User and group management
Last updated: May-24-2023
There are many types of users who are a part of any Digital Asset Management workflow. You can set access and permission levels for each user to implement your governance policy for your data and assets.
When planning your governance policy, consider which processes or workflows are important to your business, which users need access to which assets, and what actions each user needs to perform.
Once you've analyzed your organization's governance needs, you can set access and permission levels for each user in the following ways:
User roles: When you define users in Cloudinary, you assign a role to each user. These roles control the areas of the Cloudinary Console that a user can access or modify.
User groups: The majority of your creative team will probably work primarily in the Media Library. When you assign users to the Media Library user role, you can streamline your workflow by defining folder access permissions to user groups, which can be associated with many users, as opposed to defining those permissions for one Media Library user at a time.
Folder and collection permissions: Within the Media Library, folders and collections provide a layer of security for the assets they contain. You can grant users and user groups permissions to specific folders and collections at varying levels, from full management control to view-only access.
Depending on their permission levels, users can then, in turn, share folders with other user groups or individual users, and invite teammates to collections, at varying levels of access permissions.
- Every user who accesses the Media Library requires a separate seat license.
- Users and user groups are configured on the account level, so you can manage them from within any of your product environments.
- Users with the Master admin role have access to all product environments. Users with all other roles can be given access to all or to only selected product environments.
Recommended workflow
It's important to carefully plan your setup so that your folder structure and the assets each folder contains correspond accurately with your users and groups and the folders they'll be able to access.
It's recommended to follow a process similar to the following:
First understand the steps in the workflow and plan your DAM setup as described, then implement the steps in the same order. Follow the links for more information on each topic:
- Define user groups: Think about the different teams in your organization. For example, do you have Designers? Marketers? Content managers? Your groups should represent teams of users who need to access the same assets.
- Create folder structure: One of the main considerations when creating a folder structure is who will get access to each folder and the assets within it. Keep in mind that permissions cascade from folder to subfolder, meaning that if you grant a certain level of access to a folder, you can't restrict that access from any of its sub-folders. Cloudinary's DAM provides an effective way to find your assets via powerful search capabilities and an advanced system for assigning metadata, so there's no need to design a deep folder structure to organize and categorize your assets. You can focus on using folders to set permission levels.
- Add assets to folders: You've already planned who will get access to each folder. Add assets to the folders that will set the right access levels for them.
- Share folders (and optionally collections) with user groups: For each folder, grant the permission level for each user group that you want to share it with.
- Add and configure users: Consider each one of your users and assign roles and other permissions appropriate to their intended use of the Media Library:
  - Users with an Admin role: These users will always have full access to all folders and assets in the Media Library, so granting folder permissions doesn't apply to them.
  - Users with the Media Library user role: When you assign Media Library users to groups, the users automatically receive the groups' permission levels. If you do create a new user before setting up the folder structure, adding assets, and setting folder permissions for groups, that user may log into Cloudinary before receiving permission to view any content. In this case, the Media Library will appear completely empty for them.
- Share folders (and optionally collections) with individual users: Grant folder permissions to individual Media Library users, if you have users who need permissions to folders that their groups don't have.
User group configuration
If you plan to create users with the Media Library user role, then it's recommended to first create all the user groups you expect to work with. For example, if you have different teams working on different product lines, you may want to ensure that only teammates from a particular product line can access folders related to those products or you may want to create a variety of dynamic collections to make it easy for relevant groups to find and view assets relevant to their tasks.
- User groups can be assigned one of several access permission levels for each of the folders in your Media Library, and can separately be given varying permissions to work with each of the available collections. Consider the way you expect to sort your assets in folders and collections, and the different types of users who may be accessing those folders and collections, to determine the groups you will need. For more details, see Access control via folders and Access control via collections.
- A user can belong to more than one group. In that case, if the permissions conflict between two groups, or between those for a group and those assigned to a specific user, then the higher level (less strict) permission will be applied.
- You create and edit user groups in the Users page of your Console Settings, which you can navigate to by clicking the gear icon in the Console options sidebar. You can also see the number of members in each group.
Access control via folder sharing and permissions
You can control access to assets by sharing folders (and thus their contents) with selected users or user groups at varying levels of access permissions, from full management control to view-only access. Conversely, you can prevent access to a folder's contents by not sharing that folder with a specific user or user group at all.
As a DAM administrator, it's your responsibility to set up the folder structure and initially grant users permissions to the folders at the appropriate levels.
Keep in mind that, depending on the permission levels you've granted, users may, in turn, be able to share folders with other user groups or individual users at varying levels of access permissions. This means that additional users would receive permissions that you didn't grant to begin with.
Users with the following roles (and permissions) can also share folders:
- Any of the admin roles
- A Media Library user role with Can Manage permissions on the folder.
Folder sharing and permissions video tutorial
This tutorial walks you through the steps involved in this workflow.
After watching this overview video, continue reading the sections below to learn all of the details and considerations related to folder sharing and permissions.
How to share folders
To share a folder, do one of the following:
- Select Share from the options drop-down next to the current folder path at the top of the Media Library
- Select Share from the kebab menu available in the Folders grid.
Folder permission levels
When you or other Media Library users with the relevant permissions share a folder, you can set one of the following permission levels (each applies to the folder and all its sub-folders): Can view, Can contribute, Can edit, Can manage.
The table below summarizes the permissions available to each level:
Action | Can View | Can Contribute | Can Edit | Can Manage |
---|---|---|---|---|
View assets | ✔ | ✔ | ✔ | ✔ |
Download assets | ✔ | ✔ | ✔ | ✔ |
Edit transformations [1] (via Edit Transformation page or directly in browser URL) | ✔ | ✔ | ✔ | ✔ |
Comment on assets | ✔ | ✔ | ✔ | ✔ |
Search (including Advanced Search) [2] | ✔ | ✔ | ✔ | ✔ |
Upload assets | | ✔ | ✔ | ✔ |
Create sub-folders | | ✔ | ✔ | ✔ |
Overwrite existing on upload | | | ✔ | ✔ |
Edit assets [3] (tags, custom metadata, rename, move to another folder) | | | ✔ | ✔ |
Moderate assets [4] | | | ✔ | ✔ |
Delete assets | | | | ✔ |
Delete the folder | | | | ✔ |
Share the folder | | | | ✔ |
[1] Editing transformations does not have any impact on the original asset, but any new transformations that are generated are counted against your monthly transformation quota.
[2] Search results will include only assets where the user has at least Can view permissions.
[3] Users with Can Contribute permissions can use the Add tags option in the Media Library upload widget while uploading, but cannot add tags to existing assets.
[4] Media Library users with the Moderate asset administrator permission can access the Moderation page and moderate assets in folders that they have Can Edit or Can Manage permissions to. Media Library users will only be able to see the assets that they have permission to moderate from the moderation queue.
Folder sharing guidelines and best practices
When planning your folder sharing strategy, consider the following:
- Sharing rights:
  - Users that have the Media Library user role with Can manage permissions for a folder can share that folder and its sub-folders. Users with lower level permissions cannot share a folder.
  - Any user in a role other than Media Library user, Reports, or Billing can access, share, and manage all folders and assets in the Media Library.
  - Only a user with the share permissions mentioned above can see which user groups a folder is shared with, and how many users are in each of those groups.
- Sharing with multiple groups: You can share a folder with multiple users and user groups at the same or at different levels.
- Permissions on subfolders:
  - When you share a folder at a certain level, that permission level cascades down to all subfolders under it.
  - You can increase the permission level for a particular user or group in a sub-folder of a folder they already have access to, but you cannot decrease their permission level. For this reason, it's recommended to minimize permissions given to Media Library users at high-level folders, and especially on the Home (root) folder.
  - Best practice: If you're setting up folder permissions for a new product environment where no assets are yet in production, it's recommended not to store assets directly in the Home (root) folder, and to avoid sharing the Home folder with all or most Media Library users or user groups.
  - If you don't share a folder (nor any parent of that folder) with a particular user or group at all, those users will not be able to see that folder or the contents inside it. Even when performing a search on all folders, the results will only include folders where the user has at least view permissions. Similarly, if you don't share any folders with a particular user or user group, then those users won't have access to any assets in the Media Library. Exception: If assets from a particular folder are included in a collection, and that collection is shared with a user group or users who otherwise do not have access to that folder, those users will still be able to view and download (but not modify) the assets in that collection.
- Multiple user groups and permission levels: If a user belongs to multiple groups, and the same folder is shared to each of those groups at different permission levels (which are higher than the permissions they may have received individually), then the highest of those permission levels applies to the user.
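The cascade rule, the highest-level rule and the collection exception described above can be checked against a planned folder layout before it is configured. The following is an added example that models those rules; it is not Cloudinary code and does not call any Cloudinary API. The user names, group names, folder paths, collection name and action keys are constructed for illustration, and the action-to-level mapping follows the folder permission table.

```python
from enum import IntEnum
from posixpath import dirname


class Level(IntEnum):
    NONE = 0
    CAN_VIEW = 1
    CAN_CONTRIBUTE = 2
    CAN_EDIT = 3
    CAN_MANAGE = 4


# Minimum folder level per action, following the folder permission table.
MIN_LEVEL = {
    "view": Level.CAN_VIEW, "download": Level.CAN_VIEW,
    "upload": Level.CAN_CONTRIBUTE, "overwrite": Level.CAN_EDIT,
    "edit": Level.CAN_EDIT, "delete": Level.CAN_MANAGE,
    "share": Level.CAN_MANAGE,
}

# Constructed sample account; "" stands for the Home (root) folder.
GROUPS = {"designers": {"dana", "eli"}, "marketing": {"eli", "mo"}}
SHARES = {  # folder -> {user or group: level}
    "": {"marketing": Level.CAN_VIEW},
    "products": {"designers": Level.CAN_CONTRIBUTE},
    "products/launch": {"designers": Level.CAN_EDIT, "dana": Level.CAN_MANAGE},
    "legal": {"sam": Level.CAN_VIEW},
}
COLLECTIONS = {
    "brand-review": {"assets": {"legal/nda.pdf"}, "invited": {"designers"}},
}


def principals(user):
    """The user plus every group they belong to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def folder_chain(folder):
    """The folder and all its parents up to Home: 'a/b' -> ['a/b', 'a', '']."""
    chain = [folder]
    while folder:
        folder = dirname(folder)
        chain.append(folder)
    return chain


def effective_level(user, folder):
    """Highest level granted to the user or their groups on the folder or any
    parent: shares cascade down, and conflicts resolve to the less strict level."""
    who = principals(user)
    return max(
        (lvl for f in folder_chain(folder)
         for p, lvl in SHARES.get(f, {}).items() if p in who),
        default=Level.NONE,
    )


def can(user, action, asset):
    """True if the user may perform the action on the asset ('folder/name')."""
    if effective_level(user, dirname(asset)) >= MIN_LEVEL[action]:
        return True
    # Collection exception: invited users can view and download, never modify.
    if action in ("view", "download"):
        who = principals(user)
        return any(asset in c["assets"] and who & c["invited"]
                   for c in COLLECTIONS.values())
    return False


def home_folder_shares():
    """Users and groups holding a share on Home, which cascades to every folder."""
    return sorted(SHARES.get("", {}))
```

In this layout the single Home share gives every member of the marketing group view access to legal/ as well, which is the situation the best practice above warns about.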
Access control via collection sharing and permissions
Collections often represent a group of assets targeted for a particular purpose, and are a dynamic way to create conceptual groupings of assets, regardless of their folder structure. Collections provide a convenient way for users to collaborate with others either inside or outside of the organization regarding the compiled set of assets.
You can use collections to provide users access to assets in your product environment at different permission levels. A Media Library user that has access to assets by virtue of collection permissions only can never modify the original assets; minimum permissions to a collection include viewing and downloading.
Keep in mind that, depending on the permission levels you've granted, users may be able to share collections with other user groups or individual users at varying access levels, granting additional users permissions that you hadn't assigned to begin with, or create collections on their own. Media Library users may also be able to publish the collections, exposing assets externally.
Users in an admin role can create new collections, view and download, invite teammates to, and publish all collections.
However, as a DAM administrator, you can restrict Media Library users from performing some actions:
- Media Library users can create their own collections only if you've assigned them Create collection permissions.
- Media Library users can invite teammates and publish a collection only if both conditions are met:
  - You assign the user Share collection permissions.
  - The user is the creator of the collection or you or another user with relevant permissions has granted Can manage permissions on the collection they want to share.
- For more information on what users can do with collections, see Collection management.
- For instructions on how to create and add assets to collections, see Create and add assets to collections.
Setting user permissions via collections
To share a collection internally, invite teammates (Media Library users or user group members) to it. Users can see the collection that they've been invited to and the collection creator's name in the main Collections view, as shown in View collections available to you.
To invite teammates to collections:
- Select Collections from the Navigation pane to open the main collection view.
- Open the Invite Teammates dialog box:
  - From the main Collection view, right-click or click the (3-dots) options menu of a collection and select Invite Teammates.
  - From the main Collection view, select a collection and click Invite teammates in the Preview pane. (If the Preview pane is closed, click the Open Preview button to display it.)
- Select the users and/or user groups you want to invite to your collection, as well as the permission level for each.
Collection permissions
When inviting teammates to collections, you, and Media Library users with relevant permissions, can set one of the following permission levels:
Can view, Can share, Can collaborate, Can manage.
The table below summarizes the permissions available to each level:
Action | Can view | Can share | Can collaborate | Can manage |
---|---|---|---|---|
View assets in the collection [1] | ✔ | ✔ | ✔ | ✔ |
Download assets in the collection | ✔ | ✔ | ✔ | ✔ |
Invite teammates to a collection [2] | | ✔ | | ✔ |
Publish a collection [2] | | ✔ | | ✔ |
Add assets to the collection | | | ✔ | ✔ |
Remove assets from collection | | | | ✔ |
Rename the collection | | | | ✔ |
Delete collection | | | | ✔ |
[1] Anyone with Can view or higher permissions to a collection can view (but not otherwise modify) all assets in that collection, even if they don't have Can view permissions for the folders containing those assets.
[2] Even if a user group or Media Library user was invited to a collection at Can manage level permissions, the user must also have Share collection permissions (set by an administrator) in order to invite teammates or publish the collection.
Collection sharing guidelines and best practices
Depending on the user's collection sharing permissions, Media Library users may be able to take actions that can affect asset access in the following ways:
- Viewing and downloading assets: Media Library users that are invited to collections can view and download assets in those collections, even if they don't have permission to access those assets via their folders.
- Inviting teammates to collections: May expose assets in the collection to other users that couldn't access those assets originally.
- Publishing the collection via a link to a generated web page: Exposes assets in the collection externally.
- Creating a collection: May expose assets in the new collection to internal users that couldn't access those assets originally, as well as to external stakeholders, if the new collection is then shared.
- Adding assets to collections: Potentially exposes assets that you might not want to expose. For example, if assets from a particular folder are added to a collection, and that collection is shared with a user group or users who otherwise can't access that folder, those users will still be able to view and download (but not modify) the assets in that collection.
- Removing assets from collections and deleting collections: Assets may become unexpectedly unavailable to internal or external stakeholders. For example, if a user deletes a collection that was included as part of a Media Portal, the collection will no longer be available to external stakeholders via the portal.
You can restrict a Media Library user's ability to Create collections and/or Share collections internally and externally when you configure the user.
User configuration
The Users page of your Console Settings, which you can navigate to by clicking the gear icon in the Console Options sidebar, includes your personal user profile details and email preferences. You, and account users with any role, can update personal information here.
As a user with a Master admin or Admin role, you can also configure settings that impact all account users as well as the option to add or modify individual users and permissions:
- You can view and manage all account users, including adding users, removing users, changing their roles, and more.
- You can activate SAML login for your organization.
Managing users
You can define and update account users in one of the following ways:
- Manually, in the Users page of your Console Settings
- Automatically, using SAML provisioning with any SAML-compliant identity provider
- Via a script, using the Provisioning API
To create and manage users manually, scroll down to the Users heading in the Users page of the Console Settings. Click Add new user or click an existing user's name to edit configuration for an existing user.
For each user, you can set:
- First and Last name: The user sees their name below your cloud name when they log into the Console.
- E-mail: After creating a new user, that user will receive an email at this address that requires confirmation. This email address is also used for logging in to Cloudinary.
- Role: Controls which areas the user can access and which operations they can perform in those areas. For details, see Role-based permissions below.
- Product environment access: If your account includes more than one product environment, you can define which product environments each user can access. Users with the Master admin role always get full control in all product environments. Therefore, this option is displayed only when you select a role other than Master admin.
  By default, users are given access (at the same role level) to all product environments. Clear the check box to select which product environments (if any) the user should have access to.
Additional options for users with the Media Library user role:
- User Groups: User groups are relevant only for users with the Media Library user role, so this option is displayed only when a Media Library user is selected. This section displays all User Groups that have already been defined. For details, see User group configuration.
- User Permissions: User permissions are relevant only for users with the Media Library user role, so this option is displayed only when a Media Library user is selected. This section includes the following permissions:
  - Create collection: Enables a Media Library user to create collections.
  - Share collection: Enables a Media Library user with Owner, Can share or Can manage permissions on a collection to share that collection both internally and externally. Note: Without these permissions, a Media Library user can still view or contribute to collections shared with them, but they can't create collections or share collections with others, even if they are assigned Owner level permissions for a collection.
  - The standard setup allows Media Library users to view or copy asset delivery URLs, adjust the asset access control settings, and edit public IDs if they have the necessary folder permissions. However, an alternative setup allows you to restrict or enable those actions using the Enable delivery URL options user permission. If you don't see this setting in the Media Library user role options and would like to use it, contact support.
  - Moderate asset: Enables the Media Library user to moderate assets in any folder that they have Can Edit or Can Manage permissions to. Note: To enable Media Library users to access the moderation queue, contact support.
Managing additional user subscriptions
You can see the maximum number of users that you're eligible for via your base plan in the panel on the right side of your Account Settings page of the Cloudinary Console. If you need to increase your user limit, you can upgrade your plan by clicking the Change Plan button.
Alternatively, you can purchase additional user subscriptions over and above your plan's limit by clicking on the Change user limit link from the Users Settings page of the Cloudinary Console. You can extend your limit by up to 20 additional user subscriptions, with no need to switch plans.
Afterwards, you can increase or decrease the number of additional user subscriptions on your account anytime.
For additional help, or to add more than 20 additional users, contact support.
Role-based permissions
Each user in your Cloudinary account is assigned a role. This role defines the operations a user can perform, the areas of the Cloudinary Console that they can view or change, and the settings they can control.
Whereas Master admins have access to all product environments, users with other roles can be set to have access to all or only specified product environments. Users have the same role in all product environments they have access to.
Below are tables summarizing the permission details for each role, divided by Console areas:
- The Digital Asset Management product
- The Programmable Media product
- Account and product environment Settings
Permissions for Digital Asset Management
1 The Dashboard is available only to DAM customers on a paid plan.
2 The Activity Reports feature is available only to customers on an Enterprise plan upon request.
Additional DAM role considerations and guidelines
- If you do not add a Media Library user to any groups and/or if no folders are shared with those groups or directly with that user, the user will not see any content in the Media Library.
- The Media Library user role replaces the now obsolete 'Contributor' and 'Viewer' roles. For users who were assigned these roles, Cloudinary has made the following adjustments to ensure that the access permissions these users previously had remained unchanged:
  - Users in either of these roles have been automatically migrated to the Media Library user role.
  - Viewer and Contributor user groups were automatically created and these users were added to the relevant group.
  - The Home folder has been shared with these two user groups at the corresponding level (Can view or Can contribute). For more details, see Folder sharing and permissions.
Permissions for Programmable Media
Permissions for Console Settings
SAML/SSO login
Find the option to activate SAML (SSO) login in the Users page of the Console Settings:
SAML login: This option enables the administrator to activate SAML (SSO) login. This can enable users in your organization to log in using the same authentication system that they use for other SSO-supported applications. If you activate this option, you can globally select whether to Enforce SAML login or to allow users to choose whether to log in either via the SSO application or via the Cloudinary Console login window. If you choose the latter ('Enforce' is disabled), then when creating new users, you can optionally select Send invitation email for that user. When selected, that user receives an email inviting them to create a Console password.
- If your account has SAML (SSO) login enabled and you use the Media Library Widget or one of our Platform Integrations, you must whitelist the domain console.cloudinary.com. If you need assistance, contact Support.
- If you also use the SAML Provisioning feature, make sure the Two factor authentication user setting (2FA) is Disabled. You can configure two-factor authentication through your IdP, if required.
- The Two factor authentication (2FA) user setting is ignored when using SAML login to log in to Cloudinary, as the SSO IdP is trusted.
- Even if you set Enforce SAML login to Enabled, any user created with the Master admin role will automatically get an invitation to set a Console password and will be able to log in directly to the Console, if needed.