There are many types of users who are a part of any Digital Asset Management workflow. You can set access and permission levels for each user in the following ways:
User groups: The majority of your creative team will probably work primarily in the Media Library. Thus, when you assign users to the Media Library user role, you can define another level of permissions within the Media Library by assigning Media Library users to one or more user groups.
Folder and collection permissions: Within the Media Library, folders and collections provide a layer of security for the assets they contain. You can grant users and user groups permissions to specific folders and collections at varying levels, from full management control to view-only access. Depending on their permission levels, users can then, in turn, share folders with other user groups or individual users, and invite teammates to collections, at varying levels of access permissions.
If you plan to create users with the Media Library user role, it's recommended to first create all the user groups you expect to work with. For example, if you have different teams working on different product lines, you may want to ensure that only teammates from a particular product line can access folders related to those products. You may also want to create a variety of dynamic collections to make it easy for relevant groups to find and view assets relevant to their tasks.
- User groups can be assigned one of several access permission levels for each of the folders in your Media Library, and can separately be given varying permissions to work with each of the available collections. Consider the way you expect to sort your assets in folders and collections, and the different types of users who may be accessing those folders and collections, to determine the groups you will need. For full details, see Folders and Collections.
- A user can belong to more than one group. In that case, if the permissions conflict between two groups, or between those for a group and those assigned to a specific user, then the higher level (less strict) permission will be applied.
- You create and edit user groups in the Users tab of the account settings. You can also see the number of members in each group.
It's recommended to create all required user groups and then set up folder and collection sharing for these user groups before creating new Media Library users and assigning them to groups.
Keep in mind that if you do create a new Media Library user and assign them to a new group before any folders or collections have been shared directly with them or with the groups they belong to, that user will get an email notification about their new account and may log into Cloudinary before they have permission to view any content. In this case, the Media Library will appear completely empty for them.
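The conflict rule and the empty-library case described above can be checked before users are invited. The following is an added example, not Cloudinary code, and it calls no Cloudinary API: it models folder shares only, the group names, users and folder paths are constructed, and the level ordering (including the "Can manage" name) is an assumption.

```python
# Permission levels, lowest to highest. Ordering and "Can manage" are assumptions.
LEVELS = {"Can view": 1, "Can contribute": 2, "Can manage": 3}

# Constructed sample data, not taken from a real account.
GROUPS = {"Product A": {"alice", "bob"}, "Reviewers": {"bob"}, "Interns": {"carol"}}
SHARES = {  # folder -> list of (kind, principal, level)
    "product-a/launch": [("group", "Product A", "Can manage"),
                         ("group", "Reviewers", "Can view")],
    "product-a/archive": [("group", "Product A", "Can view"),
                          ("user", "alice", "Can contribute")],
}


def grants_for(user, folder):
    """Every grant that reaches `user` on `folder`, directly or via a group."""
    found = []
    for kind, principal, level in SHARES[folder]:
        if kind == "user" and principal == user:
            found.append(("user " + principal, level))
        elif kind == "group" and user in GROUPS.get(principal, set()):
            found.append(("group " + principal, level))
    return found


def effective(user, folder):
    """Highest (least strict) level wins; None means no access at all."""
    levels = (level for _, level in grants_for(user, folder))
    return max(levels, key=LEVELS.get, default=None)


def audit(users):
    """Flag grants that do not restrict anyone, and users who will see nothing."""
    findings = []
    for user in users:
        sees_something = False
        for folder in SHARES:
            top = effective(user, folder)
            if top is None:
                continue
            sees_something = True
            for source, level in grants_for(user, folder):
                if LEVELS[level] < LEVELS[top]:
                    findings.append((user, folder,
                                     f"{source} grant '{level}' is overridden by '{top}'"))
        if not sees_something:
            findings.append((user, None, "no shared folders: Media Library will be empty"))
    return findings
```

An overridden grant in the output means that membership in the stricter group does not limit that user on that folder, so a restriction has to be made by removing the higher grant.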
You can define and update account users in one of the following ways:
- Manually, in the Users tab of the account settings
- Automatically, using SAML provisioning with any SAML-compliant identity provider
- Via a script, using the Provisioning API
For each user, you can set:
- First and Last name: The user sees their name below your cloud name when they log into the console.
- E-mail: After creating a new user, that user will receive an email to this address to confirm their account. This email address is also used for logging in to Cloudinary.
- Role: Controls which areas the user can access and which operations they can perform in those areas. For details, see Role-based permissions below.
- Sub-account access: If your account includes one or more sub-accounts, you can define which sub-accounts each user can access. Users with the Master admin role always get full control in all sub-accounts. Therefore, this option is displayed only when you select a role other than Master admin. By default, users are given access (at the same role level) to all sub-accounts. Clear the check box to select which sub-accounts (if any) the user should have access to.
- User Groups: User groups are relevant only for users with the Media Library user role, so this option is displayed only when a Media Library user is selected. This section displays all User Groups that have already been defined. For details, see Group configuration.
- User Permissions: User permissions are relevant only for users with the Media Library user role, so this option is displayed only when a Media Library user is selected. This section includes permissions for creating and sharing collections. Without these permissions, a Media Library user can still view or contribute to collections shared with them, but cannot create or share collections, even if they are assigned Owner level permissions for a collection. Note that users with Share collection permission can share collections both internally and externally.
Each user in your Cloudinary account is assigned a role. This role defines the operations a user can perform on your account, the areas of the Cloudinary console that they can view or change, and the settings they can control.
Below is a table summarizing the permission details for each role:
- If you do not add a Media Library user to any groups and/or if no folders are shared with those groups or directly with that user, the user will not see any content in the Media Library.
- The Media Library user role replaces the now obsolete 'Contributor' and 'Viewer' roles. For users who were assigned these roles, Cloudinary has made the following adjustments to ensure that the access permissions these users previously had remain unchanged:
  - Users in either of these roles have been automatically migrated to the Media Library user role.
  - Viewer and Contributor user groups were automatically created for your account and these users were added to the relevant group.
  - The Home folder has been shared with these two user groups at the corresponding level (Can view or Can contribute). For more details, see Folder sharing and permissions.
The Users tab of the account settings includes your personal user profile details and email preferences. If you're an account administrator, this tab also includes settings that impact all account users as well as the option to add or modify individual users and permissions. The following may be useful for DAM account administration:
SAML login: This option enables the Cloudinary account administrator to activate SSO login, so that users in your organization can log in using the same authentication system that you use for other SSO-supported applications. If you activate this option, you can globally select whether to Enforce SAML login or to allow users to log in either via the SSO application or directly to the Cloudinary console. If you choose the latter ('Enforce' is disabled), then when creating new users, you can optionally select Send invitation email for that user. When selected, that user receives an email inviting them to create a console password.
- If you also use the SAML Provisioning feature, make sure the Two factor authentication user setting (2FA) is Disabled. You can configure two-factor authentication through your IdP, if required.
- The Two factor authentication (2FA) user setting is ignored when using SSO to log in to Cloudinary, as the SSO IdP is trusted.
- Even if you set Enforce SAML login to Enabled, any user created with the Master admin role will automatically get an invitation to set a console password and will be able to log in directly to the console, if needed.
List of users: Enables viewing and managing all account users, including adding users, removing users, changing their roles, and more. This list is visible only to users with a Master admin or Admin role.