You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx
+10-3Lines changed: 10 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@ sidebar:
9
9
Only available on Enterprise plans. For more information, contact your account team.
10
10
:::
11
11
12
-
Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or account level.
12
+
Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level.
13
13
14
14
The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post.
15
15
@@ -25,7 +25,14 @@ The Gateway Tenant platform supports tiered and siloed account configurations.
25
25
26
26
### Tiered accounts
27
27
28
-
In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still managed by the parent account.
28
+
In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including:
29
+
30
+
- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/)
31
+
- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/)
Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/).
29
36
30
37
Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`.
31
38
@@ -61,7 +68,7 @@ flowchart TD
61
68
62
69
### Siloed accounts
63
70
64
-
In a siloed account configuration, each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately.
71
+
In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately.
0 commit comments