Roles and permissions overview

This guide describes the Roles and Permissions system. For details on all roles available in the legacy system, see Role-based permissions.

Overview

Cloudinary roles help you control who can do what in your account and product environments. You can assign roles to principals (users, groups, or API keys) to give them the right level of access to features, settings, and content, such as folders and collections. For example, you might give your design team access to edit images in specific folders, while limiting your marketing team to view-only access.

You can customize roles with granular permissions to fit how your teams work, whether you're managing different brands, assigning access based on job functions, or organizing teams by region or department.

Who you can assign roles to

Principals are actors in your Cloudinary account and product environments that you can assign roles to.

They can be:

• Users: Named users with login access to the Console.
  Roles control which areas of the Console a user can access.
• Groups: Groups of users.
  Roles assigned to a group apply to all users within it.
• Product environment API keys: Used for programmatic access to a product environment.
  Roles determine the actions the key can perform via the Admin and Upload APIs.
• Account Management Keys: Used to perform account administrative tasks, e,g. user provisioning.
  Roles determine the actions the key can perform via the Provisioning and Permissions APIs.

Key role attributes

Cloudinary supports three types of roles: global, folder, and collection.

Each type of role is scoped to either the account or one or more product environments, and is relevant to a different set of principals:

• How to manage roles with granular permissions

• How to assign those roles

System and custom roles

Each role is either a system or custom role type:

• System roles are predefined by Cloudinary and include a fixed set of permissions. They support most common workflows, and are immediately ready for you to assign.
  For a full list of available system roles and what each one allows, see System roles and permissions.
• Custom roles let you define your own roles based on what your team needs. You choose which set of permissions to include in each role.

System roles can apply globally (at the account level or per product environment), to folders, and to collections.

You can create custom roles that apply globally and to folders.

Quick setup with access bundles

The easiest way to get started with role assignment is using access bundles, predefined combinations of roles designed for common user types. Each bundle translates into a set of roles applied at the appropriate level — account or product environment — across all product environments.

Access bundles are ideal for:

• Teams with straightforward access needs
• Quick onboarding without diving into granular role management
• Organizations with fewer users who don't need custom role configurations

Available access bundles include:

• Master Admin: Full account and product environment access
• Admin: Full access except account management and billing
• Technical Admin: Full access except user/account management and billing
• Billing: Billing and usage reports only
• Reports: Reporting access only
• Media Library Admin: Full Media Library management
• Media Library User: Controlled Media Library access

You can select an access bundle when inviting new users, or customize access by manually assigning specific roles.

Concept summary

This table brings together all the key concepts covered on this page:

Next steps

• Role management: Manage your roles in the Console and assign them to users, groups, and API keys.
• System roles and permissions: Learn which roles and permissions Cloudinary offers and what each one allows.