Tiered policies
Gateway tiered policies allow you to share and enforce Gateway policies across multiple Zero Trust accounts. This enables centralized policy management for organizations that manage multiple accounts.
There are two approaches for setting up tiered policies, depending on your deployment model and policy requirements:
- Cloudflare Organizations — Share DNS, network, HTTP, and resolver policies across accounts in a Cloudflare Organization using the dashboard.
- Tenant API — Manage DNS policies across parent and child accounts for Managed Service Provider (MSP) deployments.
| Feature | Cloudflare Organizations | Tenant API |
|---|---|---|
| Supported policy types | DNS, Network, HTTP, Resolver | DNS only |
| Account model | Source / Recipient accounts | Parent / Child accounts |
| Shareable settings | Block pages, extended email matching | Block pages |
| Setup | Dashboard (self-serve) | API-only |
| Availability | Enterprise (beta) | Enterprise (GA) |