Closed
20 changes: 20 additions & 0 deletions src/content/changelog/casb/2025-10-28-casb-roles.mdx
@@ -0,0 +1,20 @@
---
title: CASB introduces new granular roles
description: Cloudflare CASB adds two new granular roles, CASB Read and CASB, for more precise user access control.
products:
- casb
date: 2025-10-28
---

Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:

* **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
* **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product.

These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles.

To enable [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/dlp-profiles/), scans in CASB, account members will need the **Cloudflare Zero Trust** role.

You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** > **Members**.

To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](/fundamentals/setup/manage-members/roles/).
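
Review bot: The DLP sentence near the end of the body has a stray comma after the link ("...dlp-profiles/), scans in CASB") that splits the phrase "Data Loss Prevention (DLP) scans in CASB"; drop it. That sentence also sits awkwardly against the least-privilege paragraph above it: it requires the **Cloudflare Zero Trust** role, which the footnote in roles-permissions.mdx describes as administrator access to all Zero Trust products, so the entry should say plainly that the two new CASB roles on their own do not cover DLP scans. Separately, the front-matter description names the roles "CASB Read and CASB" while the body uses "Cloudflare CASB Read" and "Cloudflare CASB"; use the full role names in both places so readers can match them in the dashboard.
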
22 changes: 12 additions & 10 deletions src/content/docs/cloudflare-one/roles-permissions.mdx
Expand Up @@ -15,16 +15,18 @@ To check the list of members in your account, or to manage roles and permissions

Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.

| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit |
| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- |
| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cloudflare Zero Trust[^1] | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ |
| Cloudflare Zero Trust DNS Locations Write[^2] | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit | CASB Read | CASB Edit |
| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- | --------- | --------- |
| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cloudflare Zero Trust[^1] | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust DNS Locations Write[^2] | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Cloudflare CASB Read | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Cloudflare CASB | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |

[^1]: The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security.
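
Review bot: In the two new rows at the bottom of the table, Cloudflare CASB Read and Cloudflare CASB are both marked ✅ under Gateway Read, but the changelog entry and the role descriptions in roles.mdx describe these roles only in terms of CASB access. If Gateway Read is intentional, add a footnote explaining why the CASB roles carry it; if it is not, those cells should be ❌, since someone assigning the role for least privilege would not expect Gateway read access to come with it.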

5 changes: 4 additions & 1 deletion src/content/docs/fundamentals/manage-members/roles.mdx
Expand Up @@ -25,8 +25,11 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/account/account-security/review-audit-logs/). |
| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. |
| Billing | Can edit the account's [billing profile](/billing/create-billing-profile/) and subscriptions |
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |
| Cache Purge | Can purge the edge cache and allows the reading of zone settings. |
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |

| Cloudflare CASB | Can edit [Cloudflare CASB](/cloudflare-one/applications/casb/). |
| Cloudflare CASB Read | Can read [Cloudflare CASB](/cloudflare-one/applications/casb/). |
| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). |
| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/traffic-policies/) and read [Access](/cloudflare-one/integrations/identity-providers/). |
| Cloudflare Images | Can access [Cloudflare Images](/images/) data. |
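
Review bot: There is an empty line between the relocated "Cloudflare Access" row and the new "Cloudflare CASB" row, and a blank line inside a Markdown table ends the table, so the CASB rows and everything after them will no longer render as part of it. Remove the blank line so "Cloudflare CASB" follows "Cloudflare Access" directly. The descriptions here ("Can edit" and "Can read" Cloudflare CASB) also say nothing about the Gateway Read permission that roles-permissions.mdx shows for both roles; mention it here if it is intended.
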
Expand Up @@ -55,6 +55,8 @@ import { Markdown } from "~/components";
| Cloudchamber {props.editWord} | Grants write access to Cloudchamber deployments. |
| { props.src === "dash" && "Cloudflare" } Realtime Read | Grants read access to Cloudflare Realtime. |
| { props.src === "dash" && "Cloudflare" } Realtime {props.editWord} | Grants write access to Cloudflare Realtime. |
| Cloudflare CASB Read | Grants read access to [Cloud Access Security Broker](/cloudflare-one/applications/casb/). |
| Cloudflare CASB {props.editWord} | Grants write access to [Cloud Access Security Broker](/cloudflare-one/applications/casb/). |
| Cloudflare DEX Read | Grants read access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). |
| Cloudflare DEX {props.editWord} | Grants write access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). |
| { props.src === "dash" && "Cloudflare" } Images Read | Grants read access to [Cloudflare Images](/images/). |
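
Review bot: The two new CASB rows hard-code the "Cloudflare" prefix, as the DEX rows do, while the neighbouring Realtime and Images rows only add it when `props.src === "dash"`. Please confirm the permission is named "Cloudflare CASB Read" / "Cloudflare CASB {props.editWord}" in both the dashboard and the non-dashboard rendering of this table; if the prefix only appears in the dashboard, use the same conditional as the Realtime rows so the documented name matches what users see when scoping an API token.
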