Role scopes
Scopes are one of the three constituent parts of a policy that grants access to a user.
To allow flexible combinations of access, Cloudflare currently has account-level scopes, domain scopes, and resource-specific scopes. Each scope is associated with a different set of roles.
Each policy is limited to a single scope, but you can assign multiple policies to a given user.
You can choose the scope of a policy when you add a member.
If you want the member to have a policy that applies across your account, use the following combination of fields.
| Field | Value |
|---|---|
| Operator | Include |
| Type | All domains |
If you want the member to have a policy that applies to a specific domain, use the following combination of fields. When assigning roles to a domain-scoped policy, only domain-scoped roles can be used.
| Field | Value |
|---|---|
| Operator | Include |
| Type | A specific domain |
| Name | A specific domain |
If you have a set of domains that are all categorized similarly (for example, all of your sensitive/production domains, or all domains for a given project or geography), you can pre-assign them to a domain group and then create policies that grant access to all domains within that group.
To create a domain group:
1. In the Cloudflare dashboard, go to the Settings > Lists page. You must be logged in as a Super Administrator and have a verified email address.
2. Go to Configurations. For Domain Group Manager, select Create.
3. Create your domain group:
   - Select the domains to include.
   - Add a Name.
   - Select Create.
You can also edit and delete these groups as needed.
To assign a member permissions to a domain group, use the following combination of fields:
| Field | Value |
|---|---|
| Operator | Include |
| Type | Domain Group |
| Name | Example Group |
If you want the member to have a policy that applies to a specific resource, use the following combination of fields.
| Field | Value |
|---|---|
| Operator | Include |
| Type | Granular |
| Product | Product Name |
| Resource | Specific Resource |
You can assign the following resource-specific scopes to members:
| Scope | Description |
|---|---|
| Individual Access applications | Grant access to manage a specific Access application. |
| Individual Access identity providers (IdPs) | Grant access to manage a specific Cloudflare One identity provider (IdP). |
| Individual Access policies | Grant access to manage a specific Access policy. |
| Individual Access service tokens | Grant access to manage a specific Access service token. |
| Individual Access infrastructure targets | Grant access to manage a specific Access for Infrastructure target. |
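The three scope types above (account-wide, domain or domain group, and granular resource) are what you will want to review when auditing who holds what in an account. The script below is an added example for this page, not Cloudflare's own code: it takes the JSON returned by `GET /accounts/{account_id}/members` and reports how broad each policy's scope is, flagging members with account-wide allow policies first. The field names (`user.email`, `policies[].permission_groups`, `policies[].resource_groups[].scope.objects`), the `com.cloudflare.api.account...` object-key layout, the `*` wildcard for the whole account, and the role names are assumptions based on the public API documentation; check them against a real response before relying on the output. The sample member listing is constructed.

```python
"""Scope audit for Cloudflare account member policies (added example, not
Cloudflare's code). Field names and scope-key layout are assumptions; verify
against a real GET /accounts/{account_id}/members response."""
import json

# Assumed key prefix that identifies one domain (zone) inside a scope object list.
ZONE_PREFIX = "com.cloudflare.api.account.zone."

# Constructed sample listing: one account-wide admin, one member with a
# domain-group policy plus a granular Access-application policy.
SAMPLE_MEMBERS = json.loads(r"""
[
  {"user": {"email": "alice@example.com"},
   "policies": [
     {"access": "allow",
      "permission_groups": [{"id": "pg-admin", "name": "Administrator"}],
      "resource_groups": [
        {"name": "All domains",
         "scope": {"key": "com.cloudflare.api.account.acct-1",
                   "objects": [{"key": "*"}]}}]}]},
  {"user": {"email": "bob@example.com"},
   "policies": [
     {"access": "allow",
      "permission_groups": [{"id": "pg-dom", "name": "Domain Administrator"}],
      "resource_groups": [
        {"name": "Production group",
         "scope": {"key": "com.cloudflare.api.account.acct-1",
                   "objects": [
                     {"key": "com.cloudflare.api.account.zone.zone-prod-1"},
                     {"key": "com.cloudflare.api.account.zone.zone-prod-2"}]}}]},
     {"access": "allow",
      "permission_groups": [{"id": "pg-app", "name": "Hypothetical Access app role"}],
      "resource_groups": [
        {"name": "One Access application",
         "scope": {"key": "com.cloudflare.api.account.acct-1",
                   "objects": [
                     {"key": "com.cloudflare.api.account.zerotrust.access.app.app-42"}]}}]}]}
]
""")


def classify_resource_group(rg):
    """Map one resource group onto the page's scope types: account, domain, granular."""
    keys = [o.get("key", "") for o in rg.get("scope", {}).get("objects", [])]
    if not keys or "*" in keys:          # wildcard (assumed) = whole account
        return "account"
    if all(k.startswith(ZONE_PREFIX) for k in keys):
        return "domain"                  # one zone, or several = a domain group
    return "granular"


def classify_policy(policy):
    """A policy should carry exactly one scope; anything else is worth a look."""
    kinds = {classify_resource_group(rg) for rg in policy.get("resource_groups", [])}
    if len(kinds) == 1:
        return kinds.pop()
    return "mixed" if kinds else "unscoped"


def audit(members):
    """One finding per policy: who, which roles, how wide, and on which objects."""
    findings = []
    for member in members:
        for policy in member.get("policies", []):
            objects = [o["key"]
                       for rg in policy.get("resource_groups", [])
                       for o in rg.get("scope", {}).get("objects", [])]
            findings.append({
                "email": member["user"]["email"],
                "access": policy.get("access"),
                "roles": [pg["name"] for pg in policy.get("permission_groups", [])],
                "scope": classify_policy(policy),
                "objects": objects,
            })
    return findings


def account_wide_members(members):
    """Emails holding at least one account-wide allow policy: review these first."""
    return sorted({f["email"] for f in audit(members)
                   if f["scope"] == "account" and f["access"] == "allow"})


if __name__ == "__main__":
    for f in audit(SAMPLE_MEMBERS):
        print(f"{f['email']:<20} {f['scope']:<9} {', '.join(f['roles'])} "
              f"-> {len(f['objects'])} object(s)")
    print("account-wide:", account_wide_members(SAMPLE_MEMBERS))
```

A policy classified as `mixed` is one whose resource groups disagree on scope type; the page states each policy is limited to a single scope, so a mixed result usually means the response shape differs from what this script assumes and the classifier needs adjusting.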