[WAF] Filter/hide API permissions (#23559)

Author: pedrosousa

src/content/docs/waf/account/custom-rulesets/create-api.mdx

@@ -48,6 +48,7 @@ The following example creates a custom ruleset with a single rule in the `rules`
 		],
 		phase: "http_request_firewall_custom",
 	}}
+	roles="account"
 />
 
 Save the ruleset ID in the response for the next step.
@@ -67,6 +68,7 @@ To deploy the custom ruleset, add a rule with `"action": "execute"` to the `http
     	parameters={{
     		ruleset_phase: "http_request_firewall_custom",
     	}}
+    	roles="account"
     />
 
     ```json output {4}
@@ -110,6 +112,7 @@ To deploy the custom ruleset, add a rule with `"action": "execute"` to the `http
     		},
     		enabled: true,
     	}}
+    	roles="account"
     />
 
     :::caution
@@ -142,6 +145,7 @@ To deploy the custom ruleset, add a rule with `"action": "execute"` to the `http
     		],
     		phase: "http_request_firewall_custom",
     	}}
+    	roles="account"
     />
 
 ## Next steps

src/content/docs/waf/account/managed-rulesets/index.mdx

@@ -33,15 +33,13 @@ The second rule logs any matches for PL4 rules, the most strict set of rules in
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
 1. Deploy the Cloudflare OWASP Core Ruleset by following the [dashboard instructions](/waf/account/managed-rulesets/deploy-dashboard/#deploy-a-managed-ruleset), customizing the ruleset behavior using these settings:
-
    - **OWASP Anomaly Score Threshold**: _Medium - 40 and higher_
    - **OWASP Paranoia Level**: _PL3_
    - **OWASP Action**: _Managed Challenge_
 
 2. Select **Deploy**.
 
 3. Repeat the deployment procedure for the OWASP ruleset, but with following ruleset configuration:
-
    - **OWASP Anomaly Score Threshold**: _Medium - 40 and higher_
    - **OWASP Paranoia Level**: _PL4_
    - **OWASP Action**: _Log_
@@ -102,6 +100,7 @@ The following `POST` request for the [Create an account ruleset](/api/resources/
 			},
 		],
 	}}
+	roles="account"
 />
 
 </TabItem> </Tabs>

src/content/docs/waf/account/rate-limiting-rulesets/create-api.mdx

@@ -64,6 +64,7 @@ The following example creates a rate limiting ruleset with a single rate limitin
 		],
 		phase: "http_ratelimit",
 	}}
+	roles="account"
 />
 
 The available characteristics depend on your Cloudflare plan and product subscriptions. Refer to [Availability](/waf/rate-limiting-rules/#availability) for more information.
@@ -85,6 +86,7 @@ To deploy the rate limiting ruleset, add a rule with `"action": "execute"` to th
     	parameters={{
     		ruleset_phase: "http_ratelimit",
     	}}
+    	roles="account"
     />
 
     ```json output {4}
@@ -129,6 +131,7 @@ To deploy the rate limiting ruleset, add a rule with `"action": "execute"` to th
     		},
     		enabled: true,
     	}}
+    	roles="account"
     />
 
     <Render file="account-enterprise-zones-only-api" />
@@ -159,6 +162,7 @@ To deploy the rate limiting ruleset, add a rule with `"action": "execute"` to th
     		],
     		phase: "http_ratelimit",
     	}}
+    	roles="account"
     />
 
 For examples of rate limiting rule definitions for the API, refer to the [zone-level API documentation](/waf/rate-limiting-rules/create-api/).

src/content/docs/waf/custom-rules/create-api.mdx

@@ -44,6 +44,7 @@ The new rule, which will be the last rule in the ruleset, will challenge request
 			'(ip.src.country eq "GB" or ip.src.country eq "FR") and cf.waf.score lt 20',
 		action: "challenge",
 	}}
+	roles={false}
 />
 
 <Render file="api-create-ruleset-with-rule" />
@@ -70,6 +71,7 @@ The new rule, which will be the last rule in the ruleset, includes the definitio
 			},
 		},
 	}}
+	roles={false}
 />
 
 <Render file="api-create-ruleset-with-rule" />

src/content/docs/waf/custom-rules/skip/api-examples.mdx

@@ -41,6 +41,7 @@ This example invokes the [Create a zone ruleset rule](/api/resources/rulesets/su
 		expression: 'http.request.uri.path contains "/skip-current-ruleset/"',
 		description: "",
 	}}
+	roles={false}
 />
 
 ## Skip a phase
@@ -58,6 +59,7 @@ This example invokes the [Create a zone ruleset rule](/api/resources/rulesets/su
 		expression: 'http.request.uri.path contains "/skip-phase/"',
 		description: "",
 	}}
+	roles={false}
 />
 
 Refer to [Available skip options](/waf/custom-rules/skip/options/) for the list of phases you can skip.
@@ -83,6 +85,7 @@ This example invokes the [Create a zone ruleset rule](/api/resources/rulesets/su
 		expression: 'http.request.uri.path contains "/disable-logging/"',
 		description: "",
 	}}
+	roles={false}
 />
 
