diff --git a/src/content/changelog/casb/2025-10-28-casb-roles.mdx b/src/content/changelog/casb/2025-10-28-casb-roles.mdx new file mode 100644 index 00000000000000..07d984c607c68b --- /dev/null +++ b/src/content/changelog/casb/2025-10-28-casb-roles.mdx @@ -0,0 +1,20 @@ +--- +title: CASB introduces new granular roles +description: Cloudflare CASB adds two new granular roles, CASB Read and CASB, for more precise user access control. +products: + - casb +date: 2025-10-28 +--- + +Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams: + +* **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights. +* **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product. + +These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles. + +To enable [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/dlp-profiles/), scans in CASB, account members will need the **Cloudflare Zero Trust** role. + +You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** > **Members**. + +To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](/fundamentals/setup/manage-members/roles/). diff --git a/src/content/docs/cloudflare-one/roles-permissions.mdx b/src/content/docs/cloudflare-one/roles-permissions.mdx index 5f320f7650862c..da8b77c2890937 100644 --- a/src/content/docs/cloudflare-one/roles-permissions.mdx +++ b/src/content/docs/cloudflare-one/roles-permissions.mdx 
@@ -15,16 +15,18 @@ To check the list of members in your account, or to manage roles and permissions Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role. -| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit | -| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- | -| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | -| Cloudflare Zero Trust[^1] | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | -| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | -| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | -| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | -| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | -| Cloudflare Zero Trust DNS Locations Write[^2] | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | -| Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | +| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit | CASB Read | CASB Edit | +| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- | --------- | --------- | +| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | +| Cloudflare Zero Trust[^1] | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | +| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | +| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ 
| ❌ | ❌ | ❌ | ❌ | +| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | +| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | +| Cloudflare Zero Trust DNS Locations Write[^2] | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | +| Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | +| Cloudflare CASB Read | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | +| Cloudflare CASB | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | [^1]: The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security. diff --git a/src/content/docs/fundamentals/manage-members/roles.mdx b/src/content/docs/fundamentals/manage-members/roles.mdx index 55c2a895e33f55..2ef33e2cdff651 100644 --- a/src/content/docs/fundamentals/manage-members/roles.mdx +++ b/src/content/docs/fundamentals/manage-members/roles.mdx 
@@ -25,8 +25,11 @@ Account-scoped roles apply across an entire Cloudflare account, and through all | Audit Logs Viewer | Can view [Audit Logs](/fundamentals/account/account-security/review-audit-logs/). | | Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. | | Billing | Can edit the account's [billing profile](/billing/create-billing-profile/) and subscriptions | -| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). | | Cache Purge | Can purge the edge cache and allows the reading of zone settings. | +| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). | + +| Cloudflare CASB | Can edit [Cloudflare CASB](/cloudflare-one/applications/casb/). | +| Cloudflare CASB Read | Can read [Cloudflare CASB](/cloudflare-one/applications/casb/). | | Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). | | Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/traffic-policies/) and read [Access](/cloudflare-one/integrations/identity-providers/). | | Cloudflare Images | Can access [Cloudflare Images](/images/) data. | diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx index d8668245f32377..e4761450df95a4 100644 --- a/src/content/partials/fundamentals/account-permissions-table.mdx +++ b/src/content/partials/fundamentals/account-permissions-table.mdx 
@@ -55,6 +55,8 @@ import { Markdown } from "~/components"; | Cloudchamber {props.editWord} | Grants write access to Cloudchamber deployments. | | { props.src === "dash" && "Cloudflare" } Realtime Read | Grants read access to Cloudflare Realtime. | | { props.src === "dash" && "Cloudflare" } Realtime {props.editWord} | Grants write access to Cloudflare Realtime. | +| Cloudflare CASB Read | Grants read access to [Cloud Access Security Broker](/cloudflare-one/applications/casb/). | +| Cloudflare CASB {props.editWord} | Grants write access to [Cloud Access Security Broker](/cloudflare-one/applications/casb/). | | Cloudflare DEX Read | Grants read access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). | | Cloudflare DEX {props.editWord} | Grants write access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). | | { props.src === "dash" && "Cloudflare" } Images Read | Grants read access to [Cloudflare Images](/images/). |
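Review bot: In the changelog hunk (`2025-10-28-casb-roles.mdx`), the closing link points at `/fundamentals/setup/manage-members/roles/`, but the roles page edited in this same patch lives at `src/content/docs/fundamentals/manage-members/roles.mdx`, which renders at `/fundamentals/manage-members/roles/`; either a redirect for the `/setup/` path must exist or the link should be updated to match. The DLP sentence also has a stray comma that splits the noun phrase ("[Data Loss Prevention (DLP)](...), scans in CASB"); it should read "To enable [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/dlp-profiles/) scans in CASB, account members will need the **Cloudflare Zero Trust** role."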
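Review bot: In the `roles-permissions.mdx` table hunk, both new rows (`Cloudflare CASB Read` and `Cloudflare CASB`) grant Gateway Read in addition to the CASB columns, and nothing on the page explains why a CASB-only role needs Gateway visibility; if it is required (for example to display DLP profiles referenced by findings), add a footnote in the style of `[^2]` saying so, otherwise drop the ✅ so the rows match the least-privilege framing in the changelog. The changelog's statement that DLP scans require the **Cloudflare Zero Trust** role is also absent here; a footnote on the two CASB rows would keep the two pages in sync.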
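Review bot: In the `fundamentals/manage-members/roles.mdx` hunk, the blank line inserted between the moved `| Cloudflare Access | ...` row and the new `| Cloudflare CASB | ...` row terminates the Markdown table, so every row from `Cloudflare CASB` downward renders as a separate header-less table or as raw pipe text; remove the blank line so the table stays contiguous. Moving the Cloudflare Access row below Cache Purge does restore alphabetical order, which is fine.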
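Review bot: In the `account-permissions-table.mdx` hunk, the new rows hard-code the `Cloudflare` prefix instead of using the `{ props.src === "dash" && "Cloudflare" }` conditional that the neighbouring Realtime and Images rows use; this matches the adjacent DEX rows, but since the partial is also rendered for the non-dash (API token) variant with `{props.editWord}`, confirm that the API permission group names really are `Cloudflare CASB Read` and `Cloudflare CASB` plus the edit word, or switch to the conditional so the name is not shown with the prefix in that context.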