To create a role, log in to your Contentstack account, and perform the following steps:
Go to your stack, navigate to the “Settings” icon on the left navigation panel, and select Users & Roles. Here, you will see the list of existing roles of the stack.
Select the Roles tab.
Click on the + New Role button located at the top right corner of the page.
Enter a suitable Name and Description for the role.
Under PERMISSIONS, define the permissions that you want to assign to the new role. You can set permissions on entries, assets, and asset folders.
Permissions on entries: Set permissions for all entries of all/specific content types, or specific entries, or even specific fields. Refer to the “Permissions on entries” section to learn how you can use this permission.
Permissions on assets: Set permissions on all/specific assets, or on specific assets’ folder. Refer to the “Permissions on assets” section to learn how you can use this permission.
Exceptions: If you do not want any role to access data of certain entries and/or fields, or any assets, you can add exceptions.
Under Publishing Environments, set on which environment(s) the role can publish content.
Note: Once you set the environment-related permissions, the user role will be able to publish all language variants of entries in the stack to the selected environments.
Under Languages, define the language-related permissions you want to assign to the role.
Permissions on languages: Set the language(s) to which the role should have "Update" rights. You can also restrict access for a specific role to the master language. To understand how language-specific restrictions affect a user's entry access permissions, refer to the Language-Specific Restrictions on Entries Scenarios section.
Warning: If you deselect the master language, then any unlocalized language entry that inherits content from the master language will not be accessible.
To provide access to all available languages, you can directly select the All Languages checkbox.
Exceptions: If you do not want any role to access data of certain language variants of entries in the stack, you can add exceptions. Refer to the Exceptions on Languages section to learn how you can add language-related exceptions.
Click Save to create the new role.
Permissions on Entries
You can set permissions on entries, i.e., you can allow a new role to “Read, “Create,” “Update,” “Publish/Unpublish,” and/or “Delete” entries. The entry-/field-level permissions are categorized into three sections: “All Entries,” “Specific Entries,” and “Specific Fields.” Let’s look at them in detail.
All Entries of Content Types - Set what this role can do on all entries of one or more content types. For example, you can assign the "Read" permission to all entries of the "Blog" content type.
Specific Entries - Set what this role can do on specific entries of one or more content types. For example, you can assign the "Read" and "Update" permissions to "My First Article" and "My Second article" entries of the "Blog" content type.
Specific Fields - Set what this role CANNOT do on specific fields of specific entries. You can apply these settings via the +Add Exceptions button when assigning Exceptions on Entries.
Permissions on Assets
You can create a custom user role that has permissions such as "Read," "Update," "Publish/Unpublish," and "Delete" on all or specific assets and asset folders.
The asset-level permissions are categorized into three sections: "All Assets and Folders," "Specific asset(s)," and "Specific Folder(s)." Let us look at them in detail.
All Assets and Folders: Set what a user role can do on all assets and folders of a stack. For example, you can create a user role with "Read" permission on all the assets and asset folders of your stack.
Specific Asset(s): Set what a user role can do on specific assets of a stack. For example, you can create a user role with "Publish" or "Unpublish" permission on "Image 1" and "Image 2" of your stack.
Specific Folder(s): Set what a user role can do on specific folders of a stack. All the individual assets and subfolders within that specific folder will have the same permissions. For example, you can create a user role with "Read" permission for all asset folders and "Publish/Unpublish" permission on the "Sales Blogs" folder. This user role will be able to only read all the assets/subfolders within "Marketing Blogs" but work on all assets of the "Sales Blogs" with the "Read" and "Publish/Unpublish" permissions, respectively.
Permissions on Languages
You can set permissions on language variants of entries, i.e., you can allow a new role to “Read,” “Create,” “Update” and/or “Delete” specific language versions of an entry. The language permissions are categorized into two sections: “All Languages” and “Specific Languages.” Let’s look at them in detail.
All Languages of the Stack: Set what this role can do on all language variants of an entry of the stack. For example, you can provide permission to all the language variants of entries in the stack, such as English - United States, French - France, Japanese - Japan, and Spanish - Spain.
Specific Language(s) of the Stack: Set what this role can do on specific language variants of an entry of the stack. For example, you can provide permission to only the “English - United States” and “French - France” language variants of entries in the stack.
Note: Language permissions are applicable to the role. You cannot, however, have different language permissions for different content types. For example, you cannot allow access to language A for content type A and restrict access to language A for content type B. Read more to Manage Language Permissions.
Exceptions
Exceptions, as the name suggests, let you add an exception to existing permissions. It enables you to define what a role CANNOT do. For example, if a role can create entries for all content types, you can set an exception by restricting it from creating entries of a particular content type. For example, CANNOT "Create" entries for "Blog" content type.
You can apply exceptions at both the entry and asset level. Let’s look at them in detail.
Exceptions on Entries
You can disallow a role to "Read," "Create," "Update," "Publish/Unpublish," and/or "Delete" entries or fields. These exceptions are further divided into the following categories:
All Entries of Content Types - Set what this role CANNOT do on all entries of one or more content types. For example, the role can "Read" the entries of the "Blog" content type but cannot "Update" them.
Specific Entries - Set what this role CANNOT do on specific entries of one or more content types. For example, the role can "Read" all the entries of the "Blog" content type but cannot "Update" two entries: "My First Article" and "My Second article."
Specific Fields - Set what this role CANNOT do on specific fields of one or more content types. For example, the role can "Read" but cannot "Update" the "Author Name" field of all entries of the "Author" content type.
Exceptions on Assets
You can disallow a role to "Read," "Create," "Update," "Publish/Unpublish," and "Delete" all or specific assets and asset folders. For example, the role can "Read" all assets and asset folders, but cannot "Publish" them.
These exceptions are further divided into the following categories:
All Assets and Folders: Set what this role CANNOT do on all assets and folders of a stack. For example, the role can "Read" all the assets and folders of a stack, but cannot "Update" them.
Specific Asset(s): Set what this role CANNOT do on specific assets of a stack. For example, the role can "Read" all the assets of a stack but cannot "Publish" the "Image1" asset of the stack.
Specific Folder(s): Set what this role CANNOT do on specific folders of a stack. For example, the role can "Read" and "Update" all the folders of a stack except two folders: "Marketing Blogs" and "Sales Blogs." By default, the user can "Read" all the assets and/or subfolders within the "Marketing Blogs" and "Sales Blogs" folders but not "Update" them.
Exceptions on Languages
You can disallow a role to "Create," "Update," and/or "Delete" entries localized in the selected languages. For example, restrict a role from being able to "Create," "Update," or "Delete" entries localized in English (United States) or French (France).
These exceptions are further divided into the following categories:
All Languages: Set what this role CANNOT do on all language variants of all entries in the stack. For example, the role can "READ" the entries present in all languages but cannot "UPDATE" them.
Specific Language(s): Set what this role CANNOT do on specific language variants of all entries in the stack. For example, the role can "Read" all the English (United States) versions of entries of the stack but cannot "Update" them.
Tutorial Video
Let's create a new user and add roles.
API Reference
To perform the create action via API request, refer to the Create a Role API request.