Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Roles and permissions

When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members which can be added to a given account. Any members with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless read-only mode is enabled).

To check the list of members in your account, or to manage roles and permissions, refer to our Account setup documentation.

​​ Zero Trust roles

Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.

Access ReadAccess EditGateway ReadGateway EditGateway ReportBilling ReadBilling Edit
Super Administrator
Cloudflare Zero Trust
Cloudflare Access
Cloudflare Gateway
Cloudflare Zero Trust Read Only
Cloudflare Zero Trust Reporting

​​ Cloudflare Zero Trust PII

By default, only Super Administrators can view end users’ PII in the Gateway activity logs, such as Device IDs, Source IPs, or user emails. No other roles will have the ability to read PII unless Super Administrators explicitly assign the Cloudflare Zero Trust PII role to them.

The Cloudflare Zero Trust PII role should be considered an add-on role, to be combined with any role from the table above. For example, Super Administrators may decide to assign the Cloudflare Gateway role to a user, and add the Cloudflare Zero Trust PII role to allow that user to access PII in the Gateway logs.