From df3e4aeab506c6d89872a45c5ae410066c5802fd Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 17:51:41 -0600 Subject: [PATCH 01/11] Reorder pages --- .../policies/gateway/application-app-types.mdx | 2 +- .../cloudflare-one/policies/gateway/block-page.mdx | 2 +- .../policies/gateway/domain-categories.mdx | 2 +- .../policies/gateway/global-policies.mdx | 10 +--------- .../policies/gateway/identity-selectors.mdx | 2 +- .../policies/gateway/order-of-enforcement.mdx | 2 +- .../docs/cloudflare-one/policies/gateway/proxy.mdx | 2 +- 7 files changed, 7 insertions(+), 15 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx index 3ba48998e52941b..4b7c9ac1392fe0b 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Applications and app types sidebar: - order: 8 + order: 9 --- import { GlossaryDefinition, GlossaryTooltip } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 0bcf0888fa0834f..3972268233fc834 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -2,7 +2,7 @@ pcx_content_type: how-to title: Block page sidebar: - order: 11 + order: 14 banner: content: The default global Cloudflare root certificate expired on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. --- 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx index 2cd51bdf1a54166..0e1a23edf1ff014 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Domain categories sidebar: - order: 9 + order: 10 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx index f8bf4dca95234e0..22e766fcf7a5c56 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx @@ -2,8 +2,7 @@ pcx_content_type: reference title: Global policies sidebar: - order: 7 - + order: 8 --- Cloudflare Zero Trust applies a set of global policies to all accounts. @@ -14,8 +13,6 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic ## Network proxy policies - - | Name | ID | Criteria | Value | Action | Description | | --------------------------------- | -------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------- | | Allow CF Network Error Logging L4 | `00000001-e4af-4b82-8f8c-c79c1d5d212e` | Hostname | `*.nel.cloudflare.com` | allow | Allows SNI domains for WARP registration. | 
@@ -24,12 +21,8 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic | Allow Zero Trust Services | `00000001-e1e8-421b-a0fe-895397489f28` | Hostname | `dash.teams.cloudflare.com`, `help.teams.cloudflare.com`, `blocked.teams.cloudflare.com`, `api.cloudflare.com`, `cloudflarestatus.com`, `www.cloudflarestatus.com`, and `one.dash.cloudflare.com` | allow | Allows Cloudflare Zero Trust services. | | Allow Access Apps L4 | `00000001-daa2-41e2-8a88-698af4066951` | Hostname | `*.cloudflareaccess.com` | allow | Allows [Cloudflare Access](/cloudflare-one/policies/access/) applications. | - - ## HTTP inspection policies - - | Name | ID | Criteria | Value | Action | Description | | -------------------------------------- | -------------------------------------- | ---------------- | ------------------------------------------------------------------ | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | Prevent Account Change Block | `00000001-d1f2-461a-8253-501c8d882a15` | Hostname | `*.cloudflareclient.com` | bypass | Ensures users cannot accidentally block themselves from making account changes. | @@ -49,4 +42,3 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic | Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | Child Abuse | block | Blocks child abuse materials. | | Don't Isolate RBI Help Pages | `00000001-1a18-431f-9c9d-bce431f1002a` | Hostname | `developers.cloudflare.com` and `help.cloudflarebrowser.com` | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. | | Don't AV Scan CF Speed | `00000001-c194-408f-87dd-9a366ce76e12` | Hostname | `speed.cloudflare.com` | noscan | Allows files transferred by the Cloudflare speed test. | - 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx index a656f174f6687a1..b517806d4dbee87 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Identity-based policies sidebar: - order: 10 + order: 7 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx b/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx index 888924875b3844d..00663c799620567 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/order-of-enforcement.mdx @@ -2,7 +2,7 @@ pcx_content_type: concept title: Order of enforcement sidebar: - order: 12 + order: 11 --- import { Render } from "~/components"; diff --git a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx b/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx index 499d43e77d773d5..b230310d501cf32 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/proxy.mdx @@ -2,7 +2,7 @@ pcx_content_type: concept title: Proxy sidebar: - order: 14 + order: 12 --- import { Badge } from "~/components"; From f6797a74d402bbc13662a734e406c01dee3c26c6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 18:13:39 -0600 Subject: [PATCH 02/11] Add rought draft --- .../gateway/managed-service-providers.mdx | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx new file mode 100644 index 000000000000000..530d01114371baa --- /dev/null +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -0,0 +1,24 @@ +--- +pcx_content_type: how-to +title: Managed service providers (MSPs) +sidebar: + order: 15 +--- + +:::note[Gateway DNS only] +Gateway only supports MSP-tenant account structures for DNS filtering. +::: + +Gateway supports the Cloudflare Tenant API, which allows managed service providers (MSPs) to implement parent-child policy structures, supporting