Create a Role

Only the stack Owner, Admins and users assigned “Developer” roles have the right to create a role in the stack.

To create a role, log in to your Contentstack account, and perform the following steps:

1. Go to your stack, navigate to the “Settings” icon on the left navigation panel, and select Users & Roles. Here, you will see the list of existing users of the stack.
2. Select the Roles tab.
3. Click on the + New Role button located at the top right corner of the page.
4. Enter a suitable Name and Description for the role.
5. Under Permissions, define the permissions that you want to assign to the new role. You can set permissions on entries, assets, and asset folders.
   1. Permissions on entries: Set permissions for all entries of all/specific content types or taxonomies (and terms), or specific entries, or even specific fields. Refer to the Permissions on entries section to learn how you can use this permission.
   2. Permissions on assets: Set permissions on all/specific assets, or on specific assets’ folder. Refer to the “Permissions on assets” section to learn how you can use this permission.
   3. Exceptions: If you do not want any role to access data of certain entries, taxonomies and terms, fields, and/or any assets, you can add exceptions.
6. Under Publishing Environments, set on which environment(s) the role can publish content.

   Note: Once you set the environment-related permissions, the user role will be able to publish all language variants of entries in the stack to the selected environments.

7. Under Languages, define the language-related permissions you want to assign to the role.

   1. Permissions on languages: Set the language(s) to which the role should have "Update" rights.
      You can also restrict access for a specific role to the master language. To understand how language-specific restrictions affect a user's entry access permissions, refer to the Language-Specific Restrictions on Entries Scenarios section.
      

      Warning: If you deselect the master language, then any unlocalized language entry that inherits content from the master language will not be accessible.

      To provide access to all available languages, you can directly select the All Languages link.

   2. Exceptions: If you do not want any role to access data of certain language variants of entries in the stack, you can add exceptions. Refer to the Exceptions on Languages section to learn how you can add language-related exceptions.

8. Click Save to create the new role.

You can set permissions on entries, i.e., you can allow a new role to “Read, “Create,” “Update,” “Publish/Unpublish,” and/or “Delete” entries. The entry/field-level permissions are categorized into three sections: “All Entries,” “Specific Entries,” and “Specific Fields.” Let’s look at them in detail.

• All Entries of Content Types/Taxonomies: Set what this role can do on all entries of one or more content types or taxonomies. For example, you can assign the "Read" permission to all entries of the "Marketing Blogs" content type.

  Alternatively, you can assign permissions for all entries to all or specific taxonomies. For example, you can assign All Permissions to all entries that have a Specific Taxonomy, Regions with Specific Term North America associated with them.

  
• Specific Entries - Set what this role can do on specific entries of one or more content types. For example, you can assign the "Read" and "Update" permissions to "AI" entry of the "Marketing Blogs" content type.

• Specific Fields - Set what this role CANNOT do on specific fields of specific entries. You can apply these settings via the +Add Exceptions button when assigning Exceptions on Entries.

You can create a custom user role that has permissions such as "Read," "Create," "Update," "Publish/Unpublish," and "Delete" on all or specific assets and asset folders.

The asset-level permissions are categorized into three sections: "All Asset(s) and Folder(s)," "Specific Asset(s)," and "Specific Folder(s)." Let us look at them in detail.

• All Asset(s) and Folder(s): Set what a user role can do on all assets and folders of a stack. For example, you can create a user role with "Read" permission on all the assets and asset folders of your stack.
  
• Specific Asset(s): Set what a user role can do on specific assets of a stack. For example, you can create a user role with "Read" and "Publish/Unpublish" permission on "AI_1" of your stack.
• Specific Folder(s): Set what a user role can do on specific folders of a stack. All the individual assets and subfolders within that specific folder will have the same permissions.
  For example, you can create a user role with "Read" permission for a specific asset folder "Blogs" and "Read" and "Publish/Unpublish" permissions for the "Homepage" asset folder.

You can set permissions on language variants of entries, i.e., you can allow a new role to “Read,” “Create,” “Update” and/or “Delete” specific language versions of an entry. The language permissions are categorized into two sections: “All Languages” and “Specific Languages.” Let’s look at them in detail.

• All Languages of the Stack: Set what this role can do on all language variants of an entry of the stack. For example, you can provide permission to all the language variants of entries in the stack, such as English - United States and German.
  
• Specific Language(s) of the Stack: Set what this role can do on specific language variants of an entry of the stack. For example, you can provide permission to only the “English - United States” language variant of entries in the stack.

Note: Language permissions are applicable to the role. You cannot, however, have different language permissions for different content types. For example, you cannot allow access to language A for content type A and restrict access to language A for content type B. Read more to Manage Language Permissions.

Exceptions, as the name suggests, let you add an exception to existing permissions. It enables you to define what a role CANNOT do. If a role can create entries for all content types, you can set an exception by restricting it from creating entries of a particular content type or a particular taxonomy or term. For example, CANNOT "Create" entries for "Blog" content type.

You can apply exceptions at both the entry and asset level. Let’s look at them in detail.

You can disallow a role to "Read," "Create," "Update," "Publish/Unpublish," and/or "Delete" entries or fields. These exceptions are further divided into the following categories:

• All Entries of Content Types/Taxonomies: Set what this role CANNOT do on all entries of one or more content types. For example, the role can "Read" the entries of the "Blog" content type but cannot "Update" them.

  Alternatively, for example, the role can Read, Create, or Update all entries that have a Specific Taxonomy, Regions with Specific Term North America associated with them, but cannot "Publish/Unpublish" them.

  

• Specific Entries - Set what this role CANNOT do on specific entries of one or more content types. For example, the role can "Read" all the entries of all content type but cannot "Update" the "AI" entry from the "Marketing Blogs" content type.
• Specific Fields - Set what this role CANNOT do on specific fields of one or more content types. For example, the role can "Read" all entries from the "Marketing Blogs" content type, but cannot "Update" the "Multi Line Textbox" field of all entries of the "Marketing Blogs" content type.

You can disallow a role to "Read," "Create," "Update," "Publish/Unpublish," and "Delete" all or specific assets and asset folders. For example, the role can "Read" all assets and asset folders, but cannot "Publish" them.

These exceptions are further divided into the following categories:

• All Assets and Folders: Set what this role CANNOT do on all assets and folders of a stack. For example, the role can "Read" all the assets and folders of a stack, but cannot "Update" them.
• Specific Asset(s): Set what this role CANNOT do on specific assets of a stack. For example, the role can "Read" all the assets of a stack but cannot "Publish" the "Image1" asset of the stack.
• Specific Folder(s): Set what this role CANNOT do on specific folders of a stack. For example, the role can "Read" and "Update" all the folders of a stack except two folders: "Marketing Blogs" and "Sales Blogs." By default, the user can "Read" all the assets and/or subfolders within the "Marketing Blogs" and "Sales Blogs" folders but not "Update" them.

You can disallow a role to "Create," "Update," and/or "Delete" entries localized in the selected languages. For example, restrict a role from being able to "Create," "Update," or "Delete" entries localized in English (United States) or French (France).

These exceptions are further divided into the following categories:

• All Languages: Set what this role CANNOT do on all language variants of all entries in the stack. For example, the role can "READ" the entries present in all languages but cannot "UPDATE" them.
• Specific Language(s): Set what this role CANNOT do on specific language variants of all entries in the stack. For example, the role can "Read" all the English (United States) versions of entries of the stack but cannot "Update" them.

To perform the create action via API request, refer to the Create a Role API request.