> ## Documentation Index
> Fetch the complete documentation index at: https://cloudinary.com/documentation/llms.txt
> Use this file to discover all available pages before exploring further.

# Digital rights management


The Cloudinary Assets product provides ways to control digital rights for the assets in your product environment, including watermarks, asset expiration, access control, and roles and permissions.

In addition, Assets enterprise customers can request access to [FADEL’s Rights Cloud](dam_admin_fadel_integration) platform directly within Cloudinary.

## Access control modes

When working with Cloudinary's API, there are a few ways you can control who can access an asset and when:

* **Setting a delivery type**: You can store an asset with an authenticated or private delivery type to control who can access it. If you apply this delivery type, the asset’s delivery status displays in the Media Library with an icon. However, you can only apply or change this setting programmatically via the API, not through the Media Library. For more details, see [Media access control on delivery](control_access_to_media). 

* **Applying the `access_control` option**: You can apply an access control policy to an asset, allowing you to set whether it's publicly accessible or restricted, and optionally schedule when those settings apply. You can manage this option programmatically or directly from the Media Library.

The rest of this section focuses on working with the `access_control` option.

> **READING**:
>
> :no-title
> The **access control mode** feature is a premium offering for **Assets Enterprise** plans, and its availability depends on your account setup. If **access control mode** isn't yet enabled for your account and you'd like to enable it, please contact your Customer Success Manager.

### Setting access control from the Media Library

If the **access control** option is enabled for your account or product environment, a DAM administrator can change any asset's access control mode between **Public** and **Restricted** directly from the Media Library.

Setting an asset as **Restricted** means that people can only view that asset outside the Media Library if they have both the asset URL and an authentication token (a special type of validation for ensuring that a person requesting a URL is allowed to access it). Downloads are also restricted if you've turned on the **Block restricted asset downloads** option in the [Asset Visibility](https://console.cloudinary.com/app/assets/media_library/preferences/asset-visibility) page of the Media Library Preferences. The restrictions apply except during an optional time-limited date range when the asset is defined as publicly accessible. 

If your users need to allow someone access to a restricted asset via a URL outside the time range that an asset is set as public, work with the developers on your team to generate and distribute the required authentication token. For more details on authentication tokens, see [Authenticated access to media assets](control_access_to_media#authenticated_access_to_media_assets). 

![Access control settings dialog box](https://res.cloudinary.com/demo/image/upload/r_20/f_auto/q_auto/co_black,e_outline:1/docs/access_control_settings.png "thumb: w_350,dpr_2, width:350, with_code:false, with_url:false, popup:true")
Time-limited restricted access can be useful: 

* **If you have an image or video that's intended for a special campaign** or that shows a new product design, and it's imperative that no one shares the asset outside the organization prior to an official launch date. 
* **If you no longer want the public** to be able to view or share an asset after the content is obsolete.
* **If you need to enforce asset expiration dates.** For more information, see [Asset expiration](#asset_expiration).

When working with the `access_control` option, you can change assets from public to restricted, and add or change the time-limited access dates or times without changing the asset's URL in any way. This means that your developers don't need to change the URLs in their code when the access settings for that asset change.

> **NOTE**: When Access Control is set as the [primary attribute](dam_admin_media_library_options#primary_attribute), enhanced visibility labels provide clearer information about time-restricted assets, including "Public now" status for expired time restrictions and hover-over details for access time windows.

**To view or modify access control settings**: 

* **For a single asset**, open the access control settings dialog box (shown above) by clicking the **Public**  or **Restricted**  access control button in one of the following locations:
  * The **Summary** tab of the Media Library Preview pane
  * The Asset Management [Summary](dam_manage_individual_assets#drill_down_tabs) tab

* **For multiple assets**, select the assets you want to update and choose **Set Access Control** from the (3-dots) option menu on the assets toolbar.
  > **NOTE**: You can update access control for up to 300 assets at a time, including any derived assets generated from the originally selected assets. Derived assets are generated when you apply transformations and then use the resulting variations outside the Media Library (open in a browser tab, download, deliver in a website or app, etc.).

* From the dialog box that opens, you can view or change the access control mode between public and restricted, or adjust the time-limited access for restricted assets. 

When updating multiple assets, you'll receive an email notification upon completion, including a list of assets that couldn't be updated, if there are any.