 Refer to [Available skip options: Logging](/waf/custom-rules/skip/options/#logging) for more information on disabling logging for requests that match a skip rule.
@@ -102,6 +105,7 @@ This example uses the [Create a zone ruleset rule](/api/resources/rulesets/subre
 		expression: 'http.request.uri.path contains "/skip-products/"',
 		description: "",
 	}}
+	roles={false}
 />
 
 Refer to [Available skip options](/waf/custom-rules/skip/options/) for the list of products you can skip.

src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx

@@ -75,6 +75,7 @@ This `POST` request example creates a new custom ruleset with a rule that checks
 		],
 		phase: "http_request_firewall_custom",
 	}}
+	roles="account"
 />
 
 The response returns the created ruleset. Note the presence of the `exposed_credential_check` object on the rule definition.
@@ -153,6 +154,7 @@ This `POST` request example creates a new custom ruleset with a rule that checks
 		],
 		phase: "http_request_firewall_custom",
 	}}
+	roles="account"
 />
 
 The response returns the created ruleset. Note the presence of the following elements in the rule definition:

src/content/docs/waf/managed-rules/payload-logging/configure-api.mdx

@@ -16,7 +16,6 @@ Use the [Rulesets API](/ruleset-engine/rulesets-api/) to configure payload loggi
 ## Configure and enable payload logging
 
 1. Use the [Get a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/get/) operation to obtain the following IDs:
-
    - The ID of the [entry point ruleset](/ruleset-engine/about/rulesets/#entry-point-ruleset) of the `http_request_firewall_managed` [phase](/ruleset-engine/about/phases/).
    - The ID of the `execute` rule deploying the WAF managed ruleset, for which you want to configure payload logging.
 
@@ -48,14 +47,15 @@ To configure payload logging for a managed ruleset deployed at the account level
 
 This example configures payload logging for the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/), which is already deployed for a zone with ID `$ZONE_ID`.
 
-1. Invoke the [Get a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/get/) operation (a `GET` request) to obtain the rules currently configured in the entry point ruleset of the `http_request_firewall_managed` phase.
+1. Invoke the [Get a zone entry point ruleset](/api/resources/rulesets/subresources/phases/methods/get/) operation to obtain the rules currently configured in the entry point ruleset of the `http_request_firewall_managed` phase.
 
    <APIRequest
    	path="/zones/{zone_id}/rulesets/phases/{ruleset_phase}/entrypoint"
    	method="GET"
    	parameters={{
    		ruleset_phase: "http_request_firewall_managed",
    	}}
+   	roles={false}
    />
 
    ```json output {3,12,20}
@@ -94,7 +94,6 @@ This example configures payload logging for the [Cloudflare Managed Ruleset](/wa
    ```
 
 2. Save the following IDs for the next step:
-
    - The ID of the entry point ruleset: `060013b1eeb14c93b0dcd896537e0d2c`
    - The ID of the `execute` rule deploying the Cloudflare Managed Ruleset: `1bdb49371c1f46958fc8b985efcb79e7`
 
@@ -105,7 +104,7 @@ This example configures payload logging for the [Cloudflare Managed Ruleset](/wa
    To get the IDs of existing WAF managed rulesets, refer to [WAF Managed Rules](/waf/managed-rules/#available-managed-rulesets) or use the [List account rulesets](/api/resources/rulesets/methods/list/) operation.
    :::
 
-3. Invoke the [Update a zone ruleset rule](/api/resources/rulesets/methods/update/) operation (a `PATCH` request) to update the configuration of the rule you identified. The rule will now include the payload logging configuration (`matched_data` object).
+3. Invoke the [Update a zone ruleset rule](/api/resources/rulesets/methods/update/) operation to update the configuration of the rule you identified. The rule will now include the payload logging configuration (`matched_data` object).
 
    <APIRequest
    	path="/zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}"
@@ -124,6 +123,10 @@ This example configures payload logging for the [Cloudflare Managed Ruleset](/wa
    		},
    		expression: "true",
    	}}
+   	code={{
+   		mark: [8, 9, 10],
+   	}}
+   	roles={false}
    />
 
    The response will include the complete ruleset after updating the rule.
@@ -136,11 +139,11 @@ For more information on deploying managed rulesets via API, refer to [Deploy a m
 
 To disable payload logging for a managed ruleset:
 
-1. Use the [Update a zone ruleset rule](/api/resources/rulesets/methods/update/) operation (a `PATCH` request) to update the rule deploying the managed ruleset (an `execute` rule).
+1. Use the [Update a zone ruleset rule](/api/resources/rulesets/methods/update/) operation to update the rule deploying the managed ruleset (a rule with `"action": "execute"`).
 
