Role scopes
Scopes are one of three constituent parts of a policy that allows granting of access to users.
To allow for flexible combinations of access to users, Cloudflare currently has two types of scopes (Account and Domain), with different sets of roles for each scope.
Each policy has a limitation of a single scope, but you can assign multiple policies to a given user.
You can choose the scope of a policy when you add a member.
If you want the member to have a policy that applies across your account, use the following combination of fields.
| Field | Value |
|---|---|
| Operator | Include |
| Type | All domains |
If you want the member to have a policy that applies to a specific domain, use the following combination of fields. When applying these roles to this policy, only domain-scoped roles can be used.
| Field | Value |
|---|---|
| Operator | Include |
| Type | A specific domain |
| Name | A specific domain |
If you have a set of domains that are all categorized similarly (e.g. all of your sensitive/production domains, all domains around a given project or geography), you can pre-assign them into a domain group and then create policies that provide access to all domains within this group.
To create a domain group:
-
Log in to the Cloudflare dashboard ↗ and select your account (you must be logged in as a Super Administrator and have a verified email address).
-
Go to Manage Account > Configurations > Lists.
-
For Domain Group Manager, select Create.
-
Create your domain group:
- Select the domains to include.
- Add a Name.
- Select Create.
You can also edit and delete these groups as needed.
To assign a member permissions to a domain group, use the following combination of fields:
| Field | Value |
|---|---|
| Operator | Include |
| Type | Domain Group |
| Name | Example Group |