or disabling backup for newly uploaded assets. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::backup_settings::manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment); |
| cld::policy::global::initiate_backup_settings::Manage | Back up existing assets | Initiate a backup for all existing assets. | permit(principal, action == Cloudinary::Action::"initiate_backup", resource is Cloudinary::ProductEnvironment); |
| cld::policy::global::bulk_delete::Manage | Access Bulk Delete settings | Delete assets in bulk based on filter criteria from the Bulk Delete page in Console Settings. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::bulk_delete::manage"); permit(principal, action == Cloudinary::Action::"bulk_delete", resource is Cloudinary::ProductEnvironment); |
| cld::policy::global::optimization_settings::manage | Manage optimization settings | Define optimization settings such as image and video quality, and handling of CMYK in derived images. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::optimization_settings::Manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment); |
| cld::policy::global::delivery_settings::manage | Manage delivery settings | Define access control list (ACL) conditions and rules in the Console to control who can access assets. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::delivery_settings::manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment); |
| cld::policy::global::webhook_notifications::view | View webhook notifications | View webhook notification URLs the event types sent to each one. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Trigger); |
| cld::policy::global::webhook_notifications::manage | Manage webhook notifications | View, create, and delete webhook notification URLs, and manage the event types sent to each one. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::view"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::create"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::update"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::webhook_notifications::delete"); permit(principal, action, resource is Cloudinary::Trigger); |
| cld::policy::global::prodenv_security::manage | Manage product environment security settings | Configure security settings that control how the assets in your product environment can be delivered. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::prodenv_security::manage"); permit(principal, action == Cloudinary::Action::"update_settings", resource is Cloudinary::ProductEnvironment); |
Dashboard and reports
You can assign the permissions in this section to groups and users through roles.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::ml_dashboard::access | Access the Assets Dashboard | View the Assets Dashboard, including usage summaries and trend graphs. Access is limited to data the user is permitted to see. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_dashboard::access"); |
| cld::policy::global::reports::delivery::view | View Delivery Reports | View detailed media delivery analytics, such as bandwidth and request usage, top-performing assets and transformations, referral domains, and formats. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::reports::delivery::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when {resource.type == "delivery"}; |
| cld::policy::global::reports::errors::view | View Error Reports | View delivery error trends, including any errors generated from API calls or delivery URL requests. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::reports::errors::view"); |
| cld::policy::global::reports::monthly::view | View Monthly Value Reports | View metrics that highlight Cloudinary’s added value, such as bandwidth savings and time saved through automation. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::reports::monthly::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when {resource.type == "monthly_report"}; |
| cld::policy::global::reports::auto_monthly::view | Access Monthly Usage Reports | Enable or disable email delivery of the 'Monthly Usage Report' from email preferences in the Console. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::reports::auto_monthly::view"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when { resource.type == "auto_monthly_report" }; |
| cld::policy::global::reports::usage::view | Access Usage Reports | Access and view the new usage report (Jul 7: this page is still WIP) | permit (principal, action, resource == Cloudinary::Feature::"cld::global::reports::usage::view"); permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Report) when { resource.type == "env_usage" }; |
Cloudinary Image
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::image::access | Access Cloudinary Image | Access Cloudinary Image in the Console and use the Transformation Builder for single and bulk transformations, including within the Media Library. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::image::access"); |
| cld::policy::global::unnamed_transformations::view | View unnamed transformations | View unnamed transformations that were applied to assets. | permit (principal, action == Cloudinary::Action::"read", resource is Cloudinary::Transformation) when { resource.named == false }; permit (principal, action, resource == Cloudinary::Feature::"cld::global::unnamed_transformations::view"); |
| cld::policy::global::unnamed_transformations::manage | Manage unnamed transformations | Manage unnamed transformations, including deleting them and configuring whether they can be used when Strict Transformations are enabled. | permit(principal, action, resource is Cloudinary::Transformation) when {resource.named == false}; permit (principal, action, resource == Cloudinary::Feature::"cld::global::unnamed_transformations::manage"); |
| cld::policy::global::named_transformations::view | View all named transformations | View all named transformations and the individual transformations they include. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Transformation) when { resource.named == true}; permit(principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::view"); |
| cld::policy::global::named_transformations::delete | Delete all named transformations | Delete all existing named transformations. | permit (principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Transformation) when { resource.named == true }; permit (principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::delete"); |
| cld::policy::global::named_transformations::update | Update all named transformations | Update existing named transformations | permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Transformation) when {resource.named == true}; permit(principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::update"); |
| cld::policy::global::named_transformations::create | Create named transformations | Create new named transformations. | permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Transformation) when {resource.named == true}; permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Transformation) when {resource.named == true}; permit(principal, action, resource == Cloudinary::Feature::"cld::global::named_transformations::create"); |
Cloudinary Video
