Roles
Whenever you add a new member to your account, you can assign specific roles to these users.
Account-scoped Roles
If you are adding members whose role scope includes All domains and has no other limitations, you can assign Account Scoped Roles that apply to every domain across your account.
| Role | Description |
|---|---|
| Administrator | Can access the full account including subscriptions, except for membership management and billing. |
| Super Administrator - All Privileges | Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators. |
| Administrator Read Only | Can access the full account in read-only mode. |
| Analytics | Can read Analytics. |
| API Gateway | Grants full access to API Gateway (including API Shield) for all domains in an account. |
| API Gateway Read | Grants read access to API Gateway (including API Shield) for all domains in an account. |
| Audit Logs Viewer | Can view Audit Logs. |
| Billing | Can edit the account’s billing profile and subscriptions |
| Cloudflare Access | Can edit Cloudflare Access policies. |
| Cache Purge | Can purge the edge cache. |
| Cloudflare DEX | Can edit Cloudflare DEX. |
| Cloudflare Gateway | Can edit Cloudflare Gateway and read Access. |
| Cloudflare Images | Can access Cloudflare Images data. |
| Cloudflare R2 Admin | Can edit Cloudflare R2 buckets, objects, and associated configurations. |
| Cloudflare R2 Read | Can read Cloudflare R2 buckets, objects, and associated configurations. |
| Cloudflare Stream | Can edit Cloudflare Stream media. |
| Cloudflare Workers Admin | Can edit Cloudflare Workers, Pages, and R2. |
| Cloudflare Zero Trust | Can edit Cloudflare for Zero Trust. |
| Cloudflare Zero Trust PII | Can access Cloudflare for Zero Trust PII. |
| Cloudflare Zero Trust Read Only | Can access Cloudflare for Zero Trust read only mode. |
| Cloudflare Zero Trust Reporting | Can access Cloudflare for Zero Trust reporting data. |
| DNS | Can edit DNS records. |
| Firewall | Can edit WAF, IP Firewall, and Zone Lockdown settings. |
| Load Balancer | Can edit Load Balancers, Pools, Origins, and Health Checks. |
| Log Share | Can edit Log Share configuration. |
| Log Share Reader | Can read Enterprise Log Share. |
| Magic Network Monitoring | Can view and edit MNM configuration. |
| Magic Network Monitoring Admin | Can view, edit, create, and delete MNM configuration. |
| Magic Network Monitoring Read-Only | Can view MNM configuration. |
| Network Services Write (Magic) | Grants write access to network configurations for Magic services. |
| Network Services Read (Magic) | Grants read access to network configurations for Magic services. |
| Minimal Account Access | Can view account, and nothing else. |
| Page Shield | Grants write access to Page Shield across the whole account. |
| Page Shield Read | Grants write access to Page Shield across the whole account. |
| Query Cache Read | Grants read access to Query Cache configuration. |
| Query Cache Write | Grants write access to Query Cache configuration. |
| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for DNS and Firewall. |
| Trust & Safety | Can access trust and safety related services. |
| Turnstile | Grants full access to Turnstile. |
| Turnstile Read | Grants read access to Turnstile. |
| Waiting Room Admin | Can edit Waiting Room configuration. |
| Waiting Room Read | Can read Waiting Room configuration. |
| Zaraz Admin | Can edit and publish Zaraz configuration. |
| Zaraz Edit | Can edit Zaraz configuration. |
| