Granular permissions for Tunnels and Mesh nodes
You can scope Cloudflare member permissions to individual Cloudflare Tunnel instances and Cloudflare Mesh nodes, instead of granting account-wide access to every Tunnel and Mesh node. This enables least-privilege delegation for private networking operations — for example, letting a support operator stream logs from a single Tunnel without exposing the rest of your account.
Granular permissions are a parallel layer to account-scoped roles — they do not replace them. Members who already hold an account-level role like Cloudflare Access or Cloudflare Zero Trust continue to have write access to every Tunnel and Mesh node in the account.
For any API request on a specific Tunnel or Mesh node, access is granted if the principal has either:
- An account-level role that covers the resource (for example, Cloudflare Access or Cloudflare Zero Trust), or
- A resource-scoped role bound to that specific Tunnel or Mesh node.
Resource enumeration endpoints (GET /accounts/{id}/cfd_tunnel, GET /accounts/{id}/warp_connector) return only the resources the principal has at least read access to.
Granular permissions are assigned through the standard member management flow.
- In the Cloudflare dashboard, go to Manage Account > Members and select Invite Members, or open an existing member to edit their permissions.
- Add a permission policy and choose a resource-scoped role that targets Tunnels or Mesh nodes.
- In the Scope section, choose Specific resources.
- Set Resource type to one of:
  - Cloudflare Tunnel instances — for individual Cloudflare Tunnel instances.
  - Cloudflare Mesh nodes — for individual Cloudflare Mesh nodes.
- Select one or more specific Tunnels or Mesh nodes from the resource picker.
- Save the policy.
You can attach multiple granular policies to the same member to cover different Tunnels and Mesh nodes with different roles.
Listing endpoints are authorization-aware. When a principal calls a listing endpoint, the response is filtered to the resources they have at least read access to.
| Endpoint | Method | Returns |
|---|---|---|
| /accounts/{account_id}/cfd_tunnel | GET | Cloudflare Tunnel instances the principal can read or manage. |
| /accounts/{account_id}/warp_connector | GET | Cloudflare Mesh nodes the principal can read or manage. |
| /accounts/{account_id}/teamnet/routes | GET | Routes attached to Tunnels the principal can read or manage. |
Members with an account-level role that covers Tunnels and Mesh continue to see all resources in the account.
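The decision rule described earlier (an account-level role that covers the resource, or a resource-scoped role bound to that specific Tunnel or Mesh node) together with the read-filtered listing behaviour above, as an added Python model; this is not Cloudflare's code, and the "read"/"manage" level names, the resource identifiers and the two sample members are constructed for illustration.

```python
from dataclasses import dataclass, field

# Capability ordering assumed for this model: "read" < "manage"; 0 means no access.
LEVELS = {"read": 1, "manage": 2}
# Account-level roles the page says cover every Tunnel and Mesh node with write access.
COVERING_ACCOUNT_ROLES = {"Cloudflare Access", "Cloudflare Zero Trust"}

@dataclass
class ScopedPolicy:
    """One granular policy: a role level bound to specific resources."""
    level: str            # "read" or "manage"
    resource_type: str    # "tunnel" or "mesh"
    resource_ids: frozenset

@dataclass
class Member:
    account_roles: set = field(default_factory=set)
    scoped_policies: list = field(default_factory=list)

def effective_level(member, resource_type, resource_id):
    """Highest capability on one resource; granular policies only ever add to it."""
    best = LEVELS["manage"] if member.account_roles & COVERING_ACCOUNT_ROLES else 0
    for policy in member.scoped_policies:
        if policy.resource_type == resource_type and resource_id in policy.resource_ids:
            best = max(best, LEVELS[policy.level])
    return best

def is_authorized(member, resource_type, resource_id, required):
    """Decision for a request on one specific Tunnel or Mesh node."""
    return effective_level(member, resource_type, resource_id) >= LEVELS[required]

def list_visible(member, resource_type, inventory):
    """Model of the listing endpoints: only resources with at least read access."""
    return [rid for rid in inventory if is_authorized(member, resource_type, rid, "read")]

# Constructed sample account: three Tunnels and one Mesh node.
TUNNELS = ["tun-a", "tun-b", "tun-c"]
MESH_NODES = ["mesh-1"]
# Support operator: read on tun-a only, so tun-b, tun-c and mesh-1 are invisible.
OPERATOR = Member(scoped_policies=[ScopedPolicy("read", "tunnel", frozenset({"tun-a"}))])
# Admin with an account-level role plus a narrower granular policy that cannot reduce it.
ADMIN = Member(account_roles={"Cloudflare Access"},
               scoped_policies=[ScopedPolicy("read", "tunnel", frozenset({"tun-a"}))])
```

Running `list_visible(OPERATOR, "tunnel", TUNNELS)` returns only `tun-a`, while the same call for `ADMIN` returns all three Tunnels, which is a quick way to check that a member's combined policies match the least-privilege intent before inviting them.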
- Existing account-level roles and API tokens continue to function as before.
- Existing automation that authenticates with an account-level token (for example, Terraform pipelines using a Cloudflare Access token) is unaffected.
- Granular permissions are opt-in. Granting one to a member adds capability; it never removes capability that the member already has from an account-level role.
- Roles reference — the full list of Cloudflare roles, including resource-scoped roles for Tunnels and Mesh nodes.
- Role scopes — how policy scopes work across account, domain, and resource layers.
- Manage account members — the member invite and edit flow.
- Cloudflare Tunnel
- Cloudflare Mesh