Learn about roles and how to assign and revoke roles to users.

Manage Roles

User roles define the information that a specific user assigned to the role can view and what they can do in Cloud Elements. Each role includes a list of privileges that you can add or remove depending on how you want to manage roles in your organization.

Cloud Elements supports the following roles:

  • Organization Administrator — Manage all aspects of security; create elements, formula templates, and virtual data resources for the organization; and can access all logs in Activity.
  • Account Administrator — Performs the same function of the Organization Administrator, but only on the account where they are the administrator. Account Administrator cannot create or manage accounts or set security rules.
  • Default User — A non-administrator role for users in non-default accounts.
    Note: You cannot manually set default-user roles for the users in your account. This is intentional behavior, as the default-user role is system-assigned.
  • Organization User — A non-administrator user is a system assigned account. Users with the Organization User account have no different privileges than other default users as the system generates their access levels with respect to the default settings.

Update User Roles 

You can assign a user as an organization or account administrator or remove roles. If you want to assign a user as an organization administrator, they must be in the Company Default Account.

Using our APIs?

Change a users role with PATCH /users/{id} .

Remove a role with DELETE /users/{userId}/roles/{roleKey}.

Assign a role with PUT /users/{userId}/roles/{roleKey}.

Note: Using APIs, you can manually assign the default-user and org roles to a new user, but this overrides the system’s assignment of the roles and is not recommended.

To update a user's role or information:

  1. Access the Accounts Edit page.
  2. Click the Edit icon.
  3. Update the user role or information. To reassign the user to be an organization or account administrator, select Org Admin or Account Admin.

Managing Roles for Multiple Users

Cloud Elements supports configuring permissions for different roles, which can be used to assign varying levels of access to users that need to interact with the Cloud Elements platform. There are four roles that can be configured: Organization Administrator, Account Administrator, Default User, and Organization User.


  • Only Organization Administrator (`org-admin`) and Account Administrator (`admin`) can be manually assigned to users. 
  • Default User (`default-user`) and Organization User (`org`), are assigned by the system. This does not mean you cannot use these roles.

Here is how you can use the roles to meet the use-case to have two “levels” of users:

  • A `default-user` is system-assigned when a user is created in a non-default account (the original account your organization was created with). A user with the `default-user` role would be best suited to permissions at the account-level. 
  • An `org` user is system-assigned when a user is created in the default account. A user with the `org` role would be best suited to permissions at the org-level.

Here is an example on how the roles can be defined and assigned in a business:

  • Administrator / power user: A user that can perform any action, in any account, to any resource or artifact at the organization and account level.
    • Organization Administrator (`org-admin`)
  • Account-level administrator user: A user that can perform any action in their specific account to any resource or organization that exists in their account.
    • Account Administrator (`admin`)
  • Integration / support specialist: A user that can perform specific actions to customize resources and artifacts at a granular level for different customers across numerous accounts, but not affect resources and artifacts at the organization or account level. This user could possibly also have permissions to view logs / activity for troubleshooting and support purposes.
    • Auto-assigned Organization User (`org`)
  • API User: A user that is used by your external software to access resources (like VDRs, Formulas, and Element API requests) from Cloud Elements.
    • Auto-assigned Default User (`default-user`)

To create a user as an `org` user (the integration / support specialist mentioned above), create a new user in the default account and do not assign other roles.

To create a user as a `default-user` (the API User mentioned above), create a new user in a non-default account and do not assign other roles.

In case of more roles

You can use the same role for multiple types of users. For example, API User can also have the same privileges as one of the other roles as you can customize their access manually. 

Update Permissions Assigned to Roles

You can customize the permissions assigned to the Cloud Elements roles. You can grant access to new permissions or remove access from existing permissions. This is applicable to all the roles.

To update permissions assigned to roles:

  1. Access the Security page.

    Note: If you don't see Security, your assigned role does not have access to it. 

  2. Click the Roles tab.
  3. Click the check boxes to assign or remove permissions.
  4. Click Update Roles.

Role-Based Access Control to Element Instances

The Cloud Elements platform allows users to view, use, modify, and delete element instances from the same account, provided the user has a role with one or more of these privileges active:

viewAccountElementInstancesAbility to view instances from users of the same account
useAccountElementInstancesAbility to use instances from users of the same account
editAccountElementInstancesAbility to modify instances from users of the same account
deleteAccountElementInstancesAbility to delete instances from users of the same account

Changing User Permissions

While these element-related privileges are granted to account administrators by default, but they and other permissions can be disabled. In order to enable or disable changes to user permissions, users must have the necessary permissions to do so. To enable or disable element-related or other permissions, follow these steps:

  1. After logging in to Cloud Elements, navigate to the Security page.
    Security button

  2. From the Security page, click the Roles tab.
    Security page Roles button

  3. On the Roles tab, toggle permissions on and off using the checkboxes in the Enabled column, and then click Update Roles.
    Update Roles button

Role-Based Element Listing

The Role Based Element Listing feature provides the ability for users to control listing elements at organizational level; that is, the ability to control what elements at organization level can be viewed by all the accounts and users under an organization.

To list elements of your preference, you need to enable the Manage Element Org Lists privilege. You require this privilege to add, update and delete elements for listing elements as per your requirements. 

  • On Cloud Elements UI, click the Security option on the navigational panel to your left.
  • Switch to the Roles tab on the console that opens.
  • Ensure that the Manage Element Org Lists privilege is enabled.

This privilege is enabled for Organization Administrators by default. Organization administrators can use the listing APIs without having to explicitly enable this privilege as mentioned above. 

This feature makes use of the following APIs:

  1. Get Element Safelists - GET/url/organisations/{organisationId}/elements-safelist - Gets the list of safelisted elements for the provided organization id.
  2. Update Element Safelists - PUT/url/organisations/{organisationId}/elements-safelist - Adds elements to be safelisted for the provided organization id.
  3. Patch Element Safelists - PATCH/url/organisations/{organisationId}/elements-safelist - Adds elements to elements saflisted in an organization.
  4. Delete Element Safelists - DELETE/url/organisations/{organisationId}/elements-safelist - Deletes elements from the list of safelisted elements in an organization.
  5. Delete Element Safelists by Element Id - DELETE/url/organisations/{organisationId}/elements-safelist/{ element Id} - Deletes the element corresponding to the element Id, from the list of safelisted elements in an organization.

Points to note:

  • Cloud Elements also has a feature to add elements to a Denylist at the super-organization level. This feature is implemented only for whitelabel partners, using which they can make sure an element is not visible to any of the organizations under the super-organization.
  • If a whitelabel super-organization which contains multiple organizations has added an element to it denylist at the super-organization level, that element cannot be safelisted for any of its organizations. Both the safelist and denylist are mutually exclusive to each other for a given organization. An error message appears when you try adding an element to a denylist when it is already added to a safelist and vice versa.
  • When elements are added to safelist by an organization, all the accounts and users under the organization will only be able to see the safelisted elements. Any user who has private elements in an organization, will not see them.
  • This privilege is enabled by default for an organization administrator and can be enabled for other roles by enabling the configure_roles privilege. Hence this feature is not tied to any particular role and is at the discretion of the organization administrator.
  • To remove elements from the safelist of an organization, you will need to use the DELETE API and delete the elements from the safelist. The privilege does not directly impact the behaviour of this functionality, so enabling or disabling the privilege would not change what is on the list.