 2. Modify the rule definition so that there is no `matched_data` object in `action_parameters`.
 
-For example, the following `PATCH` request updates rule with ID `$RULE_ID` deploying the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) so that payload logging is disabled:
+For example, the following `PATCH` request updates the rule with ID `$RULE_ID` deploying the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) so that payload logging is disabled:
 
 <APIRequest
 	path="/zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}"
@@ -152,6 +155,7 @@ For example, the following `PATCH` request updates rule with ID `$RULE_ID` deplo
 		},
 		expression: "true",
 	}}
+	roles={false}
 />
 
 For details on obtaining the entry point ruleset ID and the ID of the rule to update, refer to [Configure and enable payload logging](/waf/managed-rules/payload-logging/configure-api/#configure-and-enable-payload-logging).

src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx

@@ -67,6 +67,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to
     	parameters={{
     		ruleset_phase: "http_request_firewall_managed",
     	}}
+    	roles={false}
     />
 
     ```json output {4}
@@ -111,6 +112,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to
     		description:
     			"Execute the Cloudflare Exposed Credentials Check Managed Ruleset",
     	}}
+    	roles={false}
     />
 
     ```json output
@@ -176,6 +178,7 @@ This example deploys the Cloudflare Exposed Credentials Check Managed Ruleset to
     			},
     		],
     	}}
+    	roles={false}
     />
 
 <Render

src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/configure-api.mdx

@@ -36,7 +36,11 @@ This example sets the Cloudflare OWASP Core Ruleset's paranoia level for a zone
 
 1.  Get the ID of the Cloudflare OWASP Core Ruleset using the [List account rulesets](/api/resources/rulesets/methods/list/) method, since WAF's managed rulesets exist at the account level. Alternatively, use the following ruleset ID directly: <RuleID id="4814384a9e5d4991b9815dcfc25d2f1f" />.
 
-    <APIRequest path="/accounts/{account_id}/rulesets" method="GET" />
+    <APIRequest
+    	path="/accounts/{account_id}/rulesets"
+    	method="GET"
+    	roles={false}
+    />
 
     ```json output {4-5}
     {
@@ -67,6 +71,7 @@ This example sets the Cloudflare OWASP Core Ruleset's paranoia level for a zone
     	parameters={{
     		ruleset_phase: "http_request_firewall_managed",
     	}}
+    	roles={false}
     />
 
     ```json output {3,12,14-16}
@@ -133,6 +138,7 @@ This example sets the Cloudflare OWASP Core Ruleset's paranoia level for a zone
     		expression: "true",
     		enabled: true,
     	}}
+    	roles={false}
     />
 
 For more information on creating overrides, refer to [Override a managed ruleset](/ruleset-engine/managed-rulesets/override-managed-ruleset/).
@@ -150,7 +156,11 @@ This example configures the managed ruleset score threshold and the performed ac
 
 1. Get the ID of the Cloudflare OWASP Core Ruleset using the [List account rulesets](/api/resources/rulesets/methods/list/) method, since WAF's managed rulesets exist at the account level. Alternatively, use the following ruleset ID directly: <RuleID id="4814384a9e5d4991b9815dcfc25d2f1f" />.
 
-   <APIRequest path="/accounts/{account_id}/rulesets" method="GET" />
+   <APIRequest
+   	path="/accounts/{account_id}/rulesets"
+   	method="GET"
+   	roles={false}
+   />
 
    ```json output {4-5}
    {
@@ -179,6 +189,7 @@ This example configures the managed ruleset score threshold and the performed ac
    	path="/accounts/{account_id}/rulesets/{ruleset_id}"
    	method="GET"
    	parameters={{ ruleset_id: "$OWASP_RULESET_ID" }}
+   	roles={false}
    />
 
    ```json output {12,16}
@@ -220,6 +231,7 @@ This example configures the managed ruleset score threshold and the performed ac
    	parameters={{
    		ruleset_phase: "http_request_firewall_managed",
    	}}
+   	roles={false}
    />
 
    ```json output {3,12,14-16}
@@ -258,7 +270,6 @@ This example configures the managed ruleset score threshold and the performed ac
    ```
 
 4. Update the rule you identified in the entry point ruleset using the [Update a zone ruleset rule](/api/resources/rulesets/methods/update/) operation, adding a rule override for the last rule in the OWASP ruleset (identified in step 2) with the following properties and values:
-
    - `"score_threshold": 60`
    - `"action": "managed_challenge"`
 
@@ -286,6 +297,7 @@ This example configures the managed ruleset score threshold and the performed ac
    		expression: "true",
    		enabled: true,
    	}}
+   	roles={false}
    />
 
 ## More resources

src/content/docs/waf/managed-rules/reference/sensitive-data-detection.mdx

@@ -81,6 +81,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to
     	parameters={{
     		ruleset_phase: "http_response_firewall_managed",
     	}}
+    	roles={false}
     />
 
     ```json output {4}
@@ -124,6 +125,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to
     		description:
     			"Execute the Cloudflare Sensitive Data Detection managed ruleset",
     	}}
+    	roles={false}
     />
 
     ```json output
@@ -189,6 +191,7 @@ This example deploys the Cloudflare Sensitive Data Detection managed ruleset to
     			},
     		],
     	}}
+    	roles={false}
     />
 
 <Render