User and group management

There are many types of users who are a part of any Digital Asset Management workflow. You can set access and permission levels for each user to implement your governance policy for your data and assets.

When planning your governance policy, consider which processes or workflows are important to your business, which users need access to which assets, and what actions each user needs to perform.

Once you've analyzed your organization's governance needs, you can set access and permission levels for each user in the following ways:

  • User roles: When you define users in Cloudinary, you assign a role to each user. These roles control the areas of the Cloudinary console that a user can access or modify.

  • User groups: The majority of your creative team will probably work primarily in the Media Library. When you assign users to the Media Library user role, you can streamline your workflow by defining folder access permissions to user groups, which can be associated with many users, as opposed to defining those permissions for one Media Library user at a time.

  • Folder and collection permissions: Within the Media Library, folders and collections provide a layer of security for the assets they contain. You can grant users and user groups permissions to specific folders and collections at varying levels, from full management control to view-only access.

    Depending on their permission levels, users can then, in turn, share folders with other user groups or individual users, and invite teammates to collections, at varying levels of access permissions.

Important
Every user who accesses the Media Library requires a separate seat license.

Recommended workflow

It's important to carefully plan your setup so that your folder structure and the assets each folder contains correspond accurately with your users and groups and the folders they'll be able to access.

It's recommended to follow a process similar to the following:

User and folder structure setup workflow

First understand the steps in the workflow and plan your account setup as described, then implement the steps in the same order. Follow the links for more information on each topic:

  • Define user groups: Think about the different teams in your organization. For example, do you have Designers? Marketers? Content managers? Your groups should represent teams of users who need to access the same assets.
  • Create folder structure: One of the main considerations when creating a folder structure is who will get access to each folder and the assets within it. Keep in mind that permissions cascade from folder to subfolder, meaning that if you grant a certain level of access to a folder, you can't restrict that access from any of its sub-folders.

    Cloudinary's DAM provides an effective way to find your assets via powerful search capabilities and an advanced system for assigning metadata, so there's no need to design a deep folder structure to organize and categorize your assets. You can focus on using folders to set permission levels.

  • Add assets to folders: You've already planned who will get access to each folder. Add assets to the folders that will set the right access levels for them.
  • Share folders (and optionally collections) with user groups: For each folder, grant the permission level for each user group that you want to share it with.
  • Add and configure users: Consider each one of your users and assign roles and other permissions appropriate to their intended use of the Media Library:
    • Users with an Admin role: These users will always have full access to all folders and assets in the Media Library, so granting folder permissions doesn't apply to them.
    • Users with the Media Library user role: When you assign Media Library users to groups, the users automatically receive the groups' permission levels.

      If you do create a new user before setting up the folder structure, adding assets, and setting folder permissions for groups, that user may log into Cloudinary before receiving permission to view any content. In this case, the Media Library will appear completely empty for them.

  • Share folders (and optionally collections) with individual users: Grant folder permissions to individual Media Library users, if you have users who need permissions to folders that their groups don't have.

User group configuration

If you plan to create users with the Media Library user role, then it's recommended to first create all the user groups you expect to work with. For example, if you have different teams working on different product lines, you may want to ensure that only teammates from a particular product line can access folders related to those products or you may want to create a variety of dynamic collections to make it easy for relevant groups to find and view assets relevant to their tasks.

  • User groups can be assigned one of several access permission levels for each of the folders in your Media Library, and can separately be given varying permissions to work with each of the available collections. Consider the way you expect to sort your assets in folders and collections, and the different types of users who may be accessing those folders and collections, to determine the groups you will need. For more details, see Access control via folders and Access control via collections.
  • A user can belong to more than one group. In that case, if the permissions conflict between two groups, or between those for a group and those assigned to a specific user, then the higher level (less strict) permission will be applied.
  • You create and edit user groups in the Users tab of the account settings. You can also see the number of members in each group.

Access control via folder sharing and permissions

You can control access to assets by sharing folders (and thus their contents) with selected users or user groups at varying levels of access permissions, from full management control to view-only access. Conversely, you can prevent access to a folder's contents by not sharing that folder with a specific user or user group at all.

As an administrator, it's your responsibility to set up the folder structure and initially grant users permissions to the folders at the appropriate levels.

Keep in mind that, depending on the permission levels you've granted, users may, in turn, be able to share folders with other user groups or individual users at varying levels of access permissions. This means that additional users would receive permissions that you didn't grant to begin with.

Users with the following roles (and permissions) can also share folders:

  • Any of the admin roles
  • A Media Library user role with Can Manage permissions on the folder.

How to share folders

To share a folder, do one of the following:

  • Select Share from the options drop-down next to the current folder path at the top of the Media Library
  • Select Share from the kebab menu available in the Folders grid.

Folder permission levels

When you, or other Media Library users with the relevant permissions, share a folder, you can set one of the following permission levels (the level applies to the folder and all its sub-folders): Can view, Can contribute, Can edit, Can manage.

The table below summarizes the permissions available to each level:

Permission levels (table columns): Can View, Can Contribute, Can Edit, Can Manage

Permissions (table rows):

  • View assets
  • Download assets
  • Edit transformations [1] (via Edit Transformation page or directly in browser URL)
  • Comment on assets
  • Search (including Advanced Search) [2]
  • Upload assets
  • Create sub-folders
  • Overwrite existing on upload
  • Edit assets [3] (tags, custom metadata, rename, move to another folder)
  • Moderate assets [4]
  • Delete assets
  • Delete the folder
  • Share the folder

Footnotes

  1. Editing transformations does not have any impact on the original asset, but any new transformations that are generated are counted in the account's monthly transformations counts.
  2. Search results will include only assets where the user has at least Can view permissions.
  3. Users with Can Contribute permissions can use the Add tags option in the Media Library upload widget while uploading, but cannot add tags to existing assets.
  4. Media Library users with the Moderate asset administrator permission can access the Moderation page and moderate assets in folders that they have Can Edit or Can Manage permissions to. Media Library users will only be able to see the assets that they have permission to moderate from the moderation queue.

Folder sharing guidelines and best practices

When planning your folder sharing strategy, consider the following:

  • Sharing rights:
    • Users that have the Media Library user role with Can manage permissions for a folder can share that folder and its sub-folders. Users with lower level permissions cannot share a folder.
    • Any user in a role other than Media Library user, Reports, or Billing can access, share, and manage all folders and assets in the Media Library.
    • Only a user with the share permissions mentioned above can see which user groups a folder is shared with, and how many users are in each of those groups.
  • Sharing with multiple groups: You can share a folder with multiple users and user groups at the same or at different levels.

  • Permissions on subfolders:

    • When you share a folder at a certain level, that permission level cascades down to all subfolders under it.
    • You can increase the permission level for a particular user or group in a sub-folder of a folder they already have access to, but you cannot decrease their permission level.
      For this reason, it's recommended to minimize permissions given to Media Library users at high-level folders, and especially on the Home (root) folder.
    • Best practice: If you are setting up folder permissions for a new account where no assets are yet in production, it's recommended not to store assets directly in the Home folder, and to avoid sharing the Home folder with all or most Media Library users or user groups.
    • If you don't share a folder (nor any parent of that folder) with a particular user or group at all, those users will not be able to see that folder or the contents inside it. Even when performing a search on all folders, the results will only include folders where the user has at least view permissions.

      Similarly, if you don't share any folders with a particular user or user group, then those users won't have access to any assets in the Media Library.

      Exception: If assets from a particular folder are included in a collection, and that collection is shared with a user group or users who otherwise do not have access to that folder, those users will still be able to view and download (but not modify) the assets in that collection.

  • Multiple user groups and permission levels: If a user belongs to multiple groups, and the same folder is shared to each of those groups at different permission levels (which are higher than the permissions they may have received individually), then the highest of those permission levels applies to the user.
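
The cascade and highest-level-wins rules above, together with the collection exception, modeled as an added Python example (not Cloudinary code, and it calls no Cloudinary API). The principal prefixes, function names, and sample account are assumptions constructed for illustration; the level ordering follows the order in which this page lists the levels, and the model covers only users with the Media Library user role.

```python
# Added illustration: a local model of the folder-sharing rules described above.
# It calls no Cloudinary API; every name and value here is constructed.

LEVELS = ["Can view", "Can contribute", "Can edit", "Can manage"]  # lowest -> highest (assumed)
RANK = {name: i for i, name in enumerate(LEVELS)}


def principals(user, groups):
    """The user plus every group they belong to, as share-table keys."""
    return {f"user:{user}"} | {f"group:{g}" for g in groups.get(user, ())}


def ancestors(folder):
    """Yield the folder and each parent: Home/A/B -> Home/A/B, Home/A, Home."""
    parts = folder.split("/")
    for end in range(len(parts), 0, -1):
        yield "/".join(parts[:end])


def effective_level(user, folder, groups, shares):
    """Highest level granted to the user or any of their groups on the folder
    or any ancestor (levels cascade down and can be raised, never lowered)."""
    who = principals(user, groups)
    best = None
    for path in ancestors(folder):
        for principal, level in shares.get(path, {}).items():
            if principal in who and (best is None or RANK[level] > RANK[best]):
                best = level
    return best


def can_share_folder(user, folder, groups, shares):
    """A Media Library user needs Can manage on a folder to share it."""
    return effective_level(user, folder, groups, shares) == "Can manage"


def collection_exposures(groups, shares, collections):
    """List (user, collection, folder) where a collection invite lets a user view
    and download assets from a folder that is not shared with them at all."""
    findings = []
    for name, coll in collections.items():
        for user in groups:  # users without groups need an entry with an empty set
            if not principals(user, groups) & set(coll["invited"]):
                continue
            for folder in coll["asset_folders"]:
                if effective_level(user, folder, groups, shares) is None:
                    findings.append((user, name, folder))
    return sorted(findings)


# Constructed sample account (not real data).
GROUPS = {"alice": {"designers"}, "bob": {"designers", "marketing"}, "carol": {"agency"}}
SHARES = {
    "Home/Brand": {"group:designers": "Can view"},
    "Home/Brand/Logos": {"group:marketing": "Can edit", "user:alice": "Can manage"},
    "Home/Legal": {"group:marketing": "Can view"},
}
COLLECTIONS = {
    "Spring launch": {
        "asset_folders": ["Home/Brand/Logos", "Home/Legal"],
        "invited": {"group:agency": "Can view", "group:designers": "Can collaborate"},
    },
}

if __name__ == "__main__":
    for user in sorted(GROUPS):
        print(user, effective_level(user, "Home/Brand/Logos", GROUPS, SHARES))
    for finding in collection_exposures(GROUPS, SHARES, COLLECTIONS):
        print("exposed via collection:", finding)
```

Running the same check against an export of your own groups, folder shares, and collection invitations shows which users reach assets only through a collection, which is the case the exception above describes.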

Access control via collection sharing and permissions

Collections often represent a group of assets targeted for a particular purpose, and are a dynamic way to create conceptual groupings of assets, regardless of their folder structure. Collections provide a convenient way for users to collaborate with others either inside or outside of the organization regarding the compiled set of assets.

You can use collections to provide users access to assets in your account at different permission levels. A Media Library user that has access to assets by virtue of collection permissions only can never modify the original assets; minimum permissions to a collection include viewing and downloading.

Keep in mind that, depending on the permission levels you've granted, users may be able to share collections with other user groups or individual users at varying access levels, granting additional users permissions that you hadn't assigned to begin with, or create collections on their own. Media Library users may also be able to publish the collections, exposing assets externally.

  • Users in an admin role can create new collections, view and download, invite teammates to, and publish any collection in the account.

  • However, as an administrator, you can restrict Media Library users from performing some actions:

    • Media Library users can create their own collections only if you've assigned them Create collection permissions.
    • Media Library users can invite teammates and publish a collection only if both conditions are met:
      • You assign the user Share collection permissions.
      • The user is the creator of the collection, or you or another user with relevant permissions has granted them Can manage permissions on the collection they want to share.

Setting user permissions via collections

To share a collection internally, invite teammates (Media Library users or user group members) to it. Users can see the collection that they've been invited to and the collection creator's name in the main Collections view, as shown in View collections available to you.

To invite teammates to collections:

  1. Select Collections from the Navigation pane to open the main collection view.
  2. Open the Invite Teammates dialog box:

    • From the main Collection view, right-click or click the (3-dots) options menu of a collection and select Invite Teammates.
    • From the main Collection view, select a collection and click Invite teammates in the Preview pane. (If the Preview pane is closed, click the Open Preview button to display it.)

  3. Select the users and/or user groups you want to invite to your collection, as well as the permission level for each.

Collection permissions

When inviting teammates to collections, you, and Media Library users with relevant permissions, can set one of the following permission levels:
Can view, Can share, Can collaborate, Can manage.

The table below summarizes the permissions available to each level:

Permission levels (table columns): Can view, Can share, Can collaborate, Can manage

Permissions (table rows):

  • View assets in the collection [1]
  • Download assets in the collection
  • Invite teammates to a collection [2]
  • Publish a collection [2]
  • Add assets to the collection
  • Remove assets from collection
  • Rename the collection
  • Delete collection

Footnotes

  1. Anyone with Can view or higher permissions to a collection can view (but not otherwise modify) all assets in that collection, even if they don't have Can view permissions for the folders containing those assets.
  2. Even if a user group or Media Library user was invited to a collection at Can manage level permissions, the user must also have Share collection permissions (set by an account user administrator) in order to invite teammates or publish the collection.

Collection sharing guidelines and best practices

  • Depending on the user's permissions, Media Library users may be able to take actions that can affect your account in the following ways:

    • Viewing and downloading assets: Media Library users that are invited to collections can view and download assets in those collections, even if they don't have permission to access those assets via their folders.
    • Inviting teammates to collections: May expose assets in the collection to other users that couldn't access those assets originally.
    • Publishing the collection via a link to a generated web page: Exposes assets in the collection externally.
    • Creating a collection: May expose assets in the new collection to internal users that couldn't access those assets originally, as well as to external stakeholders, if the new collection is then shared.
    • Adding assets to collections: Potentially exposes assets that you might not want to expose.

      For example, if assets from a particular folder are added to a collection, and that collection is shared with a user group or users who otherwise can't access that folder, those users will still be able to view and download (but not modify) the assets in that collection.

    • Removing assets from collections and deleting collections: Assets may become unexpectedly unavailable to internal or external stakeholders.

      For example, if a user deletes a collection that was included as part of a Media Portal, the collection will no longer be available to external stakeholders via the portal.

  • You can restrict a Media Library user's ability to Create collections and/or Share collections internally and externally when you configure the user.

User configuration

The Users tab of the account settings (which you can navigate to by clicking the gear icon) includes your personal user profile details and email preferences. You, and account users with any role, can update personal information here.

As a user with a Master admin or Admin role, you can also configure settings that impact all account users as well as the option to add or modify individual users and permissions:

Managing users

You can define and update account users in one of the following ways:

Tip
Regardless of which method you use to define (provision) the users in your account, you can optionally enable users to log in with an SSO provider by providing your provider's SAML details, as described in SAML/SSO login.

To create and manage users manually, scroll down to the Users heading in the Users page of the account settings. Click Add new user or click an existing user's name to edit configuration for an existing user.

For each user, you can set:

  • First and Last name: The user sees their name below your cloud name when they log into the console.
  • E-mail: After creating a new user, that user will receive an email to this address to confirm their account. This email address is also used for logging in to Cloudinary.
  • Role: Controls which areas the user can access and which operations they can perform in those areas. For details, see Role-based permissions below.
  • Sub-account access: If your account includes one or more sub-accounts, you can define which sub-accounts each user can access. Users with the Master admin role always get full control in all sub-accounts. Therefore, this option is displayed only when you select a role other than Master admin. By default, users are given access (at the same role level) to all sub-accounts. Clear the check box to select which sub-accounts (if any) the user should have access to.

    Additional options for users with the Media Library user role:
  • User Groups: User groups are relevant only for users with the Media Library user role, so this option is displayed only when a Media Library user is selected. This section displays all User Groups that have already been defined. For details, see User group configuration.
  • User Permissions: User permissions are relevant only for users with the Media Library user role, so this option is displayed only when a Media Library user is selected. This section includes the following permissions:
    • Create collection: Enables a Media Library user to create collections.
    • Share collection: Enables a Media Library user with Owner, Can share or Can manage permissions on a collection to share that collection both internally and externally.
      Note
      Without these permissions, a Media Library user can still view or contribute to collections shared with them, but they can't create collections or share collections with others, even if they are assigned Owner level permissions for a collection.
    • Moderate asset: Enables the Media Library user to moderate assets in any folder that they have Can Edit or Can Manage permissions to.
      Note
      To enable Media Library users to access the moderation queue, contact support.

Tip
Regardless of which method you use to define the users in your account, you can optionally enable SAML login, as described in User settings below.

Role-based permissions

Each user in your Cloudinary account is assigned a role. This role defines the operations a user can perform on your account, the areas of the Cloudinary console that they can view or change, and the settings they can control.

Below is a table summarizing the permission details for each role:

Table summarizing all role-based permissions

Notes

  • If you do not add a Media Library user to any groups and/or if no folders are shared with those groups or directly with that user, the user will not see any content in the Media Library.
  • The Media Library user role replaces the now obsolete 'Contributor' and 'Viewer' roles. For users who were assigned these roles, Cloudinary has made the following adjustments to ensure that the access permissions these users previously had remained unchanged:
    • Users in either of these roles have been automatically migrated to the Media Library user role.
    • Viewer and Contributor user groups were automatically created for your account and these users were added to the relevant group.
    • The Home folder has been shared with these two user groups at the corresponding level (Can view or Can contribute). For more details, see Folder sharing and permissions.

SAML/SSO login

Find the option to activate SAML (SSO) login in the Users tab of the account settings:

SAML login: This option enables the Cloudinary account administrator to activate SAML (SSO) login. This can enable users in your organization to log in using the same authentication system that they use for other SSO-supported applications. If you activate this option, you can globally select whether to Enforce SAML login or to allow users to choose whether to log in either via the SSO application or via the Cloudinary console login window. If you choose the latter ('Enforce' is disabled), then when creating new users, you can optionally select Send invitation email for that user. When selected, that user receives an email inviting them to create a console password.

Notes

  • If you also use the SAML Provisioning feature, make sure the Two factor authentication user setting (2FA) is Disabled. You can configure two-factor authentication through your IdP, if required.
  • The Two factor authentication (2FA) user setting is ignored when using SAML login to log in to Cloudinary, as the SSO IdP is trusted.
  • Even if you set Enforce SAML login to Enabled, any user created with the Master admin role will automatically get an invitation to set a console password and will be able to log in directly to the console, if needed.