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::video::access | Access Cloudinary Video | Access Cloudinary Video in the Console, including tools for managing video assets, customizing video players, and previewing transformed video content. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::video::access"); |
| cld::policy::global::video:video_analytics::view | View Video Analytics | View Video Player performance metrics in the Video Analytics page, including plays, watch time, unique viewers, and top-performing videos. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::video_analytics::view"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::VideoAnalyticsView); |
| cld::policy::global::video:live_streams::manage | Manage live streams | Create, update, and delete live stream entries, configure stream settings, and access live stream details. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::live_streams::manage"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::LiveStream); permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::LiveStream); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::LiveStream); permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::LiveStream); |
| cld::policy::global::video_player_profiles::manage | Manage Video Player profiles | Create, edit, and apply video player profiles to control player appearance and behavior, with access to the Video Player Studio for visual customization. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::video_player_profiles::manage"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::VideoPlayerProfile); permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::VideoPlayerProfile); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::VideoPlayerProfile); permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::VideoPlayerProfile); |
Management via Assets and APIs
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::structured_metadata::access | Manage structured metadata fields | Create and manage structured metadata fields, define conditional rules, and configure datasources (list values) for single and multi-selection fields. | permit(principal, action, resource is Cloudinary::MetadataField); permit(principal, action, resource == Cloudinary::Feature::"cld::global::structured_metadata::access"); |
| cld::policy::global::asset_relation::create | Relate assets | Create and manage relationships between assets. Also requires the 'View assets’ folder permission, or the 'View all folders and assets’ global permission. | permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::AssetRelation); permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::AssetRelation); |
| cld::policy::global::add_ons::run | Use add-ons | Apply functionality from add-ons that are enabled for the account. Note that usage may consume quota based on the add-on plan. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::add_ons::run"); |
| cld::policy::global::folder_and_asset_management::delete | Delete all folders and assets | Delete all folders and assets without requiring specific folder permissions. | permit(principal, action in [Cloudinary::Action::"delete"], resource is Cloudinary::Asset); permit(principal, action in [Cloudinary::Action::"delete"], resource is Cloudinary::Folder); |
| cld::policy::global::folder_and_asset_management::view | View all folders and assets | View all folders and assets without requiring specific folder asset permissions. Downloading requires a separate permission. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Folder); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::MetadataField); permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::MetadataField) when { resource has allow_dynamic_list_values && resource.allow_dynamic_list_values == true }; |
| cld::policy::global::folder_and_asset_management::public::download | Download all folders and their public assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. | permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { !["authenticated", "private"].contains(resource.resource_type) && !resource.has_access_control}; permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Folder); |
| cld::policy::global::folder_and_asset_management::restricted::download | Download all folders and their restricted assets | Download all folders and their assets with access control set to 'Public'. The download is a ZIP file, and the root folder can't be downloaded. | permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { (["authenticated", "private"].contains(resource.resource_type)) \ |
| cld::policy::global::folder_and_asset_management::create_folder | Create folders in all locations | Create folders anywhere within the folder hierarchy without requiring specific folder permissions. | permit(principal, action in [Cloudinary::Action::"create", Cloudinary::Action::"read"], resource is Cloudinary::Folder); |
| cld::policy::global::folder_and_asset_management::create_asset | Upload assets | Upload assets to any folder, including the root, without requiring specific folder permissions. Includes the option to select an upload preset and apply tags and metadata. | permit(principal, action in [Cloudinary::Action::"create"], resource is Cloudinary::Asset); |
| cld::policy::global::folder_and_asset_management::update | Update all folders and assets | Move, rename, and overwrite all folders and assets without requiring specific folder permissions. | permit(principal, action in [Cloudinary::Action::"update"], resource is Cloudinary::Asset); permit(principal, action in [Cloudinary::Action::"update"], resource is Cloudinary::Folder); permit(principal, action in [Cloudinary::Action::"rename"], resource is Cloudinary::Asset); permit(principal, action in [Cloudinary::Action::"rename"], resource is Cloudinary::Folder); permit(principal, action in [Cloudinary::Action::"move"], resource is Cloudinary::Folder); permit(principal, action in [Cloudinary::Action::"move"], resource is Cloudinary::Asset); |
| cld::policy::global::folder_and_asset_management::update_access_control | Update access control for all assets | Change access control settings for all assets between 'Public' and 'Restricted' without requiring specific folder permissions. | permit(principal, action == Cloudinary::Action::"update_access_control", resource is Cloudinary::Asset); |
| cld::policy::global:::restore | Restore deleted assets | Restore all deleted assets. | permit(principal, action == Cloudinary::Action::"restore", resource is Cloudinary::Asset); permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Folder); permit(principal, action, resource == Cloudinary::Feature::"cld::global::assets::restore"); |
Management via Assets
You can assign the permissions in this section to users and groups through roles.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::basic_portals::access | Manage basic portals | Manage all portals with full create, read, update, and delete permissions. | permit(principal, action, resource is Cloudinary::Portal); permit(principal, action == Cloudinary::Action::"read", resource == Cloudinary::Feature::"cld::global::basic_portals::access"); permit(principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "portal"}; |
| cld::policy::global::ml_preferences::manage | Set Media Library Preferences | Control the way the Media Library looks and behaves for all users in the product environment. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_preferences::access"); permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml_preferences::update"); |
