Skip to content

Roles

Whenever you add a new member to your account, you can assign policies to those users and make use of the available roles. Roles can only ever be assigned to their given scope and multiple roles can be assigned to a given policy.

Account-scoped roles

Account-scoped roles apply across an entire Cloudflare account, and through all domains in that account.

RoleDescription
AdministratorCan access the full account and edit subscriptions. Cannot manage memberships nor billing profile.
Super AdministratorCan edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators.
Administrator Read OnlyCan access the full account in read-only mode.
AnalyticsCan read Analytics.
API GatewayGrants full access to API Gateway (including API Shield) for all domains in an account.
API Gateway ReadGrants read access to API Gateway (including API Shield) for all domains in an account.
Audit Logs ViewerCan view Audit Logs.
Bot Management (Account-wide)Can edit Bot Management (including Super Bot Fight Mode) configurations for all domains in account.
BillingCan edit the account’s billing profile and subscriptions
Cloudflare AccessCan edit Cloudflare Access and Cloudflare Tunnel.
Cache PurgeCan purge the edge cache.
Cloudflare DEXCan edit Cloudflare DEX.
Cloudflare GatewayCan edit Cloudflare Gateway and read Access.
Cloudflare ImagesCan access Cloudflare Images data.
Cloudflare R2 AdminCan edit Cloudflare R2 buckets, objects, and associated configurations.
Cloudflare R2 ReadCan read Cloudflare R2 buckets, objects, and associated configurations.
Cloudflare StreamCan edit Cloudflare Stream media.
Cloudflare Workers AdminCan edit Cloudflare Workers, Pages, Durable Objects, KV and R2. Also provides read access to Zones, Zone Analytics and Page Rules.
Cloudflare Zero TrustCan edit Cloudflare for Zero Trust.
Cloudflare Zero Trust PIICan access Cloudflare for Zero Trust PII.
Cloudflare Zero Trust Read OnlyCan access Cloudflare for Zero Trust read only mode.
Cloudflare Zero Trust ReportingCan access Cloudflare for Zero Trust reporting data.
DNSCan edit DNS records.
Email Configuration AdminGrants write access to all of CES, CASB, DLP, Gateway, and Tunnels, except Mail Preview, Raw Email, on-demand reports, actions on emails, and Submissions, Submission Transparency (Requires Cloudflare Zero Trust PII).
Email Integration AdminGrants write access to CES account integration only, CASB, DLP, Gateway, and Tunnels.
Email Security AnalystGrants write access to all of CES, except Settings which is read only (Requires Cloudflare Zero Trust PII).
Email Security Read OnlyGrants read access to all of CES, but cannot see Raw Email, take action on emails, or make Submissions (Requires Cloudflare Zero Trust PII).
Email Security ReportingGrants read access to CES Home, PhishGuard, and Submission Transparency.
FirewallCan edit WAF, IP Access rules, Zone Lockdown settings, and Cache Rules.
Load BalancerCan edit Load Balancers, Pools, Origins, and Health Checks.
Log ShareCan edit Log Share configuration.
Log Share ReaderCan read Enterprise Log Share.
Magic Network MonitoringCan view and edit MNM configuration.
Magic Network Monitoring AdminCan view, edit, create, and delete MNM configuration.
Magic Network Monitoring Read-OnlyCan view MNM configuration.
Network Services Write (Magic)Grants write access to network configurations for Magic services.
Network Services Read (Magic)Grants read access to network configurations for Magic services.
Minimal Account AccessCan view account, and nothing else.
Page ShieldGrants write access to Page Shield across the whole account.
Page Shield ReadGrants read access to Page Shield across the whole account.
Hyperdrive ReadGrants read access to Hyperdrive database configuration.
Hyperdrive AdminGrants write access to Hyperdrive database configuration.
SSL/TLS, Caching, Performance, Page Rules, and CustomizationCan edit most Cloudflare settings except for DNS and Firewall.
Trust and SafetyCan access trust and safety related services.
TurnstileGrants full access to Turnstile.
Turnstile ReadGrants read access to Turnstile.
Vectorize AdminCan edit Vectorize configurations.
Vectorize Read onlyCan read Vectorize configurations.
Waiting Room AdminCan edit Waiting Room configuration.
Waiting Room ReadCan read Waiting Room configuration.
Zaraz AdminCan edit and publish Zaraz configuration.
Zaraz EditCan edit Zaraz configuration.
Zaraz ReadCan read Zaraz configuration.
Zone Versioning (Account-Wide)Can view and edit Zone Versioning for all domains in account.
Zone Versioning Read (Account-Wide)Can view Zone Versioning for all domains in account.

Domain-scoped roles

Domain-scoped roles apply for a given domain within an account.

RoleDescription
Bot ManagementCan edit Bot Management (including Super Bot Fight Mode) configurations.
Cache Domain PurgeGrants access to purge the edge cache for a specific domain.
Domain AdministratorGrants full access to domains in an account, and read-only access to account-wide Firewall, Access, and Worker resources.
Domain Administrator Read OnlyGrants read-only access to domains in an account, as well as account-wide Firewall, Access, and Worker resources.
Domain API GatewayGrants full access to API Gateway (including API Shield).
Domain API Gateway ReadGrants read access to API Gateway (including API Shield).
Domain DNSGrants access to edit DNS settings for domains in an account.
Domain Page ShieldGrants write access to Page Shield for domains in an account.
Domain Page Shield ReadGrants read access to Page Shield for domains in an account.
Domain Waiting Room AdminCan edit waiting rooms configuration.
Domain Waiting Room ReadCan read waiting rooms configuration.
Zone VersioningGrants full access to Zone Versioning.
Zone Versioning ReadGrants read-only access to Zone Versioning.