2022-09-29
2 min read
Cloudflare’s mission is to help build a better Internet. Pair that with our core belief that security is something that should be accessible to everyone and the outcome is a better and safer Internet for all. Previously, our FREE and PAYGO customers didn’t have the flexibility to give someone control of just part of their account, they had to give access to everything.
Starting today, role based access controls (RBAC), and all of our additional roles will be rolled out to users on every plan! Whether you are a small business or even a single user, you can ensure that you can add users only to parts of Cloudflare you deem appropriate.
Why should I limit access?
It is good practice with security in general to limit access to what a team member needs to do a job. Restricting access limits the overall threat surface if a given user was compromised, and ensures that you limit the surface that mistakes can be made.
If a malicious user was able to gain access to an account, but it only had read access, you’ll find yourself with less of a headache than someone who had administrative access, and could change how your site operates. Likewise, you can prevent users outside their role from accidentally making changes to critical features like firewall or DNS configuration.
What are roles?
Roles are a grouping of permissions that make sense together. At Cloudflare, this means grouping permissions together by access to a product suite.
Cloudflare is a critical piece of infrastructure for customers, and roles ensure that you can give your team the access they need, scoped to what they’ll do, and which products they interact with.
Once enabled for Role Based Access Controls, by going to “Manage Account” and “Members” in the left sidebar, you’ll have the following list of roles available, which each grant access to disparate subsets of the Cloudflare offering.
| Role Name | Role Description |
|---|---|
| Administrator | Can access the full account, except for membership management and billing. |
| Administrator Read Only | Can access the full account in read-only mode. |
| Analytics | Can read Analytics. |
| Audit Logs Viewer | Can view Audit Logs. |
| Billing | Can edit the account’s billing profile and subscriptions. |
| Cache Purge | Can purge the edge cache. |
| Cloudflare Access | Can edit Cloudflare Access policies. |
| Cloudflare Gateway | Can edit Cloudflare Gateway and read Access. |
| Cloudflare Images | Can edit Cloudflare Images assets |
| Cloudflare Stream | Can edit Cloudflare Stream media. |
| Cloudflare Workers Admin | Can edit Cloudflare Workers. |
| Cloudflare Zero Trust | Can edit Cloudflare Zero Trust. |
| Cloudflare Zero Trust PII | Can access Cloudflare Zero Trust PII. |
| Cloudflare Zero Trust Read Only | Can access Cloudflare for Zero Trust read only mode. |
| Cloudflare Zero Trust Reporting | Can access Cloudflare for Zero Trust reporting data. |
| DNS | Can edit DNS records. |
| Firewall | Can edit WAF, IP Firewall, and Zone Lockdown settings. |
| HTTP Applications | Can view and edit HTTP Applications |
| HTTP Applications Read | Can view HTTP Applications |
| Load Balancer | Can edit Load Balancers, Pools, Origins, and Health Checks. |
| Log Share | Can edit Log Share configuration. |
| Log Share Reader | Can read Enterprise Log Share. |
| Magic Network Monitoring | Can view and edit MNM configuration |
| Magic Network Monitoring Admin | Can view, edit, create, and delete MNM configuration |
| Magic Network Monitoring Read-Only | Can view MNM configuration |
| Network Services Read (Magic) | Grants read access to network configurations for Magic services. |
| Network Services Write (Magic) | Grants write access to network configurations for Magic services. |
| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for DNS and Firewall. |
| Trust and Safety | Can view and request reviews for blocks |
| Zaraz Admin | Can edit Zaraz configuration. |
| Zaraz Readonly | Can read Zaraz configuration. |
If you find yourself on a team that is growing, you may want to grant firewall and DNS access to a delegated network admin, billing access to your bookkeeper, and Workers access to your developer.
Each of these roles provides specific access to a portion of your Cloudflare account, scoping them to the appropriate set of products. Even Super Administrator is now available, allowing you to provide this access to somebody without handing over your password and 2FA.
How to use our roles
The first step to using RBAC is an analysis and review of the duties and tasks of your team. When a team member primarily interacts with a specific part of the Cloudflare offering, start off by giving them only access to that part(s). Our roles are built in a way that allows multiple to be assigned to a single user, such that when they require more access, you can grant them an additional role.
Rollout
At this point in time, we will be rolling out RBAC over the next few weeks. When the roles become available in your account, head over to our documentation to learn about each of the roles in detail.