src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx
Lines changed: 53 additions & 5 deletions
@@ -9,17 +9,17 @@ sidebar:
9
9
Only available on Enterprise plans. For more information, contact your account team.
10
10
:::
11
11
12
-
Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies.
12
+
Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an Organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies.
13
13
14
14
Managed service providers (MSPs) that are Cloudflare Partners can use tiered or siloed Gateway accounts with the Tenant API. For more information, refer to [Managed service providers (MSPs)](/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers/).
15
15
16
16
## Get started
17
17
18
-
To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
18
+
To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your Organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/).
19
19
20
20
## Account types
21
21
22
-
Accounts in organizations include source accounts and recipient accounts.
22
+
Zero Trust accounts in Cloudflare Organizations include source accounts and recipient accounts.
23
23
24
24
In a tiered policy configuration, a top-level source account can share Gateway policies with its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure other settings for recipient accounts independently from the source account, including:
25
25
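Review bot: In the rewritten opening sentence, "share configurations between and apply specific policies to accounts within an Organization" leaves "between" hanging, so the sentence can be read as sharing configurations between policies rather than between accounts. Suggest "share configurations between accounts and apply specific policies to accounts within an Organization". The capitalization change itself is consistent with "Organization owners" in the unchanged Account types paragraph.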
@@ -28,7 +28,7 @@ In a tiered policy configuration, a top-level source account can share Gateway p
Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
31
+
Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an Organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
32
32
33
33
Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately.
34
34
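Review bot: The paragraph after the changed root CA line says Logpush jobs "must be configured separately" without saying separately from what. The same paragraph states that logs are contained to each recipient account and viewed on a per-account basis, so if the intent is one Logpush job per recipient account, say so explicitly, for example "must be configured separately for each recipient account". While touching this block, "contained to that recipient account" would read better as "contained within that recipient account".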
@@ -82,4 +82,52 @@ flowchart TD
82
82
Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks.
83
83
:::
84
84
85
-
## Share policy
85
+
## Manage policies
86
+
87
+
You can make changes to your tiered policies in the source account for your Cloudflare Organization.
88
+
89
+
### Share policy
90
+
91
+
To share a Gateway policy from a source account to a recipient account:
92
+
93
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
94
+
2. Choose the policy type you want to share. If you want to share a resolver policy, go to **Gateway** > **Resolver policies**.
95
+
3. Find the policy you want to share from the list.
96
+
4. In the three-dot menu, select **Share**.
97
+
5. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all of the recipient accounts in your Organization, choose _Select all accounts in org_.
98
+
6. Select **Continue**, then select **Share**.
99
+
100
+
{/* TODO: Find actual time estimate. */}
101
+
102
+
A sharing icon will appear next to the policy's name. After a few minutes, the policy will appear in the recipient accounts' Gateway policies. Shared policies will appear grayed out in the recipient account's list of Gateway policies.
103
+
104
+
If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable.
105
+
106
+
### Edit share recipients
107
+
108
+
To change or remove recipients for a Gateway policy:
109
+
110
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
111
+
2. Choose the policy type you want to edit. If you want to edit a resolver policy, go to **Gateway** > **Resolver policies**.
112
+
3. Find the policy you want to edit from the list.
113
+
4. In the three-dot menu, select **Edit shared configuration recipients**.
114
+
5. In **Select account**, choose the accounts you want to share the policy with. To remove a recipient, select **Remove** next to the recipient account's name.
115
+
6. Select **Continue**, then select **Save**.
116
+
117
+
After a few minutes, the policy sharing will update across the configured recipient accounts.
118
+
119
+
### Remove policy share
120
+
121
+
To stop sharing a policy with all recipient accounts:
122
+
123
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
124
+
2. Choose the policy type you want to remove. If you want to remove a resolver policy, go to **Gateway** > **Resolver policies**.
125
+
3. Find the policy you want to remove from the list.
126
+
4. In the three-dot menu, select **Unshare**.
127
+
5. Select **Unshare**.
128
+
129
+
After a few minutes, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account.
130
+
131
+
### Edit shared policy
132
+
133
+
When you edit or delete a shared policy in a source account, Gateway will require confirmation before making any changes. Changes made to shared policies will apply to all recipient accounts. Deleting a shared policy will delete the policy from both the source account and all recipient accounts.
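Review bot: The failure sentence after the Share policy steps says Gateway retries "unless the error is unrecoverable" but does not say how a source account admin learns that a share failed or which recipient accounts are still missing the policy. Because the page states that source account policies are evaluated first and cannot be bypassed by recipients, a silently unshared policy is a coverage gap, so the section should state where the failure is surfaced and what to do next. Two smaller points: the `{/* TODO: Find actual time estimate. */}` comment should be resolved before merge, since "After a few minutes" is repeated in three sections, and steps 2 and 3 under "Remove policy share" say "the policy you want to remove" although the action is **Unshare** and the policy stays in the source account, which is easy to confuse with the delete described under "Edit shared policy" that removes the policy from all recipient accounts.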