update tunnel permissions (#18739)

ranbel · web-flow · commit eccaa1509311 · 2024-12-17T17:49:59.000-05:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx
@@ -6,6 +6,8 @@ sidebar:
 
 ---
 
+import { Render } from "~/components";
+
 Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:
 
 * **An account certificate** (`cert.pem`) is issued for a Cloudflare account when you login to `cloudflared`.  Make sure you are intentional about the locations and machines you store this certificate on, as this certificate allows users to create, delete, and manage all tunnels for the account.
@@ -26,8 +28,10 @@ Refer to the table below for a comparison between the two files and the purposes
 | **Valid for**           | At least 10 years, and the service token it contains is valid until revoked                                                      | Does not expire                                                                                                                  |
 | **Needed to**           | Manage tunnels (for example, create, route, delete and list tunnels)                                                             | Run a tunnel. Create a config file.                                                                                              |
 
-
-
 ## Tunnel ownership
 
 Tunnel ownership is bound to the Cloudflare account for which the `cert.pem` file was issued upon authenticating `cloudflared`. If a user in a Cloudflare account creates a tunnel, any other user in the same account who has access to the `cert.pem` file for the account can delete, list, or otherwise manage tunnels within it.
+
+## Account-scoped roles
+
+<Render file="tunnel/account-scoped-roles" />
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 1
 ---
 
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
 
 If you created a Cloudflare Tunnel [from the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/), the tunnel runs as a service on your OS.
 
@@ -310,4 +310,4 @@ The tunnel token is now fully rotated. The old token is no longer in use.
 
 ### Account-scoped roles
 
-Account members with [Cloudflare Access](/cloudflare-one/roles-permissions/) and [DNS](/fundamentals/setup/manage-members/roles/) permissions will be able to create, delete, and configure all tunnels for the account.
+<Render file="tunnel/account-scoped-roles" />
diff --git a/src/content/docs/fundamentals/setup/manage-members/roles.mdx b/src/content/docs/fundamentals/setup/manage-members/roles.mdx
@@ -25,7 +25,7 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
 | Audit Logs Viewer                                            | Can view [Audit Logs](/fundamentals/setup/account/account-security/review-audit-logs/).                                                                                                                                                                                                                                                                                                                |
 | Bot Management (Account-wide)                                | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations for all domains in account.                                                                                                                                                                                                                                          |
 | Billing                                                      | Can edit the account’s [billing profile](/fundamentals/subscriptions-and-billing/create-billing-profile/) and subscriptions                                                                                                                                                                                                                                                                            |
-| Cloudflare Access                                            | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) policies.                                                                                                                                                                                                                                                                                                                               |
+| Cloudflare Access                                            | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) and [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/).                                                                                                                                                                                                                                                                                                                               |
 | Cache Purge                                                  | Can purge the edge cache.                                                                                                                                                                                                                                                                                                                                                                              |
 | Cloudflare DEX                                               | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/).                                                                                                                                                                                                                                                                                                                                              |
 | Cloudflare Gateway                                           | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/).                                                                                                                                                                                                                                                                                         |
diff --git a/src/content/partials/cloudflare-one/tunnel/account-scoped-roles.mdx b/src/content/partials/cloudflare-one/tunnel/account-scoped-roles.mdx
@@ -0,0 +1,10 @@
+---
+{}
+
+---
+
+Minimum permissions needed to create, delete, and configure tunnels for an account:
+- [Cloudflare Access](/cloudflare-one/roles-permissions/)
+
+Additional permissions needed to [route traffic to a public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
+- [DNS](/fundamentals/setup/manage-members/roles/)
