src/content/docs/fundamentals/manage-members/policies.mdx
15 additions & 1 deletion
@@ -15,7 +15,7 @@ Policies define what access a given user has to your account or domains, and are
15
15
2. A `ResourceGroup` (a scope).
16
16
3. A `PermissionGroup` (roles).
17
17
18
-
An account member can have one or several of these policies to represent the most appropriate access.
18
+
An account member can have one or several of these policies to represent the most appropriate access. A member’s effective permissions are the union of all policies assigned to them—whether directly, or through group membership.
19
19
20
20
To increase the usability and flexibility of Cloudflare's role system, changes to the API have been made to expose these underlying data principles and allow users to interact with them.
21
21
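Review bot: the sentence added on new line 18 should spell out what "union" means for someone reviewing access: a policy attached through a group can only add permissions, a narrower directly assigned policy does not restrict it, and a member's access is therefore at least as broad as any single policy they hold by any path. Wording: "assigned to them—whether directly, or through group membership" has a stray comma after "directly"; "assigned to them, whether directly or through group membership" reads cleanly. Since this is the first mention of group membership in this file, linking [User Groups](/fundamentals/manage-members/user-groups/) here, as the next hunk does, would point readers to where inherited policies are managed.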
@@ -29,3 +29,17 @@ A set of standard API endpoints is present on every account that allow access to
29
29
* A `permissionGroup` is a unique identifier for the set of roles that are assigned to a given policy.
30
30
31
31
Refer to the [API documentation](/api/) for more information.
32
+
33
+
## Viewing Effective Permissions
34
+
35
+
Cloudflare supports assigning permissions to members both directly and through [User Groups](/fundamentals/manage-members/user-groups/). A member’s effective permissions are additive; they represent the union of all permissions granted directly to a member and those inherited through a member's group membership.
36
+
37
+
:::note
38
+
To understand a member’s full access, check both the **Members** and **User Groups** views:
39
+
40
+
- The **Members** view shows only the permissions explicitly assigned to the user.
41
+
- Permissions inherited through [User Groups](/fundamentals/manage-members/user-groups/) are not shown on the Members page. To see these, go to the Groups tab, find the groups the user belongs to, and review the policies assigned to each group.
42
+
43
+
Cloudflare is actively working on improvements to consolidate this view in a future update.
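Review bot: the `:::note` opened on new line 37 has no closing `:::` in the lines shown, and the hunk header counts 17 new lines while only 15 appear here, so please confirm the fence is closed on one of the missing lines; otherwise everything after it renders inside the note. Heading style: the existing headings on these pages use sentence case with an imperative verb ("Create a User Group manually"), so "## View effective permissions" would match better than "## Viewing Effective Permissions". The note also alternates between "**User Groups** views" (line 38) and "the Groups tab" (line 41); use one name for the dashboard location so a reader checking a member's access knows which tab to open. Finally, new line 35 repeats the additive/union sentence added to line 18 in the previous hunk; trimming one of the two avoids the definition drifting later.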
User Groups are a collection of [account members](/fundamentals/manage-members/) that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group receiving all permissions of the roles assigned to the User Group.
13
13
14
14
:::note
15
-
If you use the [Cloudflare dashboard SCIM integration](/fundamentals/account/account-security/scim-setup/), you can sync Groups from an upstream Identity Provider via SCIM. This allows you to centralize user and group management at your identity provider.
15
+
User Group permissions are inherited by each member of the group but are not currently reflected in the role field on the **Members** page. To view a member’s full set of permissions, check both:
16
16
17
-
Additionally, when you manage User Groups with SCIM, you cannot change the name, members, or delete a group through either the Cloudflare dashboard or API.
17
+
- The **Members** page for any directly assigned policies
18
+
- The **Groups** tab to identify which groups the member belongs to, and the policies applied to those groups
19
+
20
+
Cloudflare is actively working on improving this experience to make inherited and direct permissions easier to view.
18
21
:::
19
22
20
23
## Create a User Group manually
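Review bot: the replacement note (new lines 15-20) says inherited permissions are not reflected in the role field on the **Members** page, which is where an administrator reviewing someone's access looks first; lead the note with that consequence (the Members page can understate a member's access) before the two-step check. The second bullet names "The **Groups** tab" while the linked page is titled User Groups; use one name, consistently with the note added to policies.mdx in this same change. That note and this one now say the same thing in different words, so consider a single shared snippet to keep them from diverging when the consolidated view ships. Minor: end both bullets with a period, as the bullets in the policies.mdx note do.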
@@ -80,10 +83,17 @@ PAYLOAD
80
83
81
84
Customers with the SCIM integration configured can sync User Groups from an upstream identity provider to Cloudflare. Cloudflare's SCIM integration requires one external application per account.
82
85
86
+
83
87
:::note
84
-
Cloudflare's SCIM integration requires one external application per account.
88
+
If you use the [Cloudflare dashboard SCIM integration](/fundamentals/account/account-security/scim-setup/), you can sync Groups from an upstream Identity Provider. This allows you to centralize user and group management at your identity provider.
89
+
90
+
Note that when managing User Groups via SCIM:
91
+
- You cannot change the name, members, or delete the group manually from the Cloudflare dashboard or API.
92
+
- The integration requires one external SCIM application per Cloudflare account.
93
+
- Cloudflare does not currently support updating user profile fields (`firstName`, `lastName`, or `email`) via SCIM. If those attributes change in your IdP, they will not be updated in Cloudflare. These values are only set during initial provisioning.
85
94
:::
86
95
96
+
87
97
To set up a user group with SCIM, refer to the [Provisioning with SCIM guide](/fundamentals/account/account-security/scim-setup/).
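Review bot: the bullet on new line 92 ("The integration requires one external SCIM application per Cloudflare account") repeats the sentence that remains in the paragraph on line 84 ("Cloudflare's SCIM integration requires one external application per account"); the hunk removes the old note's copy but leaves the paragraph's, so drop one of the two. The bullet on line 91 has a parallelism problem: "change the name, members, or delete the group" should read "change the group's name or membership, or delete the group". "Note that when managing User Groups via SCIM:" sits inside a `:::note`, so "When managing User Groups via SCIM:" is enough. On line 93, since `email` is only set at initial provisioning, it would help to say what an administrator should do when a user's address changes at the IdP; as written the reader is left with a known-stale value and no remedy.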