User and group management
Last updated: Apr-20-2026
There are many types of users who play a part in any Assets (Digital Asset Management) workflow, each requiring access to different parts of the system.
You can control access and permissions for your users in the following ways:
- User roles: Determine what users can access and do in the Cloudinary Console and product environments.
- User groups: Organize users into groups to manage shared permissions efficiently, rather than configuring access for each user individually. For more details, see User group configuration.
- Folder and collection permissions: Control which users and groups can access specific folders and collections, and what actions they can perform on their contents. See Access permissions via folder sharing and Access control via collections.
- Every user who accesses the Console requires a separate seat license.
- Users and user groups are configured on the account level, so you can manage them from within any of your product environments.
Check out the Introduction to Cloudinary Assets pathway in the Cloudinary Academy for free self-paced courses on DAM topics.
Roles and Permissions vs. legacy
- Enterprise accounts: Broad Enterprise migration hasn't started yet. If your team hasn't already been moved with Cloudinary's help, you're still on the legacy system.
- Existing free and paid accounts: Migration starts May 12, 2026.
- New free accounts (created since February 2026): You may already have the new system.
You can confirm which permissions system you have. Open Console Settings and look for Role Management. If it's listed, your account is on Roles and Permissions. If it isn't listed, you're still on the legacy permissions model.
The migration is one-way: accounts can't revert to the legacy system.
- For an in-depth description of Roles and Permissions, see Roles and permissions overview.
- For details on all roles available in the legacy system, see Role-based permissions.
The Roles and Permissions system provides more granular, flexible access control than the legacy system. Rather than a single role governing overall Console access, roles are defined at the account, product environment, and content (folder and collection) level, each consisting of specific permissions scoped to individual actions. You can assign roles to users and groups for Console access, and to API keys for programmatic access.
If your account is being migrated, see Migrating to Roles and Permissions to understand the changes, including how your existing roles map to the new system. This table provides a quick comparison:
| | Roles and Permissions | Legacy |
|---|---|---|
| Roles | All plans: Predefined system roles covering common access levels (Master Admin to Media Library User), assigned at the account or product environment level. Enterprise: Custom roles built from individual permissions for precise, fine-grained control. For example, a role that allows uploading and editing metadata, but not managing Console settings or transformations. | Fixed set of roles controlling which areas of the Console a user can access. See Role-based permissions (legacy). |
| Role assignment | Multiple roles can be assigned to a user, group, or API key, allowing precise combinations of access. For example, a user can hold both the Distributor collection role (to share externally) and the Manager collection role (to remove assets or delete the collection). | Each user is assigned a single role that defines their overall access level. |
| User groups | Members inherit all role types assigned to the group, including global (account and product environment) and content (folder and collection) roles. | Groups carry folder and collection access permissions only. Roles must be assigned to each user individually. |
| Access bundles | Pairs an account-level and product environment-level system role for quick user setup when inviting new users. See access bundles. | Not applicable. Each role defines its own fixed scope: some cover both account and product environment access (such as Master admin), others are product environment-only (such as Media Library user). |
| Folder and collection access | Shared from the Media Library, as in the legacy system. All plans: Predefined system content roles, backwards compatible with legacy permission levels. Enterprise: Custom content roles built from granular folder and collection permissions to fit your exact needs. For example, view-only access to one folder, but upload rights in another. | Managed by sharing folders and collections directly with Media Library user role members and groups from the Media Library. See folder sharing and collection sharing. |
Recommended workflow
It's important to carefully plan your setup so that your folder structure and the assets each folder contains correspond accurately with your users, groups, and the roles and permissions they'll have.
It's recommended to follow a process similar to the following:
Plan your Assets setup as described, then implement the steps in the same order. Follow the links for more information on each topic:
- Define user groups: Think about the different teams in your organization — Designers, Marketers, Content managers, and so on. Groups should represent teams of users who need to access the same assets.
- (Roles and Permissions) Plan and create roles: Review the available system roles and decide which apply to each group and user type. Enterprise customers can also create custom global and content roles in Role Management to match their specific access requirements.
- (Roles and Permissions) Assign global roles to user groups: In the Groups tab of User Management, assign system roles or custom roles to each user group to define their account-level and product environment-level access.
- Add and configure users: Create user accounts and assign each user the appropriate groups and roles.
- Create folder structure: One of the main considerations when creating a folder structure is who gets access to each folder and the assets within it. Keep in mind that permissions cascade from folder to subfolder: if you grant access to a folder, you can't restrict it for any of its subfolders. The Cloudinary Assets product provides powerful search and metadata capabilities, so there's no need to design a deep folder structure for organization. You can focus on using folders to define access levels.
  Note: Keep in mind that folder-based access control is only meaningful for non-admin users without full product environment access.
- Add assets to folders: Add assets to the folders that reflect the right access levels for them.
- Share folders (and optionally collections) with user groups and individual users: For each folder, grant the appropriate permission level to each user group that needs access.
User group configuration
User groups let you manage permissions for many users at once. Instead of configuring access user by user, you assign permissions to a group and all members inherit them automatically. You can assign a user to a group when inviting them, rather than assigning roles directly to the individual.
The role of groups differs between the two permissions systems:
- Roles and Permissions: Groups can be assigned global roles, including system roles (all plans) or custom roles (Enterprise only). All group members inherit these roles, making groups the most efficient way to manage access at scale. Groups can also be assigned folder and collection content roles.
- Legacy permissions: Groups are primarily used to manage folder and collection access for users with the Media Library user role. You can assign a group one of several permission levels for each folder and collection, rather than configuring access for each Media Library user individually.
Additional details that apply to both systems:
- A user can belong to more than one group. If permissions conflict between two groups, or between a group and permissions assigned directly to a user, the higher (less strict) permission applies.
- In the User Management page of Console Settings, you can create and delete user groups, view the number of members in each group, and edit group details. While editing, you can rename groups, view member lists, search for members by name or email, and add or remove members.
For details on granting groups access to folders and collections, see Access permissions via folder sharing and Access control via collections.
In Roles and Permissions, for instructions on creating groups, assigning global roles to groups, and managing group membership, see Create and manage groups.
User configuration
The My Profile page of Console Settings includes your personal profile details, email preferences, and two-factor authentication setup. Any user can update their personal information here.
To configure settings for all account users (adding, modifying, or removing users), you need user management permissions. In Roles and Permissions, the Master Admin and Admin system roles include this by default; Enterprise customers can also grant it via custom roles. In the legacy system, the Master admin or Admin role is required.
- You can view and manage all account users, including adding users, removing users, changing their roles, and more.
- You can activate SAML login for your organization from the Account Security page of the Console Settings.
Root user
The Root User is automatically created in a Cloudinary account as the first user and holds permanent, full administrative access. This user is essential to account management, is clearly marked in the interface, and is the only user who can cancel the account. The Root User is subject to the following restrictions:
- Can't be deleted, disabled, force-logged out, or have its password revoked
- Can't be assigned to roles
- Is always assigned to all product environments
Having a root user ensures there is always a reliable point of authority with full access to manage and maintain the account.
Managing users
You can add up to five users at a time via the Console, or provision users programmatically:
- Console: Use the Invite New Users Console option or the Invite button on the User Management page in Console Settings.
- SAML provisioning: Automatically provision users through any SAML-compliant identity provider. See SAML/SSO login.
- Provisioning API: Add and manage users programmatically at scale. See Provisioning API.
Each new user logs in with their email address and receives a confirmation email when their account is created.
In Roles and Permissions, for full instructions on inviting users, assigning roles, and managing groups, see Manage and assign roles.
In the legacy permissions system, see Adding and updating users (legacy) below for role assignment, product environment access, and Media Library user options.
Adding and updating users (legacy)
For each new user, assign a Role to control which areas they can access and which operations they can perform. For details, see Role-based permissions (legacy).
The following permission levels apply to all new users with common roles. If you want your new users to have different permissions or levels of access, you need to complete a separate form for each:
- Product environment access: If your account includes more than one product environment, you can define which product environments the new users can access.
  - Users with the Master admin role always get full control in all product environments, so this option is displayed only when you're adding at least one user with a role other than Master admin.
  - By default, users are granted access (at the same role level) to all product environments, even if your account has more than 30. If you'd prefer to limit access, clear the checkbox to manually select up to 30 product environments.

Additional options for users with the Media Library user role:
- User groups: Assign the new user to one or more groups to inherit their folder and collection access permissions. For details, see User group configuration.
- User permissions: Displayed as toggles when adding users with the Media Library user role. These apply to all new Media Library users you're adding:
  - Create collection: Enables a Media Library user to create non-dynamic collections.
  - Share collection: Enables a Media Library user with Owner, Can share or Can manage permissions on a non-dynamic collection to share that collection both internally and externally.
    Note: Without these permissions, a Media Library user can still view or contribute to collections shared with them, but they can't create collections or share collections with others, even if they are assigned Owner level permissions for a collection.
    These permissions allow Media Library users to create and share only non-dynamic collections to help protect against unintended asset exposure. For more information about dynamic collections, see Dynamic collections.
  - Show delivery URL: Allows a Media Library user with Can edit or Can manage folder permissions to edit the asset's public ID. It also sets the main action on the card to Copy Delivery URL, which users can change individually.
    Note: Depending on your setup, the Show delivery URL permission might not be available in your product environment. If it's not, Media Library users will be able to edit the public ID with only Can edit or Can manage permissions on the folder. To add this permission and control public ID editing, contact support.
  - Moderate asset: Enables the Media Library user to moderate assets in any folder that they have Can Edit or Can Manage permissions to.
    Note: To enable Media Library users to access the moderation queue, contact support.
  - Create proof: Enables Media Library users to start a new proof and manage proofs they created. This permission is available only for Enterprise plans with the creative approval premium feature enabled. For more information, see Manage Creative Approval proofs.
| Standalone role | What it enables | Legacy toggle |
|---|---|---|
| Collection Creator | Create non-dynamic collections | Create collection |
| Delivery URL Viewer | Edit an asset's public ID; sets the card's main action to Copy Delivery URL | Show delivery URL |
| Moderator | Moderate assets in the product environment | Moderate asset |
| Proof Manager | Start and manage proofs (Enterprise only, requires the creative approval feature) | Create proof |
Sharing collections is no longer a standalone toggle; it's handled by the Distributor collection role, which enables both internal and external collection sharing for a specific collection.
Updating users
You can update a user's details, including name, email, and group assignments, from the User Management page in Console Settings. To assign product environments, click the entry in the Product Environment column. You can assign a user access to all product environments, or manually select up to 30 specific ones.
In Roles and Permissions, the Edit Details option in the (3-dots) option menu for the user allows you to edit basic details such as email, first name, last name, and groups. Manage user roles via the Assign Roles option. See Assign global roles to existing users.
In the legacy permissions system, the Edit form lets you update a user's details as well as role and permissions in one place. Note that if a user is a Master admin, the Product Environment value is All (full access) and can't be changed without first changing the user's role.
Resetting user passwords
You can initiate a password reset for an individual user to ensure account security.
To initiate a password reset, select Reset Password from the kebab menu at the end of a specific user's row in the User Management page within your Console Settings. This action:
- Immediately terminates the user's active session.
- Invalidates the old password, rendering it unusable for login. The user must set a new password to regain access.
- Triggers an email containing a link that allows the user to set a new password. Alternatively, users can initiate the password reset process themselves by clicking on the Forgot your password link on the login page.
Users undergoing a password reset are marked with a specific status in the User Management table, clearly indicating that they are in the process of changing their password. This makes it easy to identify and manage such users.
Force immediate logout
You can initiate a force logout for an individual user to ensure account security. This feature is particularly helpful when you prefer not to require a password reset, or for users logged in via Google, GitHub, or SAML, who lack passwords, making it impossible to link session termination with a password reset.
To force a user to log out, select Force Logout from the kebab menu at the end of a specific user's row in the User Management page within your Console Settings. This action terminates the user's active session within ten minutes.
Deleting users
To delete a user, select Delete from the kebab menu at the end of a specific user's row in the User Management page within your Console Settings.
When a user leaves your organization and needs to be removed from your system, certain information about them must still be retained. This includes details like the collections they created and the assets they uploaded.
To address those needs, user deletion is handled in the following ways:
- The deleted user's status is changed to Inactive. This status is permanent, and the user can't be reactivated.
- Throughout the user interface, a label indicating Inactive is displayed wherever the deleted user is mentioned.
- Deleted users no longer count against your account's user quota.
- You have the option to reuse the deleted user's email and assign it to a completely new user.
- In the Activity Reports, actions performed by a deleted user are still attributed to them.
- Collections the deleted user created, assets they uploaded or replaced, and comments they made are still attributed to them.
- In the Assets, Collections and Moderation views, it's still possible to filter content by a deleted user.
Managing additional user subscriptions
You can see the maximum number of users that you're eligible for via your base plan in the panel on the right side of your Account Settings page of the Cloudinary Console. If you need to increase your user limit, you can upgrade your plan by clicking the Change Plan button.
Alternatively, you can purchase additional user subscriptions over and above your plan's limit. If you've reached the maximum number of users allowed for your plan, a banner will appear in the User Management page within your Console Settings. Click the Change user limit link displayed in the banner. You can extend your limit by up to 20 additional user subscriptions, with no need to switch plans.
Afterwards, you can increase or decrease the number of additional user subscriptions on your account anytime.
For additional help, or to add more than 20 additional users, contact support.
Access permissions to assets via folder sharing
Share folders with users or user groups to control access to their contents, from full management to view-only. As an administrator, set up your folder structure first, then grant users access at the appropriate permission levels.
For non-admin users, the two systems differ:
- Legacy permissions system: Folder sharing only grants meaningful access to users with the Media Library User role.
- Roles and Permissions: Folder roles (Viewer, Contributor, Editor, Manager) can be assigned to non-admin users regardless of their primary global role.
  Enterprise customers can also use custom global roles to grant permissions across all folders, eliminating the need for individual folder sharing.
Depending on the permissions you grant, users may be able to re-share folders with others, extending access beyond your original assignments. Users who can share folders include:
- In Roles and Permissions: Users with any of the following:
  - Any admin system product environment-level role (Master Admin, Admin, Tech Admin, or Media Library Admin)
  - The Manager system folder role for the specific folder
  - For Enterprise customers, a custom folder role with the Share with users/groups permission, or a custom role with the Share all folders global permission
- In the legacy permissions system: Users with any admin role, or users with the Media Library user role and Can Manage permissions on the folder.
How to share folders
To share one or more folders:
- Select one or multiple folders using one of the following methods:
- Select the users and/or user groups you want to share the folder(s) with, as well as the permission level for each.
  An email notification is automatically sent to anyone you've shared with who hasn't opted out of receiving emails in the My Profile page of the Console Settings.
- Make changes using the Share dialog box:

To adjust or remove access levels for users who already have access:
- Do one of the following:
- Make changes using the Access Details dialog box:
Folder permission levels
The permission levels available when sharing a folder depend on your permissions system:
In Roles and Permissions
Folder access is controlled by folder roles, including the Viewer, Distributor, Contributor, Editor, and Manager system roles. Each role maps to a specific set of folder permissions. See Folder roles for the full breakdown.
Enterprise customers create custom folder roles with the specific permissions they need.
For details on which actions are available at each folder permission level, see Folder permissions by role.
In the legacy permissions system
When you share a folder, you can set one of the following permission levels (applies to the folder and all its sub-folders): Can view, Can contribute, Can edit, Can manage.
The table below summarizes the actions available at each legacy folder permission level.
| | Can View | Can Contribute | Can Edit | Can Manage |
|---|---|---|---|---|
| View assets | ✔ | ✔ | ✔ | ✔ |
| View who else has access | ✔ | ✔ | ✔ | ✔ |
| Download assets | ✔ | ✔ | ✔ | ✔ |
| Edit transformations¹ (via Edit Transformation page or directly in browser URL) | ✔ | ✔ | ✔ | ✔ |
| Comment on assets | ✔ | ✔ | ✔ | ✔ |
| Search (including Advanced Search)² | ✔ | ✔ | ✔ | ✔ |
| View version history | ✔ | ✔ | ✔ | ✔ |
| Upload assets | | ✔ | ✔ | ✔ |
| Create sub-folders | | ✔ | ✔ | ✔ |
| Overwrite existing on upload | | | ✔ | ✔ |
| Edit assets³ (including original asset, tags, structured and contextual metadata, rename, move to another folder) | | | ✔ | ✔ |
| Restore previous versions | | | ✔ | ✔ |
| Moderate assets⁴ | | | ✔ | ✔ |
| Delete assets | | | | ✔ |
| Delete the folder | | | | ✔ |
| Share the folder | | | | ✔ |

1. Editing transformations doesn't have any impact on the original asset, but any new transformations that are generated are counted against your monthly transformation quota.
2. Search results include only assets in folders where the user has at least Can view access.
3. Users with Can contribute access or higher can use the Add a tag option in the Media Library upload widget while uploading, and, depending on admin preferences, may be prompted to fill in metadata fields before uploading. However, Can edit permissions or higher are needed to add tags to existing assets.
4. Media Library users with the Moderate asset administrator permission can access the Moderation page and moderate assets in folders where they have Can Edit or Can Manage access. Users will only see assets they have permission to moderate from the moderation queue.
Folder sharing guidelines and best practices
When planning your folder sharing strategy, consider the following:
- Sharing rights:
  - Users can share a folder only if they have share-level permissions on it. Users with lower-level permissions cannot share a folder.
    - Legacy: Users with Can Manage permissions on the folder.
    - Roles and Permissions: Users with the Manager folder role, or a custom folder role that includes the Share with users/groups permission.
  - Only users with share permissions can see which user groups a folder is shared with, and how many users are in each of those groups.
- Sharing with multiple groups: You can share a folder with multiple users and user groups at the same or at different levels.
- Permissions on subfolders:
  - When you share a folder at a certain level, that permission level cascades down to all subfolders under it.
  - You can increase the permission level for a particular user or group in a sub-folder of a folder they already have access to, but you can't decrease their permission level.
    For this reason, it's recommended to minimize folder access granted to users at high-level folders, and especially on the Home (root) folder.
  - Best practice: If you're setting up folder permissions for a new product environment where no assets are yet in production, it's recommended not to store assets directly in the Home (root) folder, and to avoid sharing the Home folder with all or most users or user groups.
  - If you don't share a folder (nor any parent of that folder) with a particular user or group at all, those users won't be able to see that folder or the contents inside it. Even when performing a search on all folders, the results include only folders where the user has at least view permissions. Similarly, if you don't share any folders with a particular user or user group, then those users won't have access to any assets in the Media Library. Exception: If assets from a particular folder are also part of a collection, and a user group or users who otherwise don't have access to that folder receive an invite to that collection, those users are still able to view and download (but not modify) the assets in that collection.
- Multiple user groups and permission levels: If a user belongs to multiple groups, and each of those groups has the folder shared with it at different permission levels (which are higher than the permissions they may have received individually), then the highest of those permission levels applies to the user.
Access control via collection sharing and permissions
Collections are a dynamic way to group assets regardless of folder structure, making it easy to collaborate with others inside or outside your organization. You can grant access to collections at varying permission levels. Users with access only through collection roles can view and download assets but can't modify the originals.
For non-admin users, the two systems differ:
- Legacy permissions system: Inviting a user to a collection only grants meaningful access to users with the Media Library User role.
- Roles and Permissions: Collection roles (Viewer, Distributor, Collaborator, Manager) can be assigned to non-admin users regardless of their primary global role.
  For Enterprise customers, users with custom global roles that cover all collections don't need individual sharing. Those whose global roles don't cover all collections do benefit from it.
Depending on the access you've granted, users may be able to share collections with others at equal or lower permission levels, or create collections on their own. Users with sharing permissions can also share collections externally via public links.
In Roles and Permissions, collection access is controlled by collection roles, including the Viewer, Collaborator, Distributor, and Manager system roles. Enterprise customers can also create custom collection roles from the available collection permissions.
- Multiple roles: Unlike legacy, you can assign multiple collection roles to the same user. For example, assign both Distributor (external sharing) and Manager (to remove assets, delete the collection, or download restricted assets), since neither covers all of those actions alone.
- Create: Requires the Collection Creator standalone global role. Users with the Media Library User system role who aren't assigned this role can't create collections.
- Share internally: Requires the Distributor or Manager role. Users can only grant permissions equal to or lower than their own.
- Share externally: Requires the Distributor role only. Manager does not include external sharing.
In the legacy permissions system, you control what users can do by assigning specific permissions:
- Create: Requires the Create collection administrator permission.
- Invite teammates and publish: Requires Share collection permission, AND the user must be the collection creator or have Can manage collection permissions on the collection.
- For more information on what users can do with collections, see Collection management.
- For instructions on how to create and add assets to collections, see Create and add assets to collections.
Setting user permissions via collections
To share a collection internally, invite teammates (users or user group members) to it. Along with initially inviting teammates to collections, you can later adjust or remove access levels for users who were already invited.
Your teammates can see the collection that they've been invited to and the collection creator's name in the main Collections view, as shown in View collections available to you.
To invite teammates to collections:
- Open the Invite Teammates dialog box:
  - From the main Collection view, right-click or click the (3-dots) options menu of a collection and select Invite.
  - From the main Collection view, select a collection and click Invite teammates in the Preview pane. (If the Preview pane is closed, click the Open Preview Pane toggle button to display it.)
  - When viewing the contents of a collection, click the Share drop-down button and select Invite.
- Select the users and/or user groups you want to invite to your collection, as well as the permission level for each.
  An email notification is automatically sent to all the invitees who haven't opted out of receiving emails in the My Profile page of the Console Settings.
To adjust or remove access levels for users who were already invited:
- Open the Access Details dialog box by clicking Access Details from the Invite Teammates dialog box or from the collection's Preview Pane.
- Click the pencil edit icon next to the permissions you'd like to change and delete or switch permissions.
Collection permissions
The permission levels available when inviting teammates to a collection depend on your permissions system:
In Roles and Permissions
Collection access is controlled by collection roles, including the Viewer, Collaborator, Distributor, and Manager system roles. See Collection roles for the full breakdown.
Enterprise customers create custom collection roles with the specific permissions they need.
In the legacy permissions system
When inviting teammates to collections, you can set one of the following permission levels: Can view, Can share, Can collaborate, Can manage.
The table below summarizes the permissions available to each level:
| | Can view | Can share | Can collaborate | Can manage |
|---|---|---|---|---|
| View assets in the collection¹ | ✔ | ✔ | ✔ | ✔ |
| Download assets in the collection | ✔ | ✔ | ✔ | ✔ |
| View who else has access | ✔ | ✔ | ✔ | ✔ |
| Invite teammates to a collection² | | ✔ | | ✔ |
| Publish a collection² | | ✔ | | ✔ |
| Add assets to the collection | | | ✔ | ✔ |
| Remove assets from collection | | | | ✔ |
| Rename the collection | | | | ✔ |
| Delete collection | | | | ✔ |

1. Anyone with Can view or higher permissions to a collection can view (but not otherwise modify) all assets in that collection, even if they don't have Can view permissions for the folders containing those assets.
2. Even if a user group or Media Library user was invited to a collection at Can manage level permissions, the user must also have Share collection permissions (set by an administrator) in order to invite teammates or publish the collection.
Collection sharing guidelines and best practices
Depending on the permissions you grant users via folder and collection roles, users may be able to take actions that affect asset access in the following ways. Be mindful of which permissions you assign.
- Viewing and downloading assets: Users that receive invites to collections can view and download assets in those collections, even if they don't have permission to access those assets via their folders.
- Inviting teammates to collections: May expose assets in the collection to other users that couldn't access those assets originally.
- Publishing the collection via a link to a generated web page: Exposes assets in the collection externally.
- Creating a collection: May expose assets in the new collection to internal users that couldn't access those assets originally, as well as to external stakeholders, if the new collection is then shared.
- Adding assets to collections: Potentially exposes assets that you might not want to expose. For example, if assets from a particular folder are part of a collection, and a user group or users who otherwise can't access that folder receive an invite to that collection, those users are still able to view and download (but not modify) the assets in that collection.
- Removing assets from collections and deleting collections: Assets may become unexpectedly unavailable to internal or external stakeholders. For example, if a user deletes a collection that's part of a Media Portal, the collection is no longer available to external stakeholders via the portal.
In the legacy permissions system only: The Create collections and Share collections checkboxes (set when you configure the user) act as overrides. Without them, a Media Library user can't create collections or share them with others, even if they have Can manage permissions on a collection. With them, users with Can share or Can manage permissions can share collections both internally and externally.
In Roles and Permissions, these capabilities are handled by standalone global roles (Collection Creator for creating, Distributor/Manager collection roles for sharing), which can be assigned to any user via Role Management.
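The access-widening effects listed above, together with the legacy Share collections override, can be checked against an export of your own permission data. This is an added example, not Cloudinary code: it calls no Cloudinary API, and the data model (`FOLDER_ACCESS`, `ASSETS`, `COLLECTIONS`, `SHARE_COLLECTIONS`), the function names and the sample values are all constructed assumptions.

```python
# Constructed sample data; every name here is hypothetical and no Cloudinary API is called.
FOLDER_ACCESS = {            # folder -> users who can view it through folder sharing
    "brand/approved": {"ana", "ben", "chen"},
    "legal/contracts": {"ana"},
}
ASSETS = {                   # asset -> folder that contains it
    "logo.png": "brand/approved",
    "nda-draft.pdf": "legal/contracts",
}
COLLECTIONS = {
    "spring-campaign": {
        "assets": {"logo.png", "nda-draft.pdf"},
        "members": {"ana": "Can manage", "ben": "Can share", "chen": "Can view"},
        "published": True,
    },
}
SHARE_COLLECTIONS = {"ana"}  # users with the legacy Share collections checkbox set
SHARING_LEVELS = {"Can share", "Can manage"}


def can_share(user, collection):
    """Legacy rule: a sharing-capable collection level is not enough on its own;
    the user's Share collections override must also be set."""
    level = COLLECTIONS[collection]["members"].get(user)
    return level in SHARING_LEVELS and user in SHARE_COLLECTIONS


def widened_access(collection):
    """Return (user, asset) pairs where collection membership lets a user view
    and download an asset whose folder is not shared with them."""
    coll = COLLECTIONS[collection]
    findings = []
    for user in sorted(coll["members"]):   # every collection level includes view and download
        for asset in sorted(coll["assets"]):
            if user not in FOLDER_ACCESS[ASSETS[asset]]:
                findings.append((user, asset))
    return findings


def externally_exposed(collection):
    """Assets reachable by external stakeholders because the collection is published."""
    coll = COLLECTIONS[collection]
    return sorted(coll["assets"]) if coll["published"] else []


if __name__ == "__main__":
    for user, asset in widened_access("spring-campaign"):
        print(f"{user} can view/download {asset} only through the collection")
    print("externally exposed:", externally_exposed("spring-campaign"))
```

Run a check like this before adding assets to a collection or inviting a group, so that folder-restricted assets are reviewed before they become visible through the collection.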
Role-based permissions (legacy permissions system)
Each user in your Cloudinary account is assigned a role. This role defines the operations a user can perform, the areas of the Cloudinary Console that they can view or change, and the settings they can control.
Whereas Master admins have access to all product environments, users with other roles can be set to have access to all or only specified product environments. Users have the same role in all product environments they have access to.
Below are tables summarizing the permission details for each role, divided by Console areas:
- The Assets digital asset management product
- Account and product environment Console Settings
Permissions for the Assets digital asset management product
1 In the Assets Free plan, the Getting Started page isn't available.
2 The Dashboard is unavailable in the Assets Free plan. For more options and information, contact us.
3 The Activity Reports feature is a premium offering for Assets Enterprise plans, and its availability depends on your account setup. The feature is unavailable in the Assets Free plan. For more information, see Assets activity reports.
4 In the Assets Free plan, you can access the Transformations page only via the Manage Transformations option in the Image product.
Additional Assets role considerations and guidelines
- If you don't add a Media Library user to any groups and/or if you haven't shared any folders with those groups or directly with that user, the user won't see any content in the Media Library.
- The Media Library user role replaces the now obsolete 'Contributor' and 'Viewer' roles. For users with these roles, Cloudinary has made the following adjustments to ensure that the access permissions these users previously had remained unchanged:
- Users in either of these roles have been automatically migrated to the Media Library user role.
- Viewer and Contributor user groups were automatically created and these users are now included in the relevant group.
- These two user groups have permissions to the Home folder at the corresponding level (Can view or Can contribute). For more details, see Folder sharing and permissions.
Permissions for Console Settings
SAML/SSO login
Find the option to activate SAML (SSO) login in the Account Security page of the Console Settings:
SAML Login: This option lets the administrator activate SAML (SSO) login, so that users in your organization can log in using the same authentication system that they use for other SSO-supported applications. If you activate this option, you can globally select whether to Enforce SAML login or to let users choose between logging in via the SSO application and via the Cloudinary Console login window. If you choose the latter ('Enforce' is disabled), then when creating new users, you can optionally select Send invitation email for that user. When selected, that user receives an email inviting them to create a Console password.
- If your account has SAML (SSO) login enabled and you use the Media Library Widget or one of our Integrations, you must allowlist the domain console.cloudinary.com. If you need assistance, contact Support.
- If you also use the SAML Provisioning feature, make sure the Two-Factor Authentication user setting (2FA) is Disabled. You can configure two-factor authentication through your IdP, if required.
- The two-factor authentication (2FA) user setting is ignored when using SAML login to log in to Cloudinary, as the SSO IdP is trusted.
- Even if you set Enforce SAML login to Enabled, any user created with the Master admin role will automatically get an invitation to set a Console password and will be able to log in directly to the Console, if needed.












