Skip to content

[Email Security] Update Email Security roles across all pages #24737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 28, 2025
Merged

[Email Security] Update Email Security roles across all pages #24737

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
611e1ad
[Email Security] Update Email Security roles across all pages
Maddy-Cloudflare Aug 27, 2025
508d0fb
Updating page
Maddy-Cloudflare Aug 27, 2025
272629c
Addressing Pete's suggestion
Maddy-Cloudflare Aug 27, 2025
4864a5e
Update src/content/docs/fundamentals/manage-members/roles.mdx
Maddy-Cloudflare Aug 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions src/content/docs/cloudflare-one/roles-permissions.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,12 +44,12 @@ The Cloudflare Zero Trust PII role does not apply to Access audit logs. PII is a

For more information on Email Security roles, refer to [Account-scoped roles](/fundamentals/manage-members/roles/#account-scoped-roles).

- **Cloudflare Zero Trust**: Super Admin access for all Zero Trust products, Email Security included.
- **Cloudflare Zero Trust**: Can edit Cloudflare [Zero Trust](/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security.
- **Cloudflare Zero Trust PII**: Can read PII in Zero Trust. This includes Email Security.
- **Email Security Analyst** and **Email Security Config Admin**: Has full access to all admin features in Email Security.
- **Email Security Analyst** and **Email Security Configuration Admin**: Has full access to all admin features in Email Security.
- **Email Security Integration Admin**: Can read and set up integrations only.
- **Email Security Config Admin**: Has administrator access. Cannot take actions on emails, or read emails.
- **Email Security Configuration Admin**: Has administrator access. Cannot take actions on emails, or read emails.
- **Email Security Analyst**: Has analyst access. Can take action on emails and read emails.
- **Email Security Reporting**: Can read metrics.
- **Email Security Read Only**: Can read all information, but cannot take action on anything.
- **Email Security Policy Admin**: Can read all settings, but only write allow policies, trusted domains, and blocked senders.
- **Email Security Policy Admin**: Can read all settings, but only write [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/).
10 changes: 6 additions & 4 deletions src/content/docs/email-security/migrate-to-email-security.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,13 @@ Once you have added new account members, you will have to assign each member an

| Area 1 | Email Security | Description |
|---------------------|--------------------------------------------------------------------|--------------------------------------------------------------|
| Super Admin | Email Security Analyst + Email Security Config Admin = Super Admin | Has full access to all products on Zero Trust Email Security |
| Configuration Admin | Email Security Configuration Admin | Admin, cannot take actions on emails or see emails |
| SOC Analyst | Email Security Analyst | Admin, can take actions on emails and see emails |
| Viewer | Email Security Reporting | Can see metrics |
| N/A | Cloudflare Zero Trust | Can edit Cloudflare [Zero Trust](/cloudflare-one/). Has administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security. |
| Super Admin | Email Security Analyst + Email Security Configuration Admin = Super Admin | Has full access to all admin features in Email Security |
| Configuration Admin | Email Security Configuration Admin | Has administrator access. Cannot take actions on emails, or read emails |
| SOC Analyst | Email Security Analyst | Has analyst access. Can take action on emails and read emails. |
| Viewer | Email Security Reporting | Can read metrics |
|N/A | Cloudflare Zero Trust PII | Can read PII in Zero Trust (this includes Email Security)
|N/A | Email Security Policy Admin | Can read all settings, but only write allow policies, trusted domains, and blocked senders |

## Create webhooks

Expand Down
11 changes: 6 additions & 5 deletions src/content/docs/fundamentals/manage-members/roles.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,11 +39,12 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
| Cloudflare Zero Trust Read Only | Can access [Cloudflare Zero Trust](/cloudflare-one/) read only mode. |
| Cloudflare Zero Trust Reporting | Can access [Cloudflare Zero Trust](/cloudflare-one/) reporting data. |
| DNS | Can edit [DNS records](/dns/manage-dns-records/). |
| Email Configuration Admin | Grants write access to all of Email Security, [CASB](/cloudflare-one/applications/casb/), [DLP](/cloudflare-one/policies/data-loss-prevention/), [Gateway](/cloudflare-one/policies/gateway/), and [Tunnels](/cloudflare-one/connections/connect-networks/), except Mail Preview, Raw Email, on-demand reports, actions on emails, and Submissions, Submission Transparency (Requires Cloudflare Zero Trust PII). |
| Email Integration Admin | Grants write access to Email Security account integration only, [CASB](/cloudflare-one/applications/casb/), [DLP](/cloudflare-one/policies/data-loss-prevention/), [Gateway](/cloudflare-one/policies/gateway/), and [Tunnels](/cloudflare-one/connections/connect-networks/). |
| Email Security Analyst | Grants write access to all of Email Security, except Settings which is read only (Requires Cloudflare Zero Trust PII). |
| Email Security Read Only | Grants read access to all of Email Security, but cannot see Raw Email, take action on emails, or make Submissions (Requires Cloudflare Zero Trust PII). |
| Email Security Reporting | Grants read access to Email Security Home, PhishGuard, and Submission Transparency. |
| Email Configuration Admin | Grants administrator access to Email Security. Cannot take actions on emails, or read emails. |
| Email Integration Admin | Grants read and write access to integrations only. |
| Email Security Analyst | Grants analyst access. Can take action on emails and read emails. |
| Email Security Read Only | Grants read only access to all of Email Security. |
| Email Security Reporting | Grants read access to Email Security metrics. |
| Email Security Policy Admin | Grants read access to all settings, and write access to [allow policies](/cloudflare-one/email-security/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/detection-settings/blocked-senders/) |
| Firewall | Can edit [WAF](/waf/), [IP Access rules](/waf/tools/ip-access-rules/), [Zone Lockdown](/waf/tools/zone-lockdown/) settings, and [Cache Rules](/cache/how-to/cache-rules/). |
| Load Balancer | Can edit [Load Balancers](/load-balancing/), Pools, Origins, and Health Checks. |
| Log Share | Can edit [Log Share](/logs/) configuration. |
Expand Down
Loading