| cld::policy::global::activity_reports::access | View and generate activity reports | View and generate reports that list all account management activities and product environment actions. | permit (principal, action, resource is Cloudinary::Report) when {resource.type=="audit_log"}; permit (principal, action, resource == Cloudinary::Feature::"cld::global::activity_reports::access"); |
| cld::policy::global::moderation_queue::access | Access the Moderation page | Access the Moderation page. To view assets on this page, pair this permission with the 'View assets' folder permission, or 'View all folders and assets' global permission. To also approve or reject assets, pair it with 'Moderate assets' folder permission or 'Moderate all assets' global permission. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::moderation_queue::access"); |
| cld::policy::global::ml::access | Access the Media Library | Access the Media Library within the Console. Without this permission, users can't view any assets. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::ml::access"); |
| cld::policy::global::marketplace:manage | Manage the Assets App Marketplace | Manage the App Marketplace by enabling or disabling apps that extend DAM functionality based on company needs. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::app_marketplace::access"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::DamApp); permit(principal, action == Cloudinary::Action::"subscribe", resource is Cloudinary::DamApp); permit(principal, action == Cloudinary::Action::"unsubscribe", resource is Cloudinary::DamApp); |
| cld::policy::global::marketplace:read | Use DAM Apps | Access and use DAM apps that have been enabled from the Assets App Marketplace, directly within the Media Library. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::DamApp); |
| cld::policy::global::smd:bulk_upload | Bulk update structured metadata via CSV | Upload a CSV file to bulk update structured metadata fields across multiple assets. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::update_smd_by_csv:access"); permit(principal, action in [Cloudinary::Action::"create", Cloudinary::Action::"read"], resource is Cloudinary::Folder) when { resource.path like "cld_system_files*"}; |
| cld::policy::global::delivery_url::access | Access delivery URLs via the Console | Access delivery URLs of original and transformed assets, including the ability to view, copy, and open them in a new tab. Access is limited to assets the user is permitted to view. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::delivery_url::access"); |
| cld::policy::global::comments::delete | Delete asset comments | Delete the user’s own comments on assets. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::comments::delete"); |
| cld::policy::global::automation::access | Create EasyFlows from the Media Library | Create EasyFlows within the Media Library to streamline Assets workflows. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::automation::access"); |
| cld::policy::global::creative_approval_proofs::create | Start creative approval proofs | Create a proof using assets the user can view based on their 'View assets' folder permission or the 'View all folders and assets' global permission. Start the proof in a creative approval flow. | permit (principal, action == Cloudinary::Action::"create", resource is CreativeApproval::Proof); permit (principal, action == Cloudinary::Action::"read", resource is CreativeApproval::Template); permit (principal, action, resource == Cloudinary::Feature::"cld::global::creative_approval_proofs::create"); |
| cld::policy::global::assets::moderate | Moderate all assets | Approve and reject all assets in moderation. To perform these actions from the Moderation page, pair this permission with 'Access the Moderation page'. To view the assets on the page, pair it with the 'View all folders and assets' global permission. | permit(principal, action == Cloudinary::Action::"moderate", resource is Cloudinary::Asset); |
| cld::policy::global::public_links::manage | Manage public links | Create, view, update, and delete public links to share collections externally. Also allows sharing assets directly, provided the user has view access through either the 'View assets' folder permission or the 'View all folders and assets' global permission. | permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "asset" }; permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "collection" }; permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "portal" }; |
| cld::policy::global::folders::share | Share all folders | Share all folders within the folder hierarchy without requiring specific folder permissions. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::folders::share"); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Role); permit(principal, action == Cloudinary::Action::"invite", resource is Cloudinary::Folder); |
| cld::policy::global::collections::create | Create (non-dynamic) collections | Create non-dynamic collections. | permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Collection); |
| cld::policy::global::collections::view | View all (non-dynamic) collections | View all non-dynamic collections and the assets inside them without requiring folder permissions. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Collection); |
| cld::policy::global::collections::update | Manage all (non-dynamic) collections | Manage all non-dynamic collections. Includes renaming collections and adding or removing assets the user view can via the 'View assets' collection permission or the 'View all folders and assets' global permission. | permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"add_asset", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"remove_asset", resource is Cloudinary::Collection); permit(principal, action == Cloudinary::Action::"create",resource is Cloudinary::PublicLink) when {resource.subject_type=="collection"}; |
| cld::policy::global::collections::invite | Invite to all (non dynamic) collections | Invite other users to access all non-dynamic collections and assign them different permission levels. | permit(principal, action == Cloudinary::Action::"invite", resource is Cloudinary::Collection); |
| cld::policy::global::dynamic_collections::manage | Manage all dynamic collections | Create, update, publicly share, and delete dynamic collections, as well as view all assets included in them. | permit(principal, action, resource is Cloudinary::DynamicCollection); permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset); permit (principal,action == Cloudinary::Action::"create", resource is Cloudinary::PublicLink) when {resource.subject_type=="collection"}; |
Other Cloudinary products
You can assign the permissions in this section to users and groups through roles. You can also assign these permissions to product environment API keys for actions that are available programmatically.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::global::media_flows::access | Access MediaFlows | Access MediaFlows in the Console to build, view, and manage visual workflows for automating media-related tasks. | permit(principal, action, resource == Cloudinary::Feature::"cld::global::media_flows::access"); |
