Roles help you control what users can view, create, update, publish, or delete within a stack. You can create custom roles to manage access for content teams, developers, translators, taxonomy managers, and other users.
Only stack Owners, Admins, and users assigned the Developer role can create roles in a stack.
To create a role, log in to your Contentstack account and perform the following steps:
Note: Publishing environment permissions apply to all language variants associated with the selected environments.
You can configure entry-level permissions to control what a role can do with entries in specific content types or taxonomies. Available permissions include Read, Create, Update, Publish/Unpublish, and Delete.
Entry permissions are divided into the following categories:
Use this option to define permissions for all entries of one or more content types or taxonomies.
For example:
Use this option to define permissions for selected entries within one or more content types.
For example, allow a role to Read and Update the “AI” entry from the “Marketing Blogs” content type.
Taxonomy permissions allow you to control access to taxonomy structures within a stack. These permissions are available only when taxonomy RBAC is enabled for your organization.
With taxonomy permissions, you can allow a role to perform the following actions:
Taxonomy permissions are divided into the following categories:
Use this option to define permissions for all taxonomies in the stack.
For example:
Use this option to define permissions for selected taxonomies.
For example, allow a role to Read and Update the “Regions” taxonomy.
Note:
You can configure asset-level permissions to control access to assets and asset folders within a stack.
Available permissions include Read, Create, Update, Publish/Unpublish, and Delete.
Asset permissions are divided into the following categories:
Use this option to define permissions for all assets and asset folders in the stack.
For example, allow a role to Read all assets and folders.
Use this option to define permissions for selected assets.
For example, allow a role to Read and Publish/Unpublish the “AI_1” asset.
Use this option to define permissions for selected asset folders.
Permissions applied to a folder also apply to all assets and subfolders within that folder.
For example:
Language permissions control access to localized versions of entries in the stack.
Available permissions include Read, Create, Update, and Delete.
Language permissions are divided into the following categories:
Use this option to define permissions for all language variants in the stack.
For example, allow a role to access all English and German entry variants.
Use this option to define permissions for selected language variants.
For example, allow a role to access only the “English - United States” language variant.
Note: Language permissions apply at the role level and cannot vary by content type.
Warning: If you deselect the master language, users cannot access unlocalized entries that inherit content from the master language.
To allow access to all available languages, select All Languages.
For more information about language-based access behavior, refer to the Language-Specific Restrictions on Entries Scenarios section.
Exceptions allow you to restrict actions that a role would otherwise be allowed to perform through assigned permissions.
For example, a role may have permission to create entries for all content types but be restricted from creating entries in the “Blog” content type.
You can configure entry exceptions to restrict a role from performing actions such as Read, Create, Update, Publish/Unpublish, and Delete.
Entry exceptions are divided into the following categories:
Use this option to restrict actions across all entries of one or more content types or taxonomies.
For example:
Use this option to restrict actions on selected entries.
For example, allow a role to read all entries but restrict updates to the “AI” entry from the “Marketing Blogs” content type.
Use this option to restrict actions on selected fields across entries.
For example, allow a role to read all entries from the “Marketing Blogs” content type but restrict updates to the “Multi Line Textbox” field.
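The following added example (not Contentstack code and not the Create a Role API schema) models how entry permissions and entry exceptions combine, so a reviewer can check what a role can effectively do before assigning it. The `Rule` and `Role` classes, the `*` wildcard, and the assumption that a matching exception always overrides a matching permission are illustrative; the content type, entry, and field names come from the examples on this page.

```python
from dataclasses import dataclass

ALL = "*"  # wildcard in this model: every content type, entry or field


@dataclass(frozen=True)
class Rule:
    actions: frozenset
    content_type: str = ALL
    entry: str = ALL
    field_name: str = ALL  # narrower than ALL only on field-level exceptions

    def covers(self, action, content_type, entry, field_name):
        if action not in self.actions:
            return False
        if self.content_type not in (ALL, content_type):
            return False
        if self.entry not in (ALL, entry):
            return False
        # A field-scoped rule applies only when that field is being touched.
        return self.field_name in (ALL, field_name)


@dataclass(frozen=True)
class Role:
    permissions: tuple
    exceptions: tuple

    def blocking_exception(self, action, content_type, entry, field_name=None):
        """Return the first exception that restricts this request, or None."""
        for rule in self.exceptions:
            if rule.covers(action, content_type, entry, field_name):
                return rule
        return None

    def allowed(self, action, content_type, entry, field_name=None):
        granted = any(r.covers(action, content_type, entry, field_name)
                      for r in self.permissions)
        # Assumption of this model: an exception always wins over a permission.
        blocked = self.blocking_exception(action, content_type, entry, field_name)
        return granted and blocked is None


def demo_role():
    """Constructed role combining the three entry-exception examples on this page."""
    return Role(
        permissions=(Rule(frozenset({"read", "create", "update"})),),
        exceptions=(
            Rule(frozenset({"create"}), content_type="Blog"),
            Rule(frozenset({"update"}), content_type="Marketing Blogs", entry="AI"),
            Rule(frozenset({"update"}), content_type="Marketing Blogs",
                 field_name="Multi Line Textbox"),
        ),
    )
```

Calling `blocking_exception` for a denied request shows which exception caused the denial, which is useful when a role has accumulated many overlapping rules.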
You can configure taxonomy exceptions to restrict specific taxonomy management actions.
These exceptions apply only to taxonomy structures and do not affect entry-level taxonomy access.
Taxonomy exceptions are divided into the following categories:
Use this option to restrict actions across all taxonomies.
For example, allow a role to read all taxonomies but restrict delete access.
Use this option to restrict actions on selected taxonomies.
For example, allow a role to manage all taxonomies but restrict publishing or deletion of the “Regions” taxonomy.
You can configure asset exceptions to restrict actions on assets and asset folders.
Available restrictions include Read, Create, Update, Publish/Unpublish, and Delete.
Asset exceptions are divided into the following categories:
Use this option to restrict actions across all assets and folders.
For example, allow a role to read all assets and folders but restrict update access.
Use this option to restrict actions on selected assets.
For example, allow a role to read all assets but restrict publishing of the “Image1” asset.
Use this option to restrict actions on selected folders.
For example, allow a role to read and update all folders except the “Marketing Blogs” and “Sales Blogs” folders.
By default, users can still access assets and subfolders within those folders based on the configured exception settings.
You can configure language exceptions to restrict actions on localized entry variants.
Available restrictions include Create, Update, and Delete.
Language exceptions are divided into the following categories:
Use this option to restrict actions across all language variants.
For example, allow a role to read entries in all languages but restrict update access.
Use this option to restrict actions on selected language variants.
For example, allow a role to read English (United States) entry variants but restrict update access.
To create custom roles via API, refer to the Create a Role API request.