Create a Role

Only the stack owner, admins and users assigned “Developer” roles have the right to create a role in the stack.

To create a role, log in to your Contentstack account, and perform the following steps:

  1. Go to your stack, navigate to the “Settings” gear icon, and select Roles. Here, you will see the list of existing roles of the stack.
  2. Click on the + New Role button located at the top right corner of the Roles page.
  3. Enter a suitable Name and Description for the role.
  4. Under PERMISSIONS, define the permissions that you want to assign to the new role. You can set permissions on entries, assets, and asset folders.
    1. Permissions on entries: Set permissions for all entries of all/specific content types, or specific entries, or even specific fields. Refer to the “Permissions on entries” section to learn how you can use this permission.
    2. Permissions on assets: Set permissions on all/specific assets, or on specific assets’ folder. Refer to the “Permissions on assets” section to learn how you can use this permission.
    3. Exceptions: If you do not want any role to access data of certain entries and/or fields, or any assets, you can add exceptions.
  5. Finally, set the publishing rights for environments, and languages:
    1. Publishing Environments: Set on which environment(s) the role can publish content.
    2. Languages: Set to which language(s) the role has access to.

      Note: By default, the master language is accessible to all roles.

  6. Click Save to create the new role.

Permissions on Entries

You can set permissions on entries, i.e., you can allow a new role to “Read,” “Create,” “Update,” “Publish/Unpublish,” and/or “Delete” entries. The entry-/field-level permissions are categorized into three sections: “All Entries,” “Specific Entries,” and “Specific Fields.” Let’s look at them in detail.

  • All Entries of Content Types - Set what this role can do on all entries of one or more content types. For example, you can assign the "READ" permission to all entries of the "Blog" content type.
    All Entries of Content Types.png
  • Specific Entries - Set what this role can do on specific entries of one or more content types. For example, you can assign the "READ" and "UPDATE" permissions to "My First Article" and "My Second article" entries of the "Blog" content type.
    Specific entries.png
  • Specific Fields - Set what this role CANNOT do on specific fields of specific entries. You can apply these settings via the +Add Exceptions button when assigning Exceptions on Entries.

Permissions on Assets

You can create a custom user role that has permissions such as "Read," "Update," "Publish/Unpublish," and "Delete" on all or specific assets and asset folders.

The asset-level permissions are categorized into three sections: "All Assets and Folders," "Specific asset(s)," and "Specific Folder(s)." Let us look at them in detail.

  • All Assets and Folders: Set what a user role can do on all assets and folders of a stack. For example, you can create a user role with "Read" permission on all the assets and asset folders of your stack.
    all assets and asset folders
  • Specific Asset(s): Set what a user role can do on specific assets of a stack. For example, you can create a user role with "Publish" permission on "Image 1" and "Image 2" of your stack.
    specific assets
  • Specific Folder(s): Set what a user role can do on specific folders of a stack. All the individual assets and subfolders within that specific folder will have the same permissions.

    For example, you can create a user role with "Read" permission on the "Marketing Images" asset folder and "Publish" permission on the "InDesign Images" folder. The user role can access all the assets/subfolders within "Marketing Images" and "InDesign Images" with "Read" and "Publish" permissions, respectively.
    specific folders

Exceptions

Exceptions, as the name suggests, let you add an exception to existing permissions. It enables you to define what a role CANNOT do. For example, if a role can create entries for all content types, you can set an exception by restricting it from creating entries of a particular content type. For example, CANNOT "Create" entries for "Blog" content type.

You can apply exceptions at both the entry and asset level. Let’s look at them in detail.

Exceptions on Entries

You can disallow a new role to "Read," "Create," "Update," "Publish/Unpublish," and/or "Delete" entries or fields. These exceptions are further divided into the following categories:

  • All Entries of Content Types - Set what this role CANNOT do on all entries of one or more content types. For example, the role can "READ" the entries of the "Blog" content type but cannot "UPDATE" them.
    Exceptions - All Entries of Content Types.png
  • Specific Entries - Set what this role CANNOT do on specific entries of one or more content types. For example, the role can "Read" all the entries of the "Blog" content type but cannot "Update" two entries: "My First Article" and "My Second article."
    Exceptions - Specific Entries.png
  • Specific Fields - Set what this role CANNOT do on specific fields of one or more content types. For example, the role can "READ" but cannot "UPDATE" the "Author Name" field of all entries of the "Author" content type.
    Exceptions - Specific Fields.png

Exceptions on Assets

You can disallow a new role to "Read," "Create," "Update," "Publish/Unpublish," and "Delete" all or specific assets and asset folders. For example, the role can "Read" all assets and asset folders, but cannot "Publish" them.

These exceptions are further divided into the following categories:

  • All Assets and Folders: Set what this role CANNOT do on all assets and folders of a stack. For example, the role can "Read" all the assets and folders of a stack, but cannot "Update" them.
    exception on all the asset and asset folders
  • Specific Asset(s): Set what this role CANNOT do on specific assets of a stack. For example, the role can "Read" all the assets of a stack but cannot "Publish" the "Image1" asset of the stack.
    exceptions on specific assets
  • Specific Folder(s): Set what this role CANNOT do on specific folders of a stack. For example, the role can "Read" all the folders of a stack but cannot "Update" two folders: "Marketing Blogs" and "Sales Blogs." By default, the user cannot "Update" all the assets and/or subfolders within the "Marketing Blogs" and "Sales Blogs" folders.
    exceptions on specific folders

Tutorial Video

Let's create a new custom role, and give this role certain permissions on the News Articles content type as well as the assets associated with the content type.

How to create a Custom Role

API Reference

To perform the create action via API request, refer to the Create a Role API request.

On This Page

top-arrow