large-scale multi-tenant deployments with centralized policy control and account-level overrides. + +## Account types + +The Gateway tenant platform supports parent-child and siloed accounts. Each account type offers different benefits based on organizational needs. + +### Parent-child accounts + +A hierarchical model where a parent account enforces global security policies that apply to all child accounts. Child accounts can override or supplement policies as needed while remaining under the parent account's management. + +### Siloed accounts + +Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. From 28b227e2e7f26f700e59dc11de2480d03fb3268e Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 11 Feb 2025 18:16:00 -0600 Subject: [PATCH 03/11] Add order of enforcement --- .../policies/gateway/managed-service-providers.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index 530d01114371baa..b11ffe44b764b1e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx 
+++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -19,6 +19,8 @@ The Gateway tenant platform supports parent-child and siloed accounts. Each acco A hierarchical model where a parent account enforces global security policies that apply to all child accounts. Child accounts can override or supplement policies as needed while remaining under the parent account's management. +Parent account policy is evaluated before a child account policy. If the parent policy has selected 'allow child bypass' the child can override the parent policy. + ### Siloed accounts Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. From d2470ec07cf9f70f4c0710f9ad10a45f9cab77ec Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 12 Feb 2025 14:16:24 -0600 Subject: [PATCH 04/11] Change availability note --- .../policies/gateway/managed-service-providers.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index b11ffe44b764b1e..809b19526dd38b0 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -5,8 +5,8 @@ sidebar: order: 15 --- -:::note[Gateway DNS only] -Gateway only supports MSP-tenant account structures for DNS filtering. +:::note +Only available on Enterprise plans. For more information, contact your account team. ::: Gateway supports the Cloudflare Tenant API, which allows managed service providers (MSPs) to implement parent-child policy structures, supporting large-scale multi-tenant deployments with centralized policy control and account-level overrides. From 27a1428eee42e21366b5b671647a96a2de02c6ed Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Wed, 12 Feb 2025 14:38:15 -0600 Subject: [PATCH 05/11] Refine wording --- .../policies/gateway/managed-service-providers.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index 809b19526dd38b0..4fcfafd4c0c47a2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -9,11 +9,13 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -Gateway supports the Cloudflare Tenant API, which allows managed service providers (MSPs) to implement parent-child policy structures, supporting large-scale multi-tenant deployments with centralized policy control and account-level overrides. +Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. Tenants can create Zero Trust deployments with centralized Gateway policy control and account-level overrides. + +The Tenant platform only supports creating Gateway DNS policies. ## Account types -The Gateway tenant platform supports parent-child and siloed accounts. Each account type offers different benefits based on organizational needs. +The Gateway Tenant platform supports parent-child and siloed accounts. Each account type offers different benefits based on organizational needs. ### Parent-child accounts From ec0ee39abea0f15957331202be24f48659ec446a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 12 Feb 2025 15:21:41 -0600 Subject: [PATCH 06/11] Add get started --- .../gateway/managed-service-providers.mdx | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx
index 4fcfafd4c0c47a2..bb5dc1eb9f6a961 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx
@@ -9,20 +9,30 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. Tenants can create Zero Trust deployments with centralized Gateway policy control and account-level overrides. +Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With Tenant, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a organization group or account level. -The Tenant platform only supports creating Gateway DNS policies. +The Tenant platform only supports Gateway DNS policies. + +## Get started + +{/* */} + +To set up the Tenant API, refer to [Get started](/tenant/get-started/). + +Once you have provisioned your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). ## Account types -The Gateway Tenant platform supports parent-child and siloed accounts. Each account type offers different benefits based on organizational needs. +The Gateway Tenant platform supports parent-child and siloed accounts. ### Parent-child accounts -A hierarchical model where a parent account enforces global security policies that apply to all child accounts. Child accounts can override or supplement policies as needed while remaining under the parent account's management. +In a parent-child configuration, a top-level parent account enforces global security policies that apply to all child accounts. Child accounts can configure, override, or add policies as needed while still managed by the parent account. Parent account policy is evaluated before a child account policy. 