### Uploading with access control

To apply the same access control settings to a set of assets uploaded to the Media Library, configure one or more [upload preset(s)](dam_admin_upload_presets#general) with the desired restrictions. Set these presets as the default Media Library upload presets, and Cloudinary automatically applies the required access control settings to all uploaded assets. You can designate different upload presets for video, image, and raw files. 

If you don't set default Media Library upload presets, users can still apply restricted access control settings by uploading assets through the [Media Library Upload Widget](dam_upload_store_assets#media_library_upload_widget) and selecting the appropriate **Upload Preset**.
> **NOTE**:
>
> Depending on your product environment setup, the **Upload Presets** option may not be available in the **Advanced** options of the Media Library Upload Widget. If the option isn't there, you can submit a [support request](https://support.cloudinary.com/hc/en-us/requests/new) to activate it.

## Asset expiration

Managing asset expiration helps ensure outdated or licensed content isn't used beyond its intended timeframe. This is important for:

* Preventing accidental use of expired/licensed content, reducing legal risk.
* Keeping your DAM system clean by archiving or restricting outdated assets.
* Ensuring teams access only current, approved content.

As a basis for restricting expired assets, you can set [access control mode](#access_control_modes) to **Restricted** with a defined time range for being **Public**, label assets as **expired** using metadata fields, and move them to **Expired** folders. Cloudinary provides several tools to support these approaches, including:

* [EasyFlows](#automate_expiration_with_easyflows): Automate actions like restricting access, updating metadata, moving assets to folders, or sending expiration reminder emails based on metadata dates or folder activity.
* [Saved searches](#track_expirations_with_saved_searches): Track upcoming expirations by filtering on metadata dates. You can save and share these searches to keep teams aligned.
  
> **NOTE**:
>
> Once you've established a strategy for managing asset expiration, be sure to communicate it to your Media Library users. The success of the plan may depend on users entering valid metadata values (such as an expiration date) or following specific protocols, like when to change a **Status** metadata field value to **Expired**, or when to move assets to an **Expired** folder.

### Automate expiration with EasyFlows

For added flexibility, use EasyFlows to automate expiration-related actions based on changes in structured metadata, folder location, or other triggers.  

#### EasyFlows setup

1. Navigate to [MediaFlows](https://console.cloudinary.com/mediaflows) by selecting the MediaFlows icon from the left sidebar of your Console. Then, click **Create New** and select **EasyFlow**.
2. Select triggers and actions using the intuitive, real language instructions within the interface. You can follow the examples below.

> **NOTES**:
>
> * To use structured metadata for expiration, first create specific fields of the appropriate type, such as a `date` field labeled **Expiration date** or a `single select` field labeled **Visibility** with list values like **Visible** and **Hidden**. For more information about creating structured metadata fields, see [Structured metadata](dam_admin_structured_metadata).

> * To read the full EasyFlows documentation, see [Build an EasyFlow](mediaflows_easyflows).

#### Examples

Here are a few ways to trigger expiration workflows automatically using EasyFlows:

**Example 1: When an asset reaches its expiration date** 

When the value of a specified metadata field of type date, such as the **Expiration date** field, matches today’s date:

* Set the asset's access control to **Restricted**
* Move the asset to a restricted folder (e.g., **Expired assets**)
* Update the asset's structured metadata field value (e.g., **Status** = **Expired**)

![EasyFlows - when an expiration date arrives](https://cloudinary-res.cloudinary.com/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1744020228/docs/DAM/easyflows_expiration.png "thumb:c_scale,w_400,dpr_2.0, width: 400, popup:true")

> **TIP**:
>
> * If you set the **Expiration date** field as the [primary attribute](dam_admin_structured_metadata#setting_a_primary_attribute), each asset's expiration date is visually marked to users in all Media Library views.

> * Depending on your account setup, you can determine that **Restricted** access control also applies to downloading assets from the Media Library in the [Asset Visibility](https://console.cloudinary.com/console/media_library/preferences/asset-visibility) page of the Media Library Preferences.

**Example 2: When assets approach their expiration date**

When the value of the expiration field falls within a set time range, such as **2 Weeks**:

* Automatically send a summary email listing assets that are about to expire
* Customize the email content to notify the appropriate teams

![EasyFlows - when assets approach expiration](https://cloudinary-res.cloudinary.com/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1744206997/docs/DAM/asset_expiration_email.png "thumb:c_scale,w_400,dpr_2.0, width: 400, popup:true")

**Example 3: When an asset moves to a specific folder**

For example, when an asset moves to the **Expired assets** folder:

* Set access control to **Restricted**
* Update a structured metadata field value (e.g., **Status** = **Expired**)

![EasyFlows - when an asset moves to a certain folder](https://cloudinary-res.cloudinary.com/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1744021503/docs/DAM/easyflows_move_folder.png "thumb:c_scale,w_400,dpr_2.0, width: 400, popup:true")

### Track expirations with saved searches 

Users can create saved searches to help users easily keep track of assets that are about to expire. Saved searches provide a consistent, easy-to-access way to monitor time-sensitive assets without requiring users to manually rebuild search filters every time.