| cld::policy::global::media_flows::manage | Manage all MediaFlows | Create, update, and delete all PowerFlows and EasyFlows. | permit (principal, action == MediaFlows::Action::"create", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"create", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"update", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"update", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"delete", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"delete", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::EasyFlow); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::PowerFlow); permit (principal, action == MediaFlows::Action::"read_details", resource is MediaFlows::LogEntry); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::LogEntry); |
| cld::policy::global::media_flows::usage_n_plane::view | View MediaFlows usage and plan details | View current MediaFlows plan details, credit usage, and usage breakdowns across all product environments. | permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::Usage); permit (principal, action == MediaFlows::Action::"read", resource is MediaFlows::Plan); |
| cld::policy::global::final_touch::access | Access FinalTouch | Access the FinalTouch product to create, customize, and publish product galleries and shoppable experiences using Cloudinary assets. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::final_touch::access"); |
| cld::policy::global::cloudinary_3d::access | Access Cloudinary 3D | Access the Cloudinary 3D product to upload, manage, and preview 3D assets within the Console. | permit (principal, action, resource == Cloudinary::Feature::"cld::global::cloudinary_3d::access"); |
Folder permissions
You can assign the permissions in this section to users, groups, or product environment API keys through folder roles.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::content::folder::view_download | View assets | View all assets in the folder and its nested subfolders. | permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::download_public_assets | Download public assets | Download all assets marked as 'Public' in the folder and its subfolders. | permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::download_restricted_assets | Download restricted assets | Download all assets marked as 'Restricted' in the folder and its subfolders. | permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::add_assets | Add assets | Add assets to the folder by uploading new files, saving an asset as new, or moving existing assets from other folders. Tags and structured metadata can be applied during upload. | permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::create_subfolders | Create subfolders | Create subfolders or move existing folders into this folder. | permit(principal, action == Cloudinary::Action::"create", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::update_assets | Edit assets and metadata | Perform actions on assets in the folder and its subfolders, including replacing and editing assets, restoring versions, and updating tags, structured metadata, and contextual metadata. | permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::rename_subfolders | Rename subfolders | Rename subfolders within the folder. This doesn't include permission to rename the folder itself. | permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource != Cloudinary::Folder::" |
| cld::policy::content::folder::rename_assets | Rename assets | Edit the display names and public IDs of assets in the folder and its subfolders. In the legacy fixed-folder mode, renaming a public ID also requires the ‘Move assets’ permission. | permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::delete_assets | Delete assets | Delete assets in the folder and its subfolders. | permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::delete_subfolders | Delete subfolders | Delete subfolders within the folder. To delete subfolders that contain assets, the user must also have the 'Delete assets' permission for those subfolders. | permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Folder) when { resource != Cloudinary::Folder::" |
| cld::policy::content::folder::move_assets | Move assets | Move assets between folders. This action also requires the 'Add assets' permission for the destination folder. | permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::delete | Delete folder | Delete the folder and its contents. If the folder contains assets, the user must also have the 'Delete assets' permission for the folder. This action is limited to folders with 1,000 assets or fewer. | permit(principal, action == Cloudinary::Action::"delete", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::rename | Rename folder | Rename the folder and its subfolders. This action isn't available in fixed folder mode. | permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::move | Move folder | Move the folder and all of its contents to a different location in the folder hierarchy. For example, move Folder A (and its subfolder B) into a new parent folder. In fixed folder mode, this action also requires the 'Move assets' permission for the folder. | permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::move_subfolders | Move subfolders | Move subfolders to a different location in the folder hierarchy. For example, move Folder C out of Folder B, without moving Folder B itself. In fixed folder mode, this action also requires the 'Move assets' permission for the subfolder. | permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"move", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" permit(principal, action == Cloudinary::Action::"rename", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::moderate | Moderate assets | Approve or reject assets in the folder and its subfolders. To view these assets on the Moderation page, pair this with the global 'Access the Moderation page' permission, along with either 'View assets' folder permission or 'View all folders and assets' global permission. | permit(principal, action == Cloudinary::Action::"moderate", resource is Cloudinary::Asset) when {resource.ancestor_ids.contains(" |
| cld::policy::content::folder::manage_public_link | Manage public link to assets | Create, view, update, and delete public links for assets in the folder and its subfolders, including setting access date ranges. | permit (principal, action, resource is Cloudinary::PublicLink) when {resource.subject_type=="asset" && resource.subject_ancestor_ids.contains(" |
| cld::policy::content::folder::edit_access_control | Edit access control | Set asset access control to 'Public' or 'Restricted' for assets in a folder and its subfolders, with an optional date range for public access. | permit(principal, action == Cloudinary::Action::"update", resource is Cloudinary::Asset) when { resource.ancestor_ids.contains(" |
| cld::policy::content::folder::invite | Share with users/groups | Manage user and group access to the folder and its subfolders. Users can only assign and remove permission levels that are equal to or lower than their own for that folder. | permit(principal, action == Cloudinary::Action::"invite", resource is Cloudinary::Folder) when { resource.ancestor_ids.contains(" |
Collection permissions
You can assign the permissions in this section to users and groups through collection roles.
