diff --git a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx
index 1006e80fbccbc8f..63b07c17952d16b 100644
--- a/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx
+++ b/src/content/docs/cloudflare-one/insights/logs/gateway-logs/index.mdx
@@ -195,19 +195,19 @@ When an HTTP request results in an error, Gateway logs the first 512 bytes of th
#### Basic information
-| Field | Description |
-| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. |
-| **Email** | Email address of the user who made the HTTP request. This is generated by the WARP client. |
-| **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
-| **Request ID** | Unique ID of the request. |
-| **Time** | Date and time of the HTTP request. |
-| **Source internal IP** | Private IP address assigned by the user's local network. |
-| **User agent** | User agent header sent in the request by the originating device. |
-| **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
-| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). |
-| **DLP profile entries** | Name of the matched entry within the DLP profile. |
-| **Uploaded/downloaded file** | |
+| Field | Description |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Host** | Hostname in the HTTP header for the HTTP request. Gateway will log the SNI in this field if it responded to the request with a Do Not Inspect action. If Gateway does not receive the SNI, this field will be empty. |
+| **Email** | Email address of the user who made the HTTP request. This is generated by the WARP client. |
+| **Action** | The Gateway [Action](/cloudflare-one/policies/gateway/dns-policies/#actions) taken based on the first rule that matched (such as Allow or Block). |
+| **Request ID** | Unique ID of the request. |
+| **Time** | Date and time of the HTTP request. |
+| **Source internal IP** | Private IP address assigned by the user's local network. |
+| **User agent** | User agent header sent in the request by the originating device. |
+| **Policy details** | Policy corresponding to the decision Gateway made based on the traffic criteria of the request. |
+| **DLP profiles** | Name of the matched [DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). |
+| **DLP profile entries** | Name of the matched entry within the DLP profile. |
+| **Uploaded/downloaded file** | Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include:
- File name
- File type
- File size
- File hash (for Allowed requests only)
- Content type
- Direction (Upload/Download)
- Action (Block/Allow)
|
#### Matched policies
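Review bot: The new **Uploaded/downloaded file** row runs across several lines, with the seven detail items as `-` bullets inside the table cell. A Markdown table row has to stay on one physical line, so as written the row ends at "Details include:" and the bullets and the closing `|` fall outside the table. Keep the cell on one line (inline breaks or a comma-separated list), or move the detail list below the table and refer to it from the cell. Also confirm that `#enhanced-file-detection` resolves on this page now that the text is inlined. The widened separator row causes every unchanged row to show up as modified, which makes the real change hard to spot.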
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
index 75b12b1c03b27cd..e2da3f4c12d2221 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
@@ -360,7 +360,13 @@ Use this selector to filter DNS responses by their `TXT` records.
### Indicator Feeds
-
+Use this selector to match against custom indicator feeds.
+
+You can use a [publicly available indicator feed](/security-center/indicator-feeds/#publicly-available-feeds) or a custom indicator feed assigned to your account by a designated third-party vendor. For more information on indicator feeds, refer to [Custom Indicator Feeds](/security-center/indicator-feeds/).
+
+| UI name | API example | Evaluation phase |
+| --------------- | -------------------- | --------------------- |
+| Indicator Feeds | `dns.indicator_feed` | Before DNS resolution |
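Review bot: The first added sentence says the selector matches "custom indicator feeds", but the next paragraph says a publicly available feed can be used as well. Drop "custom" from the first sentence, or say "publicly available or custom indicator feeds", so the two lines agree.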
diff --git a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx
index 1b97d183cc19060..d6d4d4f9560356c 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/domain-categories.mdx
@@ -5,11 +5,13 @@ sidebar:
order: 10
---
-import { Render } from "~/components";
-
Cloudflare Gateway allows you to block known and potential security risks on the public Internet, as well as specific categories of content. Domains are categorized by [Cloudflare Radar](/radar/glossary/#content-categories).
-
+Cloudflare categorizes domains into content categories and security categories, which cover security risks and security threats:
+
+- **Content categories**: An upstream vendor supplies content categories for domains. These categories help us organize domains into broad topic areas. However, the specific criteria and methods used by our vendor may not be disclosed.
+- **Security risks**: Cloudflare determines security risks for domains using internal models. These models analyze various factors, including the age of a domain and its reputation. This allows us to identify potentially risky domains.
+- **Security threats**: To identify malicious domains that pose security threats, Cloudflare employs a mix of internal data sources, machine learning models, commercial feeds, and open-source threat intelligence.
You can block security and content categories by creating DNS or HTTP policies. Once you have configured your policies, you will be able to inspect network activity and the associated categories in your Gateway logs.
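Review bot: The inlined bullets switch to first person ("help us organize", "our vendor", "allows us to identify") while the rest of the page refers to Cloudflare in the third person; pick one voice. Also, the context line above says domains are categorized by Cloudflare Radar, while the new **Content categories** bullet says an upstream vendor supplies them. Now that both statements sit on the same page, reconcile them so readers know which source applies to which category type.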
@@ -71,7 +73,6 @@ Subdomains that have not been assigned a category will inherit the category of t
| Violence | Sites hosting and/or promoting violent content. |
| Weather | Sites related to weather. |
-
### Miscellaneous subcategories
| Category | Definition |
diff --git a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
index da36348972c1044..52c7ef2f609785d 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
@@ -11,7 +11,7 @@ learning_center:
link: https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/
---
-import { GlossaryTooltip, Render } from "~/components";
+import { GlossaryTooltip, Render, Tabs, TabItem } from "~/components";
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
@@ -55,7 +55,65 @@ To verify your device is connected to Zero Trust:
## 3. Create your first DNS policy
-
+To create a new DNS policy:
+
+
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **DNS** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
+5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+
+6. Select **Create policy**.
+
+
+
+
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+ | Type | Item | Permission |
+ | ------- | ---------- | ---------- |
+ | Account | Zero Trust | Edit |
+
+2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/account/find-account-and-zone-ids/) and API token.
+3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+
+ ```sh title="curl API DNS policy example"
+ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
+ --header "Content-Type: application/json" \
+ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+ --data '{
+ "name": "Block security threats",
+ "description": "Block all default Cloudflare DNS security categories",
+ "precedence": 0,
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "dns"
+ ],
+ "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+ "identity": ""
+ }'
+ ```
+
+ ```sh output
+ {
+ "success": true,
+ "errors": [],
+ "messages": []
+ }
+ ```
+
+ The API will respond with a summary of the policy and the result of your request.
+
+
+
+For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
## 4. Add optional policies
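Review bot: Step 5 of the dashboard procedure ends with "block all security categories:" and then goes straight to step 6, so the sentence introduces an example that is not shown. Add the example policy (selector, operator, value, action) under step 5, or end the sentence with a period. In the API steps, the sample output shows only `success`, `errors` and `messages`, while the line after it says the API responds with a summary of the policy; include that summary in the sample or reword the sentence. The numeric IDs in `dns.security_category[*] in {68 178 80 ...}` are opaque as written, so link to where the IDs are defined so readers can check exactly which categories they are blocking.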
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
index e5816545e24a134..2298091a911ecac 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
@@ -286,7 +286,11 @@ Gateway matches network traffic against the following selectors, or criteria.
### Detected Protocol
-
+The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/).
+
+| UI name | API example |
+| ----------------- | --------------------------------- |
+| Detected Protocol | `net.protocol.detection == "ssh"` |
### Device Posture
@@ -315,11 +319,23 @@ To enable Gateway filtering on TCP and UDP, go to **Settings** > **Network** > *
### SNI
-
+The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.
+
+This selector only applies to traffic on port `443`.
+
+| UI name | API example |
+| ------- | ----------------------------------- |
+| SNI | `net.sni.host == "www.example.com"` |
### SNI Domain
-
+The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for `example.com` will match `example.com`, `www.example.com`, and `my.test.example.com`.
+
+This selector only applies to traffic on port `443`.
+
+| UI name | API example |
+| ---------- | ---------------------------------- |
+| SNI Domain | `net.sni.domains == "example.com"` |
### Source Continent
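Review bot: Both new descriptions call SNI a "header" ("Server Name Indication (SNI) header"); SNI is an extension in the TLS ClientHello, not a header, so "SNI value" or "SNI hostname" would be accurate. In the SNI section, "This will allow for an exact match" has no clear subject; "Matches the hostname exactly" reads better and contrasts with SNI Domain, which also matches subdomains. Since both selectors depend on the client sending SNI, consider stating how traffic without an SNI is handled.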
diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-cipa-policy.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-cipa-policy.mdx
index 870a9c523311aa0..cd9dc522285ae25 100644
--- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-cipa-policy.mdx
+++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-cipa-policy.mdx
@@ -10,7 +10,12 @@ import { Render } from "~/components";
## Create CIPA policy
1. Go to **Gateway** > **Firewall policies**.
-2. Create a policy to block using the CIPA filter:
+2. Create a policy to block using the CIPA filter:
+
+ | Selector | Operator | Value | Action |
+ | ------------------ | -------- | ------------- | ------ |
+ | Content Categories | in | _CIPA Filter_ | Block |
+
3. In **Logs** > **Gateway** > **DNS**, verify that you see the blocked domain.
Your environment is now protected against all of the subcategories listed in [Configuration](/fundamentals/reference/policies-compliances/cybersafe/#configuration).
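Review bot: Step 2 does not say which policy type to create, while step 3 verifies the result in **Logs** > **Gateway** > **DNS**. Name the **DNS** tab in step 2 or just above the inlined table, since the domain categories page says content categories can be blocked with either DNS or HTTP policies. The `-2.`/`+2.` pair differs only in whitespace, which is fine if it is formatter output.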
diff --git a/src/content/partials/cloudflare-one/gateway/domain-categories.mdx b/src/content/partials/cloudflare-one/gateway/domain-categories.mdx
deleted file mode 100644
index 5d38d83a37f0064..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/domain-categories.mdx
+++ /dev/null
@@ -1,9 +0,0 @@
----
-{}
----
-
-Cloudflare categorizes domains into content categories and security categories, which cover security risks and security threats:
-
-- **Content categories**: An upstream vendor supplies content categories for domains. These categories help us organize domains into broad topic areas. However, the specific criteria and methods used by our vendor may not be disclosed.
-- **Security risks**: Cloudflare determines security risks for domains using internal models. These models analyze various factors, including the age of a domain and its reputation. This allows us to identify potentially risky domains.
-- **Security threats**: To identify malicious domains that pose security threats, Cloudflare employs a mix of internal data sources, machine learning models, commercial feeds, and open-source threat intelligence.
diff --git a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx b/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
deleted file mode 100644
index f0241fcb974b9c6..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/get-started/create-dns-policy.mdx
+++ /dev/null
@@ -1,65 +0,0 @@
----
-{}
----
-
-import { Render, Tabs, TabItem } from "~/components";
-
-To create a new DNS policy:
-
-
-
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
-2. In the **DNS** tab, select **Add a policy**.
-3. Name the policy.
-4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
-5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
-
-6. Select **Create policy**.
-
-
-
-
-
-1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
-
- | Type | Item | Permission |
- | ------- | ---------- | ---------- |
- | Account | Zero Trust | Edit |
-
-2. (Optional) Configure your API environment variables to include your [account ID](/fundamentals/account/find-account-and-zone-ids/) and API token.
-3. Send a `POST` request to the [Create a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/create/) endpoint. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
-
- ```sh title="curl API DNS policy example"
- curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
- --header "Content-Type: application/json" \
- --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
- --data '{
- "name": "Block security threats",
- "description": "Block all default Cloudflare DNS security categories",
- "precedence": 0,
- "enabled": true,
- "action": "block",
- "filters": [
- "dns"
- ],
- "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
- "identity": ""
- }'
- ```
-
- ```sh output
- {
- "success": true,
- "errors": [],
- "messages": []
- }
- ```
-
- The API will respond with a summary of the policy and the result of your request.
-
-
-
-For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
diff --git a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx
index 87191d52418c492..167d094d1caac75 100644
--- a/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx
+++ b/src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx
@@ -183,7 +183,14 @@ If Gateway traffic is headed to a private IP address protected as an Access appl
Suppose you have a list of policies arranged in the following order of precedence:
-- DNS policies:
+- DNS policies:
+
+ | Precedence | Selector | Operator | Value | Action |
+ | ---------- | -------- | ------------- | ------------------ | ------ |
+ | 1 | Host | is | `example.com` | Block |
+ | 2 | Host | is | `test.example.com` | Allow |
+ | 3 | Domain | matches regex | `.\` | Block |
+
- HTTP policies:
| Precedence | Selector | Operator | Value | Action |
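Review bot: The value in the precedence 3 row is `.\`, which is not a complete regular expression (a dot followed by a dangling backslash). Inside a code span the backslash is literal, so if the intent is a match-everything rule the cell should read `.*`. The same value appears in the deleted partial, so this patch is a good place to fix it instead of carrying it over.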
@@ -201,15 +208,16 @@ Suppose you have a list of policies arranged in the following order of precedenc
When a user goes to `https://test.example.com`, Gateway performs the following operations:
-1. Evaluate DNS request against DNS policies:
+1. Evaluate DNS request against DNS policies:
+ 1. Policy #1 does not match `test.example.com` — move on to check Policy #2.
+ 2. Policy #2 matches, so DNS resolution is allowed.
+ 3. Policy #3 is not evaluated because there has already been an explicit match.
2. Evaluate HTTPS request against HTTP policies:
-
1. Policy #2 is evaluated first because Do Not Inspect [always takes precedence](#http-policies) over Allow and Block. Since there is no match, move on to check Policy #1.
2. Policy #1 does not match `test.example.com`. Since there are no matching Block policies, the request passes the HTTP filter and moves on to network policy evaluation.
3. Evaluate HTTPS request against network policies:
-
1. Policy #1 does not match because port 80 is used for standard HTTP, not HTTPS.
2. Policy #2 matches, so the request is allowed and proxied to the upstream server.
3. Policy #3 is not evaluated because there has already been an explicit match.
diff --git a/src/content/partials/cloudflare-one/gateway/order-of-precedence-dns-order.mdx b/src/content/partials/cloudflare-one/gateway/order-of-precedence-dns-order.mdx
deleted file mode 100644
index 644525867c0d49c..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/order-of-precedence-dns-order.mdx
+++ /dev/null
@@ -1,8 +0,0 @@
----
-{}
-
----
-
-1. Policy #1 does not match `test.example.com` — move on to check Policy #2.
-2. Policy #2 matches, so DNS resolution is allowed.
-3. Policy #3 is not evaluated because there has already been an explicit match.
diff --git a/src/content/partials/cloudflare-one/gateway/order-of-precedence-dns.mdx b/src/content/partials/cloudflare-one/gateway/order-of-precedence-dns.mdx
deleted file mode 100644
index c36d7f052008caf..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/order-of-precedence-dns.mdx
+++ /dev/null
@@ -1,10 +0,0 @@
----
-{}
-
----
-
-| Precedence | Selector | Operator | Value | Action |
-| ---------- | -------- | ------------- | ------------------ | ------ |
-| 1 | Host | is | `example.com` | Block |
-| 2 | Host | is | `test.example.com` | Allow |
-| 3 | Domain | matches regex | `.\` | Block |
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx
deleted file mode 100644
index e4763c549421e62..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/policies/block-cipa.mdx
+++ /dev/null
@@ -1,7 +0,0 @@
----
-{}
----
-
-| Selector | Operator | Value | Action |
-| ------------------ | -------- | ------------- | ------ |
-| Content Categories | in | _CIPA Filter_ | Block |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/indicator-feeds.mdx b/src/content/partials/cloudflare-one/gateway/selectors/indicator-feeds.mdx
deleted file mode 100644
index 8b277a733a3d29b..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/selectors/indicator-feeds.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-inputParameters: API_param
----
-
-import { Markdown } from "~/components";
-
-Use this selector to match against custom indicator feeds.
-
-You can use a [publicly available indicator feed](/security-center/indicator-feeds/#publicly-available-feeds) or a custom indicator feed assigned to your account by a designated third-party vendor. For more information on indicator feeds, refer to [Custom Indicator Feeds](/security-center/indicator-feeds/).
-
-| UI name | API example | Evaluation phase |
-| --------------- | --------------------------------------- | --------------------- |
-| Indicator Feeds | {props.one}.indicator_feed
| Before DNS resolution |
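Review bot: The deleted partial was parameterized (`inputParameters: API_param`, `{props.one}.indicator_feed`), but the only replacement visible in this patch is the hard-coded `dns.indicator_feed` on the DNS policies page. Before removing the file, check that no other page rendered it with a different prefix; any such page would lose the section or fail to build.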
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/protocol-detection.mdx b/src/content/partials/cloudflare-one/gateway/selectors/protocol-detection.mdx
deleted file mode 100644
index 00ead569dc9ea4f..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/selectors/protocol-detection.mdx
+++ /dev/null
@@ -1,9 +0,0 @@
----
-{}
----
-
-The inferred network protocol based on Cloudflare's [protocol detection](/cloudflare-one/policies/gateway/network-policies/protocol-detection/).
-
-| UI name | API example |
-| ----------------- | --------------------------------- |
-| Detected Protocol | `net.protocol.detection == "ssh"` |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/sni-domain.mdx b/src/content/partials/cloudflare-one/gateway/selectors/sni-domain.mdx
deleted file mode 100644
index fcd45e601ff28fb..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/selectors/sni-domain.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
----
-{}
-
----
-
-The domain whose Server Name Indication (SNI) header Gateway will filter traffic against. For example, a rule for `example.com` will match `example.com`, `www.example.com`, and `my.test.example.com`.
-
-This selector only applies to traffic on port `443`.
-
-| UI name | API example |
-| ---------- | ---------------------------------- |
-| SNI Domain | `net.sni.domains == "example.com"` |
diff --git a/src/content/partials/cloudflare-one/gateway/selectors/sni.mdx b/src/content/partials/cloudflare-one/gateway/selectors/sni.mdx
deleted file mode 100644
index 73185a3291e00b8..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/selectors/sni.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
----
-{}
-
----
-
-The host whose Server Name Indication (SNI) header Gateway will filter traffic against. This will allow for an exact match.
-
-This selector only applies to traffic on port `443`.
-
-| UI name | API example |
-| ------- | ----------------------------------- |
-| SNI | `net.sni.host == "www.example.com"` |
diff --git a/src/content/partials/cloudflare-one/gateway/uploaded-downloaded-file.mdx b/src/content/partials/cloudflare-one/gateway/uploaded-downloaded-file.mdx
deleted file mode 100644
index 9b4a224f41ff811..000000000000000
--- a/src/content/partials/cloudflare-one/gateway/uploaded-downloaded-file.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
----
-{}
-
----
-
-Information about the file transferred in the request found by [enhanced file detection](#enhanced-file-detection). Details include: - File name
- File type
- File size
- File hash (for Allowed requests only)
- Content type
- Direction (Upload/Download)
- Action (Block/Allow)
diff --git a/src/content/partials/learning-paths/create-cloudflare-account.mdx b/src/content/partials/learning-paths/create-cloudflare-account.mdx
index b7c74cba4c03143..f9d93467ee5020d 100644
--- a/src/content/partials/learning-paths/create-cloudflare-account.mdx
+++ b/src/content/partials/learning-paths/create-cloudflare-account.mdx
@@ -1,9 +1,8 @@
---
{}
-
---
-import { Render } from "~/components"
+import { Render } from "~/components";
To create a new Cloudflare account:
@@ -11,7 +10,10 @@ To create a new Cloudflare account:
2. To secure your account, enable [two-factor authentication](/fundamentals/user-profiles/2fa/).
-3.
+3. If you have a Cloudflare contact (Enterprise only), ask them to set up your account as a multi-user organization. Account members will need:
+ - [**Access** permissions](/cloudflare-one/roles-permissions/) to read or edit applications and Access policies.
+ - [**Gateway** permissions](/cloudflare-one/roles-permissions/) to read or edit Gateway policies.
+ - [**PII** permissions](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) to view user information in Gateway activity logs.
## Best practices
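Review bot: In the new step 3 list, the **Access** and **Gateway** bullets both link to `/cloudflare-one/roles-permissions/` with no anchor, while the **PII** bullet deep-links to `#cloudflare-zero-trust-pii`. If the roles page has matching sections for Access and Gateway, link to them directly. Because the PII permission exposes user information in Gateway activity logs, it would help to say that it should be granted only to members who need it, rather than listing it alongside the other two as something account members "will need".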
diff --git a/src/content/partials/learning-paths/zero-trust/enterprise-account-perms.mdx b/src/content/partials/learning-paths/zero-trust/enterprise-account-perms.mdx
deleted file mode 100644
index 07a0c23e2542fbd..000000000000000
--- a/src/content/partials/learning-paths/zero-trust/enterprise-account-perms.mdx
+++ /dev/null
@@ -1,10 +0,0 @@
----
-{}
-
----
-
-If you have a Cloudflare contact (Enterprise only), ask them to set up your account as a multi-user organization. Account members will need:
-
-* [**Access** permissions](/cloudflare-one/roles-permissions/) to read or edit applications and Access policies.
-* [**Gateway** permissions](/cloudflare-one/roles-permissions/) to read or edit Gateway policies.
-* [**PII** permissions](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) to view user information in Gateway activity logs.