**Example:** Save a search called **Expiring soon** to display all assets expiring within 30 days:

1. Go to the **Assets** tab of the Media Library. **Advanced** should be selected by default.
2. Select the relevant structured metadata field (e.g., **Expiration date**) from the **More** dropdown. The field is added to the filters.
3. Click the structured metadata filter (e.g., **Expiration date**), select **Within the next**, and select the range (e.g., **60 days**).
4. Click **Save**. 
5. In the **Save Your Search** dialog box, you can select to **Invite teammates** if you want to make the saved search available to others.
6. If you have an **Assets Enterprise** plan, you can display the saved search on your Homepage and in the left navigation menu by clicking the star next to its name to mark it as a favorite. ![Saved search - expiring soon](https://res.cloudinary.com/cloudinary/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1/docs/DAM/saved_search_expiring_soon "thumb:c_scale,w_701,dpr_2.0, width: 701, popup:true")
7. Access your saved search anytime in the **Saved** drop-down list.

> **NOTES**:
>
> * To use structured metadata in a saved search, first create specific fields of the appropriate type, such as a `date` field labeled **Expiration date**.

> * For more information about saved searches, see [Saved searches](dam_advanced_search#saved_searches).

## Watermarks

Apply watermarks to your assets to help prevent unauthorized reuse and ensure branding or licensing requirements are visible.

There are a few ways to incorporate watermarks as part of your digital rights management strategy:

* **Transformation templates**: Apply watermark overlays using named transformations. You can define and reuse these templates in the Image Overlay tab in [Studio](https://console.cloudinary.com/console/media_library/studio) to ensure consistent application across assets. Here's an example of managing watermarks in Studio:![Studio - adding watermarks](https://cloudinary-res.cloudinary.com/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1708965354/studio_templates.png "thumb:c_scale,w_800,dpr_2.0, width: 800, popup:true")

For more information, see [Studio](dam_admin_asset_management#studio).

* **Collection webpages**: When sharing collection webpages, you can prevent downloads of original assets and apply watermark transformations to all displayed versions. Here's an example of a publicly shared collection webpage that only allows downloading watermarked assets:![Collection webpages - only allow downloading with watermarks](https://cloudinary-res.cloudinary.com/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1744027640/docs/DAM/shared_collections_watermark.png "thumb:c_scale,w_400,dpr_2.0, width: 400, popup:true")

For more information including how to set this up, see [Sharing collections externally via public links](dam_folders_collections_sharing#sharing_collections_externally_via_public_links).

* **Portals**: Use Portals to display only watermarked versions of assets, especially when asset protection is a priority for external sharing.To allow only watermarked asset downloads in your portal, select the **Allowed output format** that applies a watermark transformation template.**To set this up:**In the left navigation, expand **Settings** and select **Data sources**.Select **Asset access** for the relevant Cloudinary data source.Scroll down to the **Output formats** section and choose the format that applies the watermark.![Portals - only allowing watermarked asset downloads](https://cloudinary-res.cloudinary.com/image/upload/f_auto/q_auto/bo_1px_solid_grey/v1744028049/docs/DAM/portals_require_watermark_downloads.png "thumb:c_scale,w_700,dpr_2.0, width: 700, popup:true") 

For more information, see [Portals](dam_admin_portals).

## Roles and permissions

Controlling who can view, edit, or share assets is a core part of digital rights management. By assigning roles and setting folder-level permissions, you can ensure only the right people have access to the assets they need for their work—nothing more.

This helps:

* Prevent unauthorized access or changes to licensed or restricted assets

* Support team-specific workflows and content governance

* Reduce the risk of misuse or accidental distribution

For more information, see [User and group management](dam_admin_users_groups).

## Manage access to assets on your website programmatically

Cloudinary offers several options for protecting your assets at the delivery stage. For more information on how developers can manage digital rights when delivering media on your website, see [Media access methods](control_access_to_media).