Date: 2025-05-29

Roles

Whenever you add a new member to your account, you can assign policies to that member and make use of the available roles. A role can only be assigned within its given scope, and multiple roles can be assigned to a given policy.
Account-scoped roles apply across an entire Cloudflare account, and through all domains in that account.

| Role | Description |
| --- | --- |
| Administrator | Can access the full account and edit subscriptions. Cannot manage memberships nor billing profile. |
| Super Administrator - All Privileges | Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators. |
| Administrator Read Only | Can access the full account in read-only mode. |
| Analytics | Can read Analytics. |
| API Gateway | Grants full access to API Gateway (including API Shield) for all domains in an account. |
| API Gateway Read | Grants read access to API Gateway (including API Shield) for all domains in an account. |
| Audit Logs Viewer | Can view Audit Logs. |
| Bot Management (Account-wide) | Can edit Bot Management (including Super Bot Fight Mode) configurations for all domains in account. |
| Billing | Can edit the account's billing profile and subscriptions. |
| Cloudflare Access | Can edit Cloudflare Access and Cloudflare Tunnel. |
| Cache Purge | Can purge the edge cache and allows the reading of zone settings. |
| Cloudflare DEX | Can edit Cloudflare DEX. |
| Cloudflare Gateway | Can edit Cloudflare Gateway and read Access. |
| Cloudflare Images | Can access Cloudflare Images data. |
| Cloudflare R2 Admin | Can edit Cloudflare R2 buckets, objects, and associated configurations. |
| Cloudflare R2 Read | Can read Cloudflare R2 buckets, objects, and associated configurations. |
| Cloudflare Stream | Can edit Cloudflare Stream media. |
| Cloudflare Workers Admin | Can edit Cloudflare Workers, Pages, Durable Objects, KV and R2. Also provides read access to Zones, Zone Analytics and Page Rules. |
| Cloudflare Zero Trust | Can edit Cloudflare Zero Trust. Grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security. |
| Cloudflare Zero Trust DNS Locations Write | Can view Gateway DNS locations and create and edit secure DNS locations. |
| Cloudflare Zero Trust PII | Can access Cloudflare Zero Trust PII. |
| Cloudflare Zero Trust Read Only | Can access Cloudflare Zero Trust in read-only mode. |
| Cloudflare Zero Trust Reporting | Can access Cloudflare Zero Trust reporting data. |
| DNS | Can edit DNS records. |
| Email Configuration Admin | Grants write access to all of Email Security, CASB, DLP, Gateway, and Tunnels, except Mail Preview, Raw Email, on-demand reports, actions on emails, and Submissions, Submission Transparency (Requires Cloudflare Zero Trust PII). |
| Email Integration Admin | Grants write access to Email Security account integration only, CASB, DLP, Gateway, and Tunnels. |
| Email Security Analyst | Grants write access to all of Email Security, except Settings which is read only (Requires Cloudflare Zero Trust PII). |
| Email Security Read Only | Grants read access to all of Email Security, but cannot see Raw Email, take action on emails, or make Submissions (Requires Cloudflare Zero Trust PII). |
| Email Security Reporting | Grants read access to Email Security Home, PhishGuard, and Submission Transparency. |
| Firewall | Can edit WAF, IP Access rules, Zone Lockdown settings, and Cache Rules. |
| Load Balancer | Can edit Load Balancers, Pools, Origins, and Health Checks. |
| Log Share | Can edit Log Share configuration. |
| Log Share Reader | Can read Enterprise Log Share. |
| Magic Network Monitoring | Can view and edit MNM configuration. |
| Magic Network Monitoring Admin | Can view, edit, create, and delete MNM configuration. |
| Magic Network Monitoring Read-Only | Can view MNM configuration. |
| Network Services Write (Magic) | Grants write access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users. |
| Network Services Read (Magic) | Grants read access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users. |
| Minimal Account Access | Can view account, and nothing else. |
| Page Shield | Grants write access to Page Shield across the whole account. |
| Page Shield Read | Grants read access to Page Shield across the whole account. |
| Hyperdrive Read | Grants read access to Hyperdrive database configuration. |
| Hyperdrive Admin | Grants write access to Hyperdrive database configuration. |
| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for DNS and Firewall. |
| Secrets Store Admin | Can create, edit, duplicate, delete, and view secrets metadata. Can also add a Secrets Store binding to a Worker. |
| Secrets Store Deployer | Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. Can also add a Secrets Store binding to a Worker. |
| Secrets Store Reporter | Can view secrets metadata. Cannot perform any actions (create, edit, duplicate, delete secrets), nor add a Secrets Store binding to a Worker. |
| Security Center Brand Protection | Can access the Brand Protection feature on the API and Cloudflare dashboard. Brand Protection role also gives you access to the Investigate platform. |
| Security Center Cloudforce One Admin | Grants write access to Cloudforce One. |
| Security Center Cloudforce One Read | Grants read access to Cloudforce One, and cannot create and/or edit RFIs or PIRs. |
| Trust and Safety | Can access trust and safety related services. |
| Turnstile | Grants full access to Turnstile. |
| Turnstile Read | Grants read access to Turnstile. |
| Vectorize Admin | Can edit Vectorize configurations. |
| Vectorize Read only | Can read Vectorize configurations. |
| Waiting Room Admin | Can edit Waiting Room configuration. |
| Waiting Room Read | Can read Waiting Room configuration. |
| Zaraz Admin | Can edit and publish Zaraz configuration. |
| Zaraz Edit | Can edit Zaraz configuration. |
| Zaraz Read | Can read Zaraz configuration. |
| Zone Versioning (Account-Wide) | Can view and edit Zone Versioning for all domains in account. |
| Zone Versioning Read (Account-Wide) | Can view Zone Versioning for all domains in account. |

Domain-scoped roles apply for a given domain within an account.

| Role | Description |
| --- | --- |
| Bot Management | Can edit Bot Management (including Super Bot Fight Mode) configurations. |
| Cache Domain Purge | Grants access to purge the edge cache for a specific domain and allows the reading of zone settings. |
| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide Firewall, Access, and Worker resources. |
| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide Firewall, Access, and Worker resources. |
| Domain API Gateway | Grants full access to API Gateway (including API Shield). |
| Domain API Gateway Read | Grants read access to API Gateway (including API Shield). |
| Domain DNS | Grants access to edit DNS settings for domains in an account. |
| Domain Page Shield | Grants write access to Page Shield for domains in an account. |
| Domain Page Shield Read | Grants read access to Page Shield for domains in an account. |
| Domain Waiting Room Admin | Can edit waiting rooms configuration. |
| Domain Waiting Room Read | Can read waiting rooms configuration. |
| Zone Versioning | Grants full access to Zone Versioning. |
| Zone Versioning Read | Grants read-only access to Zone Versioning. |