If the parent policy has selected 'allow child bypass' the child can override the parent policy. +{/* */} + ### Siloed accounts Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. From 29549c29bce903f0eec371a64f62255c3c06e7d9 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 12 Feb 2025 17:12:10 -0600 Subject: [PATCH 07/11] Add info about tiered accounts --- .../policies/gateway/managed-service-providers.mdx | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index bb5dc1eb9f6a961..c292a4da3f32967 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx 
@@ -23,16 +23,18 @@ Once you have provisioned your customer's Cloudflare accounts, you can create [D ## Account types -The Gateway Tenant platform supports parent-child and siloed accounts. +The Gateway Tenant platform supports tiered and siloed accounts. -### Parent-child accounts +### Tiered accounts -In a parent-child configuration, a top-level parent account enforces global security policies that apply to all child accounts. Child accounts can configure, override, or add policies as needed while still managed by the parent account. +{/* */} -Parent account policy is evaluated before a child account policy. If the parent policy has selected 'allow child bypass' the child can override the parent policy. +In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still managed by the parent account. -{/* */} +Gateway evaluates parent account policies before a child account policies. To allow a child account to override a parent account's policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. ### Siloed accounts +{/* */} + Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. From fde958ce506f0d53982f2c4b3547c0725f89e0ee Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 13 Feb 2025 11:54:20 -0600 Subject: [PATCH 08/11] Update notes --- .../policies/gateway/managed-service-providers.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index c292a4da3f32967..0f8fa256421799e 100644 
--- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -15,7 +15,7 @@ The Tenant platform only supports Gateway DNS policies. ## Get started -{/* */} +{/* Don't need to surface much of the policy creation flow here */} To set up the Tenant API, refer to [Get started](/tenant/get-started/). @@ -27,7 +27,7 @@ The Gateway Tenant platform supports tiered and siloed accounts. ### Tiered accounts -{/* */} +{/* TODO: convert first diagram from blog post to mermaid flowchart */} In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still managed by the parent account. @@ -35,6 +35,6 @@ Gateway evaluates parent account policies before a child account policies. To al ### Siloed accounts -{/* */} +{/* TODO: convert second diagram from blog post to mermaid flowchart */} Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. From 358015e610fbd426a936e1755805dd4014c0b282 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 13 Feb 2025 17:29:57 -0600 Subject: [PATCH 09/11] Add flowchart 1 --- .../gateway/managed-service-providers.mdx | 46 +++++++++++++++---- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index 0f8fa256421799e..1b25bd44915ff71 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx 
@@ -9,32 +9,58 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With Tenant, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a organization group or account level. +Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or account level. -The Tenant platform only supports Gateway DNS policies. +The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. ## Get started {/* Don't need to surface much of the policy creation flow here */} -To set up the Tenant API, refer to [Get started](/tenant/get-started/). - -Once you have provisioned your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). +To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). ## Account types -The Gateway Tenant platform supports tiered and siloed accounts. +The Gateway Tenant platform supports tiered and siloed account configurations. 
### Tiered accounts -{/* TODO: convert first diagram from blog post to mermaid flowchart */} - In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still managed by the parent account. -Gateway evaluates parent account policies before a child account policies. To allow a child account to override a parent account's policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. +Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a tiered account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. + +%% Flowchart + subgraph s1["Parent account"] + n1["Block malware"] + n2["Block DNS tunnel"] + n3["Block spyware"] + end + subgraph s2["Child account A"] + n4["Block social media"] + end + subgraph s3["Child account B"] + n5["Block instant messaging"] + end + n1 ~~~ n2 + n2 ~~~ n3 + A["Tenant"] --Administers--> s1 + s1 --> s2 & s3 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} + n4@{ shape: lean-l} + n5@{ shape: lean-l} +``` ### Siloed accounts {/* TODO: convert second diagram from blog post to mermaid flowchart */} -Each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. 
+In a siloed account configuration, each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. From 56313340ea788aa6d4cc129fc56b9617b676e117 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 18 Feb 2025 15:48:49 -0600 Subject: [PATCH 10/11] Add siloed account flowchart --- .../gateway/managed-service-providers.mdx | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index 1b25bd44915ff71..9c814075e8e26be 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -50,7 +50,7 @@ flowchart TD n1 ~~~ n2 n2 ~~~ n3 A["Tenant"] --Administers--> s1 - s1 --> s2 & s3 + s1 -- "Applies policies to" --> s2 & s3 n1@{ shape: lean-l} n2@{ shape: lean-l} @@ -61,6 +61,27 @@ flowchart TD ### Siloed accounts -{/* TODO: convert second diagram from blog post to mermaid flowchart */} - In a siloed account configuration, each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a siloed account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. + +%% Flowchart + subgraph s1["Siloed account A"] + n1["Block social media"] + end + subgraph s2["Siloed account C"] + n2["Block instant messaing"] + end + subgraph s3["Siloed account B"] + n3["Block news"] + end + A["Tenant"] -- Administers --> s1 & s3 & s2 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} +``` 
From 3c22308b0f372ff4dc13bb0f5810b8448fe8bca6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 18 Feb 2025 16:08:58 -0600 Subject: [PATCH 11/11] Improve MSP control messaging --- .../policies/gateway/managed-service-providers.mdx | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx index 9c814075e8e26be..4b944890e769614 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx @@ -9,7 +9,7 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or account level. +Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. 
@@ -25,7 +25,14 @@ The Gateway Tenant platform supports tiered and siloed account configurations. ### Tiered accounts -In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still managed by the parent account. +In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: + +- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) +- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) +- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) +- Creating [lists](/cloudflare-one/policies/gateway/lists/) + +Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. @@ -61,7 +68,7 @@ flowchart TD ### Siloed accounts -In a siloed account configuration, each account operates independently within the same tenant. Each account manages its own security policies, resources, and configurations separately. +In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately. ```mermaid flowchart TD