| Policy ID | Name | Description | Policy Statement |
|---|---|---|---|
| cld::policy::content::collection::view | View assets | View the collection and all the assets in it without requiring global or folder permissions for those assets. | permit(principal, action == Cloudinary::Action::"read", resource == Cloudinary::Collection::" permit(principal, action == Cloudinary::Action::"read", resource is Cloudinary::Asset) when { resource has collection_ids && resource.collection_ids.contains(" |
| cld::policy::content::collection::download_public_assets | Download public assets | Download all assets marked as 'Public' in the collection without requiring global or folder permissions. | permit(principal, action == Cloudinary::Action::"download", resource == Cloudinary::Collection::" permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource has collection_ids && resource.collection_ids.contains(" |
| cld::policy::content::collection::download_restricted_assets | Download restricted assets | Download all assets marked as 'Restricted' in the collection without requiring global or folder permissions. | permit(principal, action == Cloudinary::Action::"download", resource == Cloudinary::Collection::" permit(principal, action == Cloudinary::Action::"download", resource is Cloudinary::Asset) when { resource has collection_ids && resource.collection_ids.contains(" |
| cld::policy::content::collection::add_assets | Add assets | Add assets to the collection. Users can only add assets they are permitted to view via the 'View assets' folder permission or the 'View all folders and assets' global permission. | permit(principal, action == Cloudinary::Action::"add_asset", resource == Cloudinary::Collection::" |
| cld::policy::content::collection::remove_assets | Remove assets | Remove assets from the collection. Users can only remove assets they are permitted to view via the 'View assets' folder permission or the 'View all folders and assets' global permission. | permit(principal, action == Cloudinary::Action::"remove_asset", resource == Cloudinary::Collection::" |
| cld::policy::content::collection::update | Edit collection | Rename the collection and edit its description. | permit(principal, action == Cloudinary::Action::"update", resource == Cloudinary::Collection::" |
| cld::policy::content::collection::delete | Delete collection | Delete the collection. This action doesn't affect the assets in it. | permit(principal, action == Cloudinary::Action::"delete", resource == Cloudinary::Collection::" |
| cld::policy::content::collection::mange_public_link | Manage public link | View, create, copy, update, configure, and delete the public link for a collection. | permit (principal, action, resource is Cloudinary::PublicLink) when { resource.subject_type == "collection" && resource.subject_id == " permit(principal, action, resource == Cloudinary::Collection::" permit (principal, action, resource is Cloudinary::PublicLink) when {resource.subject_type=="asset" && resource has subject_collection_ids && resource.subject_collection_ids.contains(" |
| cld::policy::content::collection::invite | Invite users and groups | Invite users and groups to a collection, and add, edit, or remove their permissions. Users can only assign and remove permission levels that are equal to or lower than their own for that collection. | permit(principal, action == Cloudinary::Action::"invite", resource == Cloudinary::Collection::" |
System role reference
This section lists all system roles, including each role's ID, name, description. Below each group of roles, you'll see the policy IDs for all the policies it includes.
You can use this list to:
Decide which role to assign to a user, group, or API key.
Look up the role ID when assigning the role.
Review the system policies granted by roles that are already in use.
For more background information about system policies, see Role-based permissions overview.
For more information on system roles, see Manage roles.
Global roles
Account-level roles
You can assign the permissions in this section to groups and users through roles. You can also assign these roles to API keys for actions that are available programmatically.
| Role ID | Role Name | Description | Policy IDs |
|---|---|---|---|
| cld::role::account::master_admin | Master Admin | Manage all account-level settings and features. | 18 policies (see list below) |
| cld::role::account::admin | Admin | Manage roles, users, and groups, and access all products in the Console. | 9 policies (see list below) |
| cld::role::account::billing | Billing | Manage account-level billing, usage reports, add-ons, and upgrades. | 4 policies (see list below) |
| cld::role::account::reports | Reports | Access account-level reporting details. | 6 policies (see list below) |
| cld::role::account::tech_admin | Tech Admin | Access all products (except MediaFlows) in the Console, and manage support. | 5 policies (see list below) |
| cld::role::account::mediaflows_admin | MediaFlow Admin | Manage MediaFlows plan and usage details, plus add-ons, account information, account API keys, and product environments. | 5 policies (see list below) |
Master Admin - Full Policy List:
• cld::policy::global::add_ons::run
• cld::policy::global::account_information::manage
• cld::policy::global::account_api_keys::manage
• cld::policy::global::product_environments::view
• cld::policy::global::product_environments::manage
• cld::policy::global::users_and_groups::view
• cld::policy::global::users_and_groups::manage
• cld::policy::global::account_security::view
• cld::policy::global::account_security::manage
• cld::policy::global::roles_permissions::manage
• cld::policy::global::billing::view
• cld::policy::global::billing::manage
• cld::policy::global::reports::monthly::view
• cld::policy::global::reports::auto_monthly::view
• cld::policy::global::image::access
• cld::policy::global::media_flows::usage_n_plane::view
• cld::policy::global::final_touch::access
• cld::policy::global::cloudinary_3d::access
• cld::policy::global::add_ons::run
• cld::policy::global::users_and_groups::view
• cld::policy::global::users_and_groups::manage
• cld::policy::global::roles_permissions::manage
• cld::policy::global::reports::monthly::view
• cld::policy::global::image::access
• cld::policy::global::media_flows::usage_n_plane::view
• cld::policy::global::final_touch::access
• cld::policy::global::cloudinary_3d::access
• cld::policy::global::product_environments::view
• cld::policy::global::users_and_groups::view
• cld::policy::global::billing::view
• cld::policy::global::billing::manage
• cld::policy::global::reports::monthly::view
• cld::policy::global::reports::auto_monthly::view
• cld::policy::global::image::access
• cld::policy::global::media_flows::usage_n_plane::view
• cld::policy::global::final_touch::access
• cld::policy::global::cloudinary_3d::access
Tech Admin - Full Policy List:
• cld::policy::global::add_ons::run
• cld::policy::global::reports::monthly::view
• cld::policy::global::image::access
• cld::policy::global::final_touch::access
• cld::policy::global::cloudinary_3d::access
MediaFlow Admin - Full Policy List:
• cld::policy::global::add_ons::run
• cld::policy::global::account_information::manage
• cld::policy::global::account_api_keys::manage
• cld::policy::global::product_environments::view
• cld::policy::global::media_flows::usage_n_plane::view
Product environment-level roles
You can assign the permissions in this section to users and groups through roles.
You can assign 'View API keys' and 'Manage API keys' permissions to account-level API keys.
