Cloudflare changelogs for Cloudflare Meshhttps://developers.cloudflare.com/changelog/https://developers.cloudflare.com/changelog/post/2026-05-21-tunnel-mesh-granular-permissions/https://developers.cloudflare.com/changelog/post/2026-05-21-tunnel-mesh-granular-permissions/<p>You can now scope Cloudflare permissions to individual <a href="https://developers.cloudflare.com/tunnel/">Cloudflare Tunnel</a> instances and <a href="https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/">Cloudflare Mesh</a> nodes. Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking.</p> <h4>What is new</h4> <p>When you <a href="https://developers.cloudflare.com/fundamentals/manage-members/manage/">add a member</a> or create a <a href="https://developers.cloudflare.com/fundamentals/manage-members/policies/">permission policy</a>, the resource picker now lists <a href="https://developers.cloudflare.com/tunnel/">Cloudflare Tunnel</a> instances and <a href="https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/">Cloudflare Mesh</a> nodes as scopable resource types. You can:</p> <ul> <li>Grant a read-only role on a single Cloudflare Tunnel instance to a support operator for log streaming and diagnostics — without exposing other Tunnels or destructive actions.</li> <li>Grant a write role on a specific Cloudflare Mesh node to an application team — without giving them access to the rest of your private network.</li> <li>Scope a single policy to one or many Tunnels and Mesh nodes at once.</li> </ul> <h4>How it works</h4> <p>Granular permissions are a parallel layer to existing account-level roles — they do not replace them.</p> <ul> <li><strong>Existing account-level roles continue to work.</strong> A member with <code>Cloudflare Access</code> or <code>Cloudflare Zero Trust</code> retains write access to every Tunnel and Mesh node in the account. This ensures backward compatibility for existing automation and tokens.</li> <li><strong>Granular permissions are additive.</strong> For any API request on a specific Tunnel or Mesh node, access is granted if the principal has <strong>either</strong> the account-level role <strong>or</strong> a granular permission for that resource.</li> <li><strong>Resource enumeration is authorization-aware.</strong> Listing endpoints (<code>GET /accounts/{id}/cfd_tunnel</code>, <code>GET /accounts/{id}/warp_connector</code>) return only the resources the principal has at least read access to.</li> </ul> <h4>Get started</h4> <ul> <li>Configure <a href="https://developers.cloudflare.com/tunnel/advanced/granular-permissions/">granular permissions for Cloudflare Tunnel</a>.</li> <li>Configure <a href="https://developers.cloudflare.com/cloudflare-one/networks/connectors/granular-permissions/">granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One</a>.</li> <li>Review the <a href="https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles">resource-scoped roles</a> on the Cloudflare role reference.</li> </ul>Thu, 21 May 2026 00:00:00 GMTCloudflare FundamentalsCloudflare FundamentalsCloudflare OneCloudflare Tunnel for SASECloudflare TunnelCloudflare Mesh