Granular permissions
You can scope Cloudflare member permissions to individual Cloudflare Tunnel instances instead of granting account-wide access. This lets you delegate management of specific Tunnels — for example, letting an application team manage one Tunnel for its service without exposing every Tunnel in the account.
Granular permissions are a parallel layer to account-level roles — they do not replace them. Members who already hold an account-level role like Cloudflare Access retain write access to every Tunnel in the account.
For any API request on a specific Cloudflare Tunnel, access is granted if the principal has either:
- An account-level role that covers Tunnels (for example, Cloudflare Access), or
- A resource-scoped role bound to that specific Tunnel.
Listing endpoints (GET /accounts/{id}/cfd_tunnel, GET /accounts/{id}/teamnet/routes) return only the Tunnels and routes the principal has at least read access to.
Granular permissions are assigned through the standard member management flow.
- In the Cloudflare dashboard, go to Manage Account > Members and select Invite Members, or open an existing member to edit their permissions.
- Add a permission policy and choose a resource-scoped role that targets Cloudflare Tunnel instances.
- In the Scope section, choose Specific resources.
- Set Resource type to Cloudflare Tunnel instances.
- Select one or more specific Tunnels from the resource picker.
- Save the policy.
You can attach multiple granular policies to the same member to cover different Tunnels with different roles.
Listing endpoints are authorization-aware. When a principal calls a listing endpoint, the response is filtered to the Tunnels and routes they have at least read access to.
| Endpoint | Method | Returns |
|---|---|---|
| /accounts/{account_id}/cfd_tunnel | GET | Cloudflare Tunnel instances the principal can read or manage. |
| /accounts/{account_id}/teamnet/routes | GET | Routes attached to Tunnels the principal can read or manage. |
Members with an account-level role that covers Tunnels continue to see all Tunnels in the account.
- Existing account-level roles and API tokens continue to function as before.
- Existing automation that authenticates with an account-level token (for example, Terraform pipelines using a Cloudflare Access token) is unaffected.
- Granular permissions are opt-in. Granting one to a member adds capability; it never removes capability that the member already has from an account-level role.
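The decision rule above (account-level role OR resource-scoped role bound to the Tunnel), the filtered listing endpoints, and the additive, opt-in nature of granular policies can be checked against a small model. The following is an added example, not Cloudflare's code: the real evaluation happens inside the Cloudflare API, the resource-scoped role names (`tunnel-read`, `tunnel-write`) are placeholders since the page does not name them, and the Tunnels, routes and members are constructed sample data.

```python
"""Toy model of Cloudflare Tunnel authorization with granular permissions.

Added example, not Cloudflare's code. Role names marked "placeholder" are
assumptions; only "Cloudflare Access" is the account-level role named on the page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


# Account-level roles apply to every Tunnel in the account.
ACCOUNT_ROLES = {"Cloudflare Access": Level.WRITE}
# Resource-scoped roles apply only to the Tunnels bound to the policy (placeholder names).
SCOPED_ROLES = {"tunnel-read": Level.READ, "tunnel-write": Level.WRITE}


@dataclass
class Policy:
    role: str
    tunnel_ids: Optional[frozenset] = None  # None means account-wide scope


@dataclass
class Member:
    name: str
    policies: list = field(default_factory=list)


@dataclass(frozen=True)
class Tunnel:
    id: str
    name: str


@dataclass(frozen=True)
class Route:
    network: str
    tunnel_id: str


def effective_level(member: Member, tunnel_id: str) -> Level:
    """Highest level any policy grants on this Tunnel; policies only ever add."""
    level = Level.NONE
    for p in member.policies:
        if p.tunnel_ids is None:
            granted = ACCOUNT_ROLES.get(p.role, Level.NONE)
        elif tunnel_id in p.tunnel_ids:
            granted = SCOPED_ROLES.get(p.role, Level.NONE)
        else:
            granted = Level.NONE
        level = max(level, granted)
    return level


def authorize(member: Member, action: str, tunnel_id: str) -> bool:
    """Single-Tunnel request: allowed if an account-level role covers Tunnels
    or a resource-scoped role is bound to this specific Tunnel."""
    needed = Level.READ if action == "read" else Level.WRITE
    return effective_level(member, tunnel_id) >= needed


def list_tunnels(member: Member, tunnels: list) -> list:
    """GET /accounts/{id}/cfd_tunnel: only Tunnels with at least read access."""
    return [t for t in tunnels if effective_level(member, t.id) >= Level.READ]


def list_routes(member: Member, routes: list) -> list:
    """GET /accounts/{id}/teamnet/routes: only routes on readable Tunnels."""
    return [r for r in routes if effective_level(member, r.tunnel_id) >= Level.READ]


# Constructed sample data.
TUNNELS = [Tunnel("t-app", "app-prod"), Tunnel("t-db", "db-prod"), Tunnel("t-ci", "ci")]
ROUTES = [Route("10.0.1.0/24", "t-app"), Route("10.0.2.0/24", "t-db"), Route("10.0.3.0/24", "t-ci")]

ADMIN = Member("admin", [Policy("Cloudflare Access")])
APP_TEAM = Member("app-team", [Policy("tunnel-write", frozenset({"t-app"}))])
AUDITOR = Member("auditor", [Policy("tunnel-read", frozenset({"t-app", "t-db"}))])
# Account-level role plus a narrower scoped policy: the scoped grant never subtracts.
OPS = Member("ops", [Policy("Cloudflare Access"), Policy("tunnel-read", frozenset({"t-app"}))])


if __name__ == "__main__":
    for m in (ADMIN, APP_TEAM, AUDITOR, OPS):
        print(m.name, [t.id for t in list_tunnels(m, TUNNELS)], len(list_routes(m, ROUTES)))
```

The listing functions reuse the same `effective_level` check as the single-resource authorization, which is the property that matters operationally: a member cannot discover a Tunnel through the list endpoint that they could not read directly.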
- Roles reference — the full list of Cloudflare roles, including resource-scoped roles for Cloudflare Tunnel instances.
- Manage account members — the member invite and edit flow.
- Granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One — the same RBAC capability applied to Cloudflare Mesh nodes alongside Tunnels.