You can assign other permissions listed below, if available programmatically, to product environment API keys.
| Role ID | Role Name | Description | Policy IDs |
|---|---|---|---|
| cld::role::prodenv::billing | Billing | Access billing reports for product environment usage. | cld::policy::global::reports::usage::view |
| cld::role::prodenv::master_admin | Master Admin | Fully manage all product environments, including settings, product features, dashboards, and reports. | 57 policies (see list below) |
| cld::role::prodenv::admin | Admin | Manage product environment, including Console Settings, product features, and relevant dashboards and reports. | 53 policies (see list below) |
| cld::role::prodenv::tech_admin | Tech Admin | Manage product environment, including Console Settings, key product features (except MediaFlows), and relevant dashboards and reports. | 49 policies (see list below) |
| cld::role::prodenv::ml_admin | Media Library Admin | Full Media Library access, plus Transformations, Creative Approval, and App Marketplace. Excludes structured metadata management. | 31 policies (see list below) |
| cld::role::prodenv::ml_user | Media Library User | Access specific folders and collections according to assigned permissions. |
cld::policy::global::ml::accesscld::policy::global::comments::delete
|
| cld::role::prodenv::reports | Reports | Access product environment reporting details only. | 7 policies (see list below) |
Other product environment-level roles
| Role ID | Role Name | Description | Policy IDs |
|---|---|---|---|
| cld::role::prodenv::mediaflows_admin | MediaFlow Admin | Manage MediaFlows, structured metadata, API keys, and webhooks, with EasyFlows access via the Media Library. | 7 policies (see list below) |
| cld::role::prodenv::viewer | Viewer | View all folders and assets, with access to the Media Library. |
cld::policy::global::ml::accesscld::policy::global::folder_and_asset_management::view
|
| cld::role::prodenv::contributor | Contributor | All legacy Viewer permissions, plus upload assets and share all folders. | 5 policies (see list below) |
| cld::role::prodenv::editor | Editor | All legacy Contributor permissions, plus moderate, delete, and download all assets, and create folders. | 13 policies (see list below) |
| cld::role::prodenv::moderator | Moderator | Moderate all assets, with Media Library and Moderation page access. Visibility limited to assets the user can view. | 5 policies (see list below) |
| cld::role::prodenv::access_to_delivery_url | Delivery URL Viewer | Access original and transformed delivery URLs in the Media Library for assets the user can view. | 4 policies (see list below) |
| cld::role::prodenv::can_invite | Collection Sharing | Invite other users to non-dynamic collections. | 4 policies (see list below) |
| cld::role::prodenv::can_create_collections | Collection Creator | Create non-dynamic collections. | 4 policies (see list below) |
| cld::role::prodenv::proof_creator | Proof Creator | Create proofs from assets the user can view. |
cld::policy::global::ml::accesscld::policy::global::asset_relation::createcld::policy::global::comments::delete
|
Master Admin - Full Policy List:
• cld::policy::global::basic_portals::access
• cld::policy::global::ml_preferences::manage
• cld::policy::global::ml_dashboard::access
• cld::policy::global::activity_reports::access
• cld::policy::global::structured_metadata::access
• cld::policy::global::moderation_queue::access
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::marketplace:manage
• cld::policy::global::marketplace:read
• cld::policy::global::smd:bulk_upload
• cld::policy::global::delivery_url::access
• cld::policy::global::portals::view
• cld::policy::global::comments::delete
• cld::policy::global::automation::access
• cld::policy::global::assets::moderate
• cld::policy::global::folder_and_asset_management::delete
• cld::policy::global::folder_and_asset_management::view
• cld::policy::global::folder_and_asset_management::public::download
• cld::policy::global::folder_and_asset_management::restricted::download
• cld::policy::global::folder_and_asset_management::create_folder
• cld::policy::global::folder_and_asset_management::create_asset
• cld::policy::global::folder_and_asset_management::update
• cld::policy::global::folder_and_asset_management::update_access_control
• cld::policy::global:::restore
• cld::policy::global::public_links::manage
• cld::policy::global::folders::share
• cld::policy::global::collections::create
• cld::policy::global::collections::view
• cld::policy::global::collections::update
• cld::policy::global::collections::invite
• cld::policy::global::dynamic_collections::manage
• cld::policy::global::api_keys::view
• cld::policy::global::api_keys::manage
• cld::policy::global::upload_presets::manage
• cld::policy::global::backup_settings::Manage
• cld::policy::global::initiate_backup_settings::Manage
• cld::policy::global::optimization_settings::manage
• cld::policy::global::delivery_settings::manage
• cld::policy::global::webhook_notifications::view
• cld::policy::global::webhook_notifications::manage
• cld::policy::global::prodenv_security::manage
• cld::policy::global::reports::delivery::view
• cld::policy::global::reports::errors::view
• cld::policy::global::reports::usage::view
• cld::policy::global::unnamed_transformations::view
• cld::policy::global::unnamed_transformations::manage
• cld::policy::global::named_transformations::view
• cld::policy::global::named_transformations::delete
• cld::policy::global::named_transformations::update
• cld::policy::global::named_transformations::create
• cld::policy::global::video::access
• cld::policy::global::video:video_analytics::view
• cld::policy::global::video:live_streams::manage
• cld::policy::global::video_player_profiles::manage
• cld::policy::global::media_flows::access
• cld::policy::global::media_flows::manage
• cld::policy::global::basic_portals::access
• cld::policy::global::structured_metadata::access
• cld::policy::global::moderation_queue::access
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::marketplace:manage
• cld::policy::global::marketplace:read
• cld::policy::global::smd:bulk_upload
• cld::policy::global::delivery_url::access
• cld::policy::global::portals::view
• cld::policy::global::comments::delete
