diff --git a/src/content/docs/fundamentals/manage-members/roles.mdx b/src/content/docs/fundamentals/manage-members/roles.mdx index 0ea20a8169cdd20..384a7f46512ab74 100644 --- a/src/content/docs/fundamentals/manage-members/roles.mdx +++ b/src/content/docs/fundamentals/manage-members/roles.mdx 
@@ -22,13 +22,16 @@ Account-scoped roles apply across an entire Cloudflare account, and through all | Analytics | Can read Analytics. | | API Gateway | Grants full access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | | API Gateway Read | Grants read access to [API Gateway (including API Shield)](/api-shield/) for all domains in an account. | +| Application Security Reports Read | Can read Application Security Reports. | | Audit Logs Viewer | Can view [Audit Logs](/fundamentals/account/account-security/review-audit-logs/). | -| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. | +| Bot Management (Account-Wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. | | Billing | Can edit the account's [billing profile](/billing/create-billing-profile/) and subscriptions | | Cache Purge | Can purge the edge cache and allows the reading of zone settings. | | Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). | | Cloudflare CASB | Can edit [Cloudflare CASB](/cloudflare-one/cloud-and-saas-findings/). | | Cloudflare CASB Read | Can read [Cloudflare CASB](/cloudflare-one/cloud-and-saas-findings/). | +| Cloudchamber Admin | Can manage Cloudchamber deployments. | +| Cloudchamber Admin Read Only | Can manage Cloudchamber deployments in read-only mode. | | Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). | | Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/traffic-policies/) and read [Access](/cloudflare-one/integrations/identity-providers/). 
| | Cloudflare Images | Can access [Cloudflare Images](/images/) data. | 
@@ -36,19 +39,25 @@ Account-scoped roles apply across an entire Cloudflare account, and through all | Cloudflare R2 Read | Can read Cloudflare [R2](/r2/) buckets, objects, and associated configurations. | | Cloudflare Stream | Can edit [Cloudflare Stream](/stream/) media. | | Cloudflare Zero Trust | Can edit [Cloudflare Zero Trust](/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, the Cloudflare One Client, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security. | -| Cloudflare Zero Trust DNS Locations Write | Can view [Gateway DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations) and create and edit [secure DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). | +| Cloudflare Zero Trust Secure DNS Locations Write | Can view [Gateway DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations) and create and edit [secure DNS locations](/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). | | Cloudflare Zero Trust PII | Can access [Cloudflare Zero Trust](/cloudflare-one/) PII. | | Cloudflare Zero Trust Read Only | Can access [Cloudflare Zero Trust](/cloudflare-one/) read only mode. | | Cloudflare Zero Trust Reporting | Can access [Cloudflare Zero Trust](/cloudflare-one/) reporting data. | +| Connectivity Directory Admin | Can view, edit, create, and delete [Workers VPC Services](/workers-vpc/) and bind to [Cloudflare Tunnel](/workers-vpc/configuration/tunnel/). | +| Connectivity Directory Bind | Can read, list, and bind to [Workers VPC Services](/workers-vpc/), as well as read and list [Cloudflare Tunnels](/workers-vpc/configuration/tunnel/). | +| Connectivity Directory Read | Can view [Workers VPC Services](/workers-vpc/) and [Cloudflare Tunnels](/workers-vpc/configuration/tunnel/). | | DNS | Can edit [DNS records](/dns/manage-dns-records/). 
| | Email Configuration Admin | Grants administrator access to Email security. Cannot take actions on emails, or read emails. | | Email Integration Admin | Grants read and write access to integrations only. | -| Email security Analyst | Grants analyst access. Can take action on emails and read emails. | -| Email security Read Only | Grants read only access to all of Email security. | -| Email security Reporting | Grants read access to Email security metrics. | -| Email security Policy Admin | Grants read access to all settings, and write access to [allow policies](/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) | +| Email Security Analyst | Grants analyst access. Can take action on emails and read emails. | +| Email Security Read only | Grants read only access to all of Email security. | +| Email Security Reporting | Grants read access to Email security metrics. | +| Email Security Policy Admin | Grants read access to all settings, and write access to [allow policies](/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) | | Firewall | Can edit [WAF](/waf/), [IP Access rules](/waf/tools/ip-access-rules/), [Zone Lockdown](/waf/tools/zone-lockdown/) settings, and [Cache Rules](/cache/how-to/cache-rules/). | +| HTTP Applications | Grants full access to HTTP Applications. | +| HTTP Applications Read | Grants read-only access to HTTP Applications. | | Load Balancer | Can edit [Load Balancers](/load-balancing/), Pools, Origins, and Health Checks. 
| +| Load Balancing Account Read | Can read [Load Balancing](/load-balancing/) resources such as Load Balancers, Monitors, Monitor Groups, Pools, and Health Checks. | | Log Share | Can edit [Log Share](/logs/) configuration. | | Log Share Reader | Can read Enterprise [Log Share](/logs/). | | Magic Network Monitoring | Can view and edit [Network Flow configuration](/network-flow/). | 
@@ -59,15 +68,17 @@ Account-scoped roles apply across an entire Cloudflare account, and through all | Minimal Account Access | Can view account, and nothing else. | | Page Shield | Grants write access to [Page Shield](/page-shield/) across the whole account. | | Page Shield Read | Grants read access to [Page Shield](/page-shield/) across the whole account. | -| Hyperdrive Read | Grants read access to [Hyperdrive](/hyperdrive/) database configuration. | +| Realtime | Grants access to Realtime configuration excluding sensitive data. | +| Realtime Admin | Grants administrator access to Realtime configuration. | +| Hyperdrive Read only | Grants read access to [Hyperdrive](/hyperdrive/) database configuration. | | Hyperdrive Admin | Grants write access to [Hyperdrive](/hyperdrive/) database configuration. | | SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for [DNS](/dns/) and [Firewall](/waf/). | | Secrets Store Admin | Can create, edit, duplicate, delete, and view secrets metadata. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). | | Secrets Store Deployer | Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). | | Secrets Store Reporter | Can view secrets metadata. Cannot perform any actions (create, edit, duplicate, delete secrets), nor add a Secrets Store binding to a Worker. | -| Security Center Brand Protection | Can access the Brand Protection feature on the API and Cloudflare dashboard. Brand Protection role also gives you access to the Investigate platform. | -| Security Center Cloudforce One Admin | Grants write access to [Cloudforce One](/security-center/cloudforce-one/). | -| Security Center Cloudforce One Read | Grants read access to [Cloudforce One](/security-center/cloudforce-one/), and cannot create and/or edit RFIs or PIRs. 
| +| Brand Protection | Can access the Brand Protection feature on the API and Cloudflare dashboard. Brand Protection role also gives you access to the Investigate platform. | +| Cloudforce One Admin | Grants write access to [Cloudforce One](/security-center/cloudforce-one/). | +| Cloudforce One Read | Grants read access to [Cloudforce One](/security-center/cloudforce-one/), and cannot create and/or edit RFIs or PIRs. | | Trust and Safety | Can access trust and safety related services. | | Turnstile | Grants full access to [Turnstile](/turnstile/). | | Turnstile Read | Grants read access to [Turnstile](/turnstile/). | 
@@ -75,6 +86,7 @@ Account-scoped roles apply across an entire Cloudflare account, and through all | Vectorize Read only | Can read [Vectorize](/vectorize/) configurations. | | Waiting Room Admin | Can edit [Waiting Room](/waiting-room/) configuration. | | Waiting Room Read | Can read [Waiting Room](/waiting-room/) configuration. | +| Workers Editor | Can use the [Workers Playground](/workers/playground/). | | Workers Platform Admin | Grants edit and read access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. | | Workers Platform (Read-only) | Grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](/workers/), [Pages](/pages/), [Durable Objects](/durable-objects/), [KV](/kv/), [R2](/r2/), Zones, [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. | | Connectivity Directory Read | Can view [Workers VPC Services](/workers-vpc/) and [Cloudflare Tunnels](/workers-vpc/configuration/tunnel/). | 
@@ -82,7 +94,7 @@ Account-scoped roles apply across an entire Cloudflare account, and through all | Connectivity Directory Admin | Can view, edit, create, and delete [Workers VPC Services](/workers-vpc/), including the ability to create VPC Services that bind to [Cloudflare Tunnel](/workers-vpc/configuration/tunnel/). | | Zaraz Admin | Can edit and publish [Zaraz](/zaraz/) configuration. | | Zaraz Edit | Can edit [Zaraz](/zaraz/) configuration. | -| Zaraz Read | Can read [Zaraz](/zaraz/) configuration. | +| Zaraz Read only | Can read [Zaraz](/zaraz/) configuration. | | Zone Versioning (Account-Wide) | Can view and edit [Zone Versioning](/version-management/) for all domains in account. | | Zone Versioning Read (Account-Wide) | Can view [Zone Versioning](/version-management/) for all domains in account. | @@ -121,4 +133,4 @@ Resource-scoped roles is currently in Beta. | Cloudflare Access Identity Provider Admin | Can edit a specific [Cloudflare One identity provider (IdP)](/cloudflare-one/integrations/identity-providers/) in an account. | | Cloudflare Access Policy Admin | Can edit a specific [Access policy](/cloudflare-one/access-controls/policies/) in an account. | | Cloudflare Access Service Token Admin | Can edit a specific [Access service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account. | -| Access for Infrastructure Target Admin | Can edit a specific [Access for Infrastructure target](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in an account. | +| Access for Infrastructure Target Admin | Can edit a specific [Access for Infrastructure target](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in an account. | |
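Review bot: In the `@@ -22,13 +22,16 @@` hunk, the new `Cloudchamber Admin Read Only` row says the role "Can manage Cloudchamber deployments in read-only mode", which contradicts itself: a read-only role views deployments, it does not manage them. Suggest "Can view Cloudchamber deployments." so that nobody assigns the role expecting write access or withholds it fearing write access. The two Cloudchamber rows are also inserted between `Cloudflare CASB Read` and `Cloudflare DEX`; if the table is meant to be sorted by name, they belong before `Cloudflare Access`.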
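Review bot: In the `@@ -36,19 +39,25 @@` hunk, the added `Connectivity Directory` rows duplicate rows that already exist lower in the same table: `Connectivity Directory Read` and `Connectivity Directory Admin` appear as unchanged context in the `@@ -75,6 +86,7 @@` and `@@ -82,7 +94,7 @@` hunks. After this patch those roles are listed twice, and the two Admin descriptions differ ("and bind to Cloudflare Tunnel" here, "including the ability to create VPC Services that bind to Cloudflare Tunnel" below). Keep one set of rows in one place with one wording. Separately, the renamed `Email Security Read only` uses different casing from `Cloudflare Zero Trust Read Only` a few rows above it, and the Email descriptions still say "Email security" in lower case.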
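Review bot: In the `@@ -59,15 +68,17 @@` hunk, the `Realtime` description "Grants access to Realtime configuration excluding sensitive data" does not say whether the access is read or write, or what counts as sensitive, so a reader cannot tell how it differs from `Realtime Admin` when picking the lower-privilege role. State the verb (read or edit) and name the excluded data. Dropping the "Security Center" prefix also leaves `Brand Protection`, `Cloudforce One Admin` and `Cloudforce One Read` sitting after the `Secrets Store` rows; move them if the table is meant to stay sorted by name.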
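Review bot: In the `@@ -75,6 +86,7 @@` hunk, `Workers Editor` is described only as "Can use the Workers Playground", which does not tell an administrator what a member holding a role named Editor can actually change. Say explicitly whether the role grants edit access to Workers scripts or nothing beyond the Playground, in the same style as the `Workers Platform Admin` row directly below it.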
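Review bot: In the `@@ -82,7 +94,7 @@` hunk, renaming `Zaraz Read` to `Zaraz Read only` adds another spelling of the same suffix to this patch, alongside `Cloudchamber Admin Read Only` and the existing `Workers Platform (Read-only)`, while `Turnstile Read` and `Waiting Room Read` keep the bare form. If each name is copied verbatim from the dashboard, say so in the commit message; otherwise pick one form, since readers look roles up in this table by name.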
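Review bot: In the `@@ -121,4 +133,4 @@` hunk, the removed and added `Access for Infrastructure Target Admin` rows read the same, and the added row appears to end with an extra `|`. If the change is only an end-of-file newline it is harmless, but an extra trailing cell would break the two-column table; please confirm which it is and drop the stray pipe if it is really there.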