Contentful uses a two-level permission model: Organization-level roles control who can manage billing and create spaces, while Space-level roles control what users can do within individual content spaces. Custom roles with granular policies are available on higher-tier plans.
Permission model overview
Contentful structures access as:
- Organization -- Top-level account container. Controls billing, space creation, and SSO settings. Each organization has Organization-level roles.
- Spaces -- Individual content repositories. Each space has its own set of users, roles, and API keys. Users must be invited to each space separately.
- Environments -- Branches within a space (master, staging, dev). Environment access can be restricted per role on Enterprise plans.
Permissions in Contentful are deny-by-default. Users have no access until explicitly granted a role in a space.
Organization-level roles
- Owner -- Full control over the organization including billing, subscription changes, SSO configuration, and all spaces. Only one owner per organization.
- Admin -- Can manage organization settings, create and delete spaces, and invite members to the organization. Cannot change billing or transfer ownership.
- Member -- Basic organization membership. Cannot manage organization settings. Must be separately invited to specific spaces to do anything useful.
Space-level roles (built-in)
Each space has these predefined roles:
- Admin -- Full access within the space: manage content types, entries, assets, API keys, webhooks, locales, and user roles. Can invite and remove space members.
- Editor -- Create, edit, and publish all entries and assets. Cannot modify content types, manage API keys, or change space settings.
- Author -- Create and edit entries. Can only publish their own entries. Cannot modify other users' content or manage assets beyond uploading.
- Translator -- Edit specific fields on existing entries (typically localized fields). Cannot create entries or modify non-translatable fields.
Custom roles (Team and Enterprise plans)
Custom roles use a policy-based system: you define allow and deny rules for specific actions on specific content types. Configurable options include:
- Create, Read, Update, Delete, Publish, Unpublish, Archive, Unarchive for entries
- Scoped by content type (e.g., "can only edit Blog Post entries")
- Scoped by field (e.g., "can edit the body field but not the slug")
- Filtered by entry state (draft, published, archived)
- Asset management (upload, edit, delete, publish)
Create custom roles under Space Settings > Roles & Permissions > Add Role.
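As an added illustration (not Contentful's own code or documentation), the following Python builds a custom role body in the policies/permissions JSON shape that the Content Management API uses for roles, expressing "can edit the body field of Blog Post entries but not the slug, and cannot publish", and then checks it against sample entries with a small local model of the allow/deny semantics. The evaluator is an illustrative approximation written for this page, not Contentful's engine; the content type id blogPost, the sample entries and the field paths are constructed. The constraint operators (equals, and, or, not, paths) and the top-level permissions keys follow the role format as understood by the author of this example.

```python
"""Custom role in Contentful's policy JSON shape plus an illustrative local evaluator."""
from typing import Any, Optional

# Role body in the shape the Content Management API accepts for a role
# (assumption: field names as used by the roles endpoint).
BLOG_POST_EDITOR_ROLE: dict = {
    "name": "Blog Post Body Editor",
    "description": "Edit the body of Blog Post entries only; never the slug; no publish.",
    "policies": [
        # Read every entry in the space.
        {"effect": "allow", "actions": ["read"],
         "constraint": {"equals": [{"doc": "sys.type"}, "Entry"]}},
        # Update only the body field, and only on Blog Post entries.
        {"effect": "allow", "actions": ["update"],
         "constraint": {"and": [
             {"equals": [{"doc": "sys.type"}, "Entry"]},
             {"equals": [{"doc": "sys.contentType.sys.id"}, "blogPost"]},
             {"paths": [{"doc": "fields.body.%"}]},
         ]}},
        # Explicit deny on the slug field; a matching deny overrides any allow.
        {"effect": "deny", "actions": ["update"],
         "constraint": {"and": [
             {"equals": [{"doc": "sys.type"}, "Entry"]},
             {"paths": [{"doc": "fields.slug.%"}]},
         ]}},
    ],
    # Space-level permissions: read the content model, nothing on settings or API keys.
    "permissions": {"ContentModel": ["read"], "Settings": [], "ContentDelivery": []},
}

# Constructed sample entries in the shape of CMA entry documents.
BLOG_ENTRY = {"sys": {"type": "Entry", "contentType": {"sys": {"id": "blogPost"}}},
              "fields": {"body": {"en-US": "text"}, "slug": {"en-US": "hello"}}}
PAGE_ENTRY = {"sys": {"type": "Entry", "contentType": {"sys": {"id": "landingPage"}}},
              "fields": {"body": {"en-US": "text"}}}


def _lookup(doc: dict, dotted: str) -> Any:
    """Walk a dotted path such as sys.contentType.sys.id through a nested dict."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _resolve(term: Any, doc: dict) -> Any:
    """A {"doc": path} term is read from the document; anything else is a literal."""
    if isinstance(term, dict) and "doc" in term:
        return _lookup(doc, term["doc"])
    return term


def _path_matches(pattern: str, path: Optional[str]) -> bool:
    """Segment-wise match where % stands for any single segment (e.g. a locale)."""
    if path is None:
        return False
    p_parts, f_parts = pattern.split("."), path.split(".")
    return len(p_parts) == len(f_parts) and all(
        a == "%" or a == b for a, b in zip(p_parts, f_parts))


def _constraint_holds(c: dict, doc: dict, path: Optional[str]) -> bool:
    """Evaluate one constraint node against the document and the field path."""
    if "and" in c:
        return all(_constraint_holds(x, doc, path) for x in c["and"])
    if "or" in c:
        return any(_constraint_holds(x, doc, path) for x in c["or"])
    if "not" in c:
        return not _constraint_holds(c["not"], doc, path)
    if "equals" in c:
        left, right = c["equals"]
        return _resolve(left, doc) == _resolve(right, doc)
    if "paths" in c:
        return any(_path_matches(p["doc"], path) for p in c["paths"])
    raise ValueError(f"unknown constraint: {c}")


def is_allowed(role: dict, action: str, doc: dict, path: Optional[str] = None) -> bool:
    """Deny-by-default: true only if an allow policy matches and no deny policy does."""
    allowed = False
    for policy in role["policies"]:
        actions = policy["actions"]
        if actions != "all" and action not in actions:
            continue
        if not _constraint_holds(policy["constraint"], doc, path):
            continue
        if policy["effect"] == "deny":
            return False  # deny wins regardless of policy order
        allowed = True
    return allowed


if __name__ == "__main__":
    for action, entry, path in [("update", BLOG_ENTRY, "fields.body.en-US"),
                                ("update", BLOG_ENTRY, "fields.slug.en-US"),
                                ("update", PAGE_ENTRY, "fields.body.en-US"),
                                ("publish", BLOG_ENTRY, None)]:
        print(action, entry["sys"]["contentType"]["sys"]["id"], path,
              "->", is_allowed(BLOG_POST_EDITOR_ROLE, action, entry, path))
```

The point to check before saving such a role in the UI or via the API is the deny rule: without it, a later allow policy on fields.%.% would silently reopen the slug, so keep the explicit deny and test the role against a draft entry as a user holding only that role.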
Managing users
Inviting a user to the organization:
- Go to Organization Settings > Users (app.contentful.com/account/organizations/{orgId}/users)
- Click Invite Users
- Enter email addresses and select the organization role
- The user receives an email invitation
Adding a user to a space:
- Within a space, go to Settings > Users and roles (/spaces/{spaceId}/settings/users)
- Click Add Users
- Select existing organization members or invite new ones
- Assign a space role (Admin, Editor, Author, or custom)
- Save -- the user gains access immediately
Removing a user:
- Remove from individual spaces under Space Settings > Users and roles
- Remove from the organization under Organization Settings > Users
- Review and rotate any API keys the user had access to
API keys and tokens
Contentful has multiple API types with separate credentials:
- Content Delivery API (CDA) keys -- Read-only access to published content. Created under Space Settings > API Keys. Each key has a space ID and access token.
- Content Preview API (CPA) keys -- Read-only access to draft/preview content. Created alongside CDA keys.
- Content Management API (CMA) tokens -- Read-write access for managing content, content types, and space configuration. Personal access tokens are created per-user under Account Settings > Personal Access Tokens. These inherit the permissions of the user who creates them.
- OAuth apps -- For third-party integrations. Configured under Organization Settings.
CDA and CPA keys are space-level and not tied to individual users. CMA tokens are user-specific -- when a user leaves, their personal tokens should be revoked.
Analytics and tracking permissions
Contentful is a headless CMS, so analytics tracking is implemented in your frontend application, not in Contentful itself:
- Content modeling for analytics -- Creating content types for tracking configuration (e.g., a "Tracking Scripts" content type) requires Admin or Editor roles with content type management permissions
- Webhook configuration -- Contentful can trigger webhooks on content events (publish, unpublish, etc.) for analytics pipelines. Configured under Space Settings > Webhooks. Requires Space Admin.
- CDA tokens for analytics queries -- To query content for analytics enrichment, create a dedicated CDA key with descriptive naming. Any space admin can create these.
- Usage analytics -- Contentful provides usage statistics (API calls, asset bandwidth) under Organization Settings > Usage. Requires Organization Admin.
Since frontend code handles the actual analytics implementation (GTM, GA, etc.), the permission that matters is who can edit template or configuration content in the space; there is no Contentful-specific analytics permission.
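Because the webhook endpoint that feeds an analytics pipeline is reachable from the internet, the receiving side should check that a delivery really came from the configured webhook before acting on it. The following Python is an added example, not Contentful's code: it assumes the webhook was configured under Space Settings > Webhooks with a custom secret header named X-Webhook-Secret (the header name and secret value are constructed for this page; X-Contentful-Topic is a header Contentful sends with each delivery), restricts the accepted topics to the publish/unpublish events the pipeline needs, and rejects malformed payloads without raising. The sample delivery is constructed.

```python
"""Validate one Contentful webhook delivery before an analytics pipeline consumes it."""
import hmac
import json

# Assumption: a custom secret header configured on the webhook in Contentful.
SECRET_HEADER = "X-Webhook-Secret"
SHARED_SECRET = "constructed-example-secret-do-not-use"
# Only the content events this pipeline should react to.
ALLOWED_TOPICS = {
    "ContentManagement.Entry.publish",
    "ContentManagement.Entry.unpublish",
}


def handle_delivery(headers: dict, body: bytes, secret: str = SHARED_SECRET) -> dict:
    """Return a result dict describing whether the delivery is accepted and why not."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    presented = h.get(SECRET_HEADER.lower(), "")
    # Constant-time comparison so the check does not leak the secret via timing.
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return {"accepted": False, "reason": "bad secret"}
    topic = h.get("x-contentful-topic", "")
    if topic not in ALLOWED_TOPICS:
        return {"accepted": False, "reason": f"unexpected topic {topic!r}"}
    try:
        payload = json.loads(body)
        entry_id = payload["sys"]["id"]
        content_type = payload["sys"]["contentType"]["sys"]["id"]
    except (ValueError, KeyError, TypeError):
        return {"accepted": False, "reason": "malformed payload"}
    return {"accepted": True, "topic": topic,
            "entry_id": entry_id, "content_type": content_type}


# Constructed sample delivery in the shape of a Contentful entry webhook call.
SAMPLE_HEADERS = {
    "Content-Type": "application/vnd.contentful.management.v1+json",
    "X-Contentful-Topic": "ContentManagement.Entry.publish",
    "X-Contentful-Webhook-Name": "analytics-pipeline",
    "X-Webhook-Secret": SHARED_SECRET,
}
SAMPLE_BODY = json.dumps({
    "sys": {"type": "Entry", "id": "3xAmpleEntry",
            "contentType": {"sys": {"id": "trackingScripts"}}},
    "fields": {"name": {"en-US": "GTM container"}},
}).encode()


if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY))
    print(handle_delivery({**SAMPLE_HEADERS, "X-Webhook-Secret": "wrong"}, SAMPLE_BODY))
```

Rejected deliveries are worth logging with the topic and webhook name headers but never with the presented secret, so a misconfigured or rotated secret shows up in monitoring without the log itself becoming a credential store.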
SSO and security
- SSO via SAML 2.0 is available on Enterprise plans. Configured under Organization Settings > SSO.
- SCIM provisioning is supported on Enterprise for automated user lifecycle management.
- Two-factor authentication can be enforced organization-wide under Organization Settings > Security.
- Audit logs are available on Premium/Enterprise plans under Organization Settings > Audit Logs, showing user actions across all spaces.
- Personal access tokens can be viewed and revoked under Account Settings > Personal Access Tokens.
Sub-pages in this section
- Roles and Permissions -- Custom role policy configuration, environment-level access, and permission patterns for common team structures
- Adding and Removing Users -- Invitation workflows, space onboarding, and secure offboarding procedures