• cld::policy::global::assets::moderate
• cld::policy::global::folder_and_asset_management::delete
• cld::policy::global::folder_and_asset_management::view
• cld::policy::global::folder_and_asset_management::public::download
• cld::policy::global::folder_and_asset_management::restricted::download
• cld::policy::global::folder_and_asset_management::create_folder
• cld::policy::global::folder_and_asset_management::create_asset
• cld::policy::global::folder_and_asset_management::update
• cld::policy::global::folder_and_asset_management::update_access_control
• cld::policy::global:::restore
• cld::policy::global::public_links::manage
• cld::policy::global::folders::share
• cld::policy::global::collections::create
• cld::policy::global::collections::view
• cld::policy::global::collections::update
• cld::policy::global::collections::invite
• cld::policy::global::dynamic_collections::manage
• cld::policy::global::api_keys::view
• cld::policy::global::api_keys::manage
• cld::policy::global::upload_presets::manage
• cld::policy::global::backup_settings::Manage
• cld::policy::global::initiate_backup_settings::Manage
• cld::policy::global::optimization_settings::manage
• cld::policy::global::delivery_settings::manage
• cld::policy::global::webhook_notifications::view
• cld::policy::global::webhook_notifications::manage
• cld::policy::global::prodenv_security::manage
• cld::policy::global::reports::delivery::view
• cld::policy::global::reports::errors::view
• cld::policy::global::reports::usage::view
• cld::policy::global::unnamed_transformations::view
• cld::policy::global::unnamed_transformations::manage
• cld::policy::global::named_transformations::view
• cld::policy::global::named_transformations::delete
• cld::policy::global::named_transformations::update
• cld::policy::global::named_transformations::create
• cld::policy::global::video::access
• cld::policy::global::video:video_analytics::view
• cld::policy::global::video:live_streams::manage
• cld::policy::global::video_player_profiles::manage
• cld::policy::global::media_flows::access
• cld::policy::global::media_flows::manage
Tech Admin - Full Policy List:
• cld::policy::global::basic_portals::access
• cld::policy::global::structured_metadata::access
• cld::policy::global::moderation_queue::access
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::marketplace:manage
• cld::policy::global::smd:bulk_upload
• cld::policy::global::delivery_url::access
• cld::policy::global::comments::delete
• cld::policy::global::assets::moderate
• cld::policy::global::folder_and_asset_management::delete
• cld::policy::global::folder_and_asset_management::view
• cld::policy::global::folder_and_asset_management::public::download
• cld::policy::global::folder_and_asset_management::restricted::download
• cld::policy::global::folder_and_asset_management::create_folder
• cld::policy::global::folder_and_asset_management::create_asset
• cld::policy::global::folder_and_asset_management::update
• cld::policy::global::folder_and_asset_management::update_access_control
• cld::policy::global:::restore
• cld::policy::global::public_links::manage
• cld::policy::global::folders::share
• cld::policy::global::collections::create
• cld::policy::global::collections::view
• cld::policy::global::collections::update
• cld::policy::global::collections::invite
• cld::policy::global::dynamic_collections::manage
• cld::policy::global::api_keys::view
• cld::policy::global::api_keys::manage
• cld::policy::global::upload_presets::manage
• cld::policy::global::backup_settings::Manage
• cld::policy::global::initiate_backup_settings::Manage
• cld::policy::global::optimization_settings::manage
• cld::policy::global::delivery_settings::manage
• cld::policy::global::webhook_notifications::view
• cld::policy::global::webhook_notifications::manage
• cld::policy::global::prodenv_security::manage
• cld::policy::global::reports::delivery::view
• cld::policy::global::reports::errors::view
• cld::policy::global::reports::usage::view
• cld::policy::global::unnamed_transformations::view
• cld::policy::global::unnamed_transformations::manage
• cld::policy::global::named_transformations::view
• cld::policy::global::named_transformations::delete
• cld::policy::global::named_transformations::update
• cld::policy::global::named_transformations::create
• cld::policy::global::video::access
• cld::policy::global::video:video_analytics::view
• cld::policy::global::video:live_streams::manage
• cld::policy::global::video_player_profiles::manage
Media Library Admin - Full Policy List:
• cld::policy::global::basic_portals::access
• cld::policy::global::moderation_queue::access
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::marketplace:manage
• cld::policy::global::smd:bulk_upload
• cld::policy::global::delivery_url::access
• cld::policy::global::comments::delete
• cld::policy::global::assets::moderate
• cld::policy::global::folder_and_asset_management::delete
• cld::policy::global::folder_and_asset_management::view
• cld::policy::global::folder_and_asset_management::public::download
• cld::policy::global::folder_and_asset_management::restricted::download
• cld::policy::global::folder_and_asset_management::create_folder
• cld::policy::global::folder_and_asset_management::create_asset
• cld::policy::global::folder_and_asset_management::update
• cld::policy::global::folder_and_asset_management::update_access_control
• cld::policy::global:::restore
• cld::policy::global::public_links::manage
• cld::policy::global::folders::share
• cld::policy::global::collections::create
• cld::policy::global::collections::view
• cld::policy::global::collections::update
• cld::policy::global::collections::invite
• cld::policy::global::dynamic_collections::manage
• cld::policy::global::unnamed_transformations::view
• cld::policy::global::unnamed_transformations::manage
• cld::policy::global::named_transformations::view
• cld::policy::global::named_transformations::delete
• cld::policy::global::named_transformations::update
• cld::policy::global::named_transformations::create
• cld::policy::global::reports::delivery::view
• cld::policy::global::reports::errors::view
• cld::policy::global::reports::usage::view
• cld::policy::global::unnamed_transformations::view
• cld::policy::global::video::access
• cld::policy::global::video:video_analytics::view
• cld::policy::global::media_flows::access
MediaFlow Admin - Full Policy List:
• cld::policy::global::structured_metadata::access
• cld::policy::global::ml::access
• cld::policy::global::automation::access
• cld::policy::global::api_keys::manage
• cld::policy::global::webhook_notifications::manage
• cld::policy::global::media_flows::access
• cld::policy::global::media_flows::manage
Contributor - Full Policy List:
• cld::policy::global::ml::access
• cld::policy::global::comments::delete
• cld::policy::global::folder_and_asset_management::view
• cld::policy::global::folder_and_asset_management::create_asset
• cld::policy::global::folders::share
• cld::policy::global::ml::access
• cld::policy::global::comments::delete
• cld::policy::global::assets::moderate
• cld::policy::global::folder_and_asset_management::delete
• cld::policy::global::folder_and_asset_management::view
• cld::policy::global::folder_and_asset_management::public::download
• cld::policy::global::folder_and_asset_management::restricted::download
• cld::policy::global::folder_and_asset_management::create_folder
• cld::policy::global::folder_and_asset_management::create_asset
• cld::policy::global::folder_and_asset_management::update
• cld::policy::global::folder_and_asset_management::update_access_control
• cld::policy::global:::restore
• cld::policy::global::folders::share
• cld::policy::global::moderation_queue::access
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::comments::delete
• cld::policy::global::assets::moderate
Delivery URL Viewer - Full Policy List:
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::delivery_url::access
• cld::policy::global::comments::delete
Collection Sharing - Full Policy List:
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::comments::delete
• cld::policy::global::collections::invite
Collection Creator - Full Policy List:
• cld::policy::global::ml::access
• cld::policy::global::asset_relation::create
• cld::policy::global::comments::delete
• cld::policy::global::collections::create
Folder roles
You can assign the permissions in this section to users, groups, or product environment API keys through folder roles.
| Role ID | Role Name | Description | Policy IDs |
|---|---|---|---|
| cld::role::folder::viewer | Viewer | View all assets but only download public ones. |
cld::policy::content::folder::view_downloadcld::policy::content::folder::download_public_assets
|
| cld::role::folder::contributor | Contributor | Viewer permissions, plus add assets and create subfolders. | 4 policies (see list below) |
| cld::role::folder::editor | Editor | Contributor permissions, plus replace, restore versions, and edit assets and subfolders. | 7 policies (see list below) |
| cld::role::folder::manager | Manager | Editor permissions, plus delete, share, and full download access. | 16 policies (see list below) |
• cld::policy::content::folder::view_download
• cld::policy::content::folder::download_public_assets
• cld::policy::content::folder::download_restricted_assets
• cld::policy::content::folder::add_assets
• cld::policy::content::folder::create_subfolders
• cld::policy::content::folder::update_assets
• cld::policy::content::folder::rename_subfolders
• cld::policy::content::folder::rename_assets
• cld::policy::content::folder::delete_assets
• cld::policy::content::folder::move_assets
• cld::policy::content::folder::delete
• cld::policy::content::folder::rename
• cld::policy::content::folder::move
• cld::policy::content::folder::manage_public_link
• cld::policy::content::folder::edit_access_control
• cld::policy::content::folder::invite
Contributor - Full Policy List:
• cld::policy::content::folder::view_download
• cld::policy::content::folder::download_public_assets
• cld::policy::content::folder::add_assets
• cld::policy::content::folder::create_subfolders
• cld::policy::content::folder::view_download
• cld::policy::content::folder::download_public_assets
• cld::policy::content::folder::add_assets
• cld::policy::content::folder::create_subfolders
• cld::policy::content::folder::update_assets
• cld::policy::content::folder::rename_subfolders
• cld::policy::content::folder::rename_assets
Collection roles
You can assign the permissions in this section to users and groups through collection roles.
| Role ID | Role Name | Description | Policy IDs |
|---|---|---|---|
| cld::role::collection::viewer | Viewer | View all assets but only download public ones. |
cld::policy::content::collection::viewcld::policy::content::collection::download_public_assets
|
| cld::role::collection::distributor | Distributor | Viewer permissions, plus share internally. | 4 policies (see list below) |
| cld::role::collection::collaborator | Collaborator | Viewer permissions, plus edit details and add assets. | 4 policies (see list below) |
| cld::role::collection::manager | Manager | Distributor and Collaborator permissions, plus remove assets, delete collection, share externally, and full download. | 9 policies (see list below) |
• cld::policy::content::collection::view
• cld::policy::content::collection::download_public_assets
• cld::policy::content::collection::download_restricted_assets
• cld::policy::content::collection::add_assets
• cld::policy::content::collection::remove_assets
• cld::policy::content::collection::update
• cld::policy::content::collection::delete
• cld::policy::content::collection::mange_public_link
• cld::policy::content::collection::invite
Collaborator - Full Policy List:
• cld::policy::content::collection::view
• cld::policy::content::collection::download_public_assets
• cld::policy::content::collection::add_assets
• cld::policy::content::collection::update
Distributor - Full Policy List:
• cld::policy::content::collection::view
• cld::policy::content::collection::download_public_assets
• cld::policy::content::collection::mange_public_link
• cld::policy::content::collection::invite
- Role-based permissions: An overview of Cloudinary's role-based permissions solution
- Role management in the Console: UI-based role management
- Manage roles: How to manage roles via API
- Assign roles: How to assign roles via API
- Permissions API reference: Full list of endpoints and schemas
- Define custom policies: Create and apply policies outside of roles
Error
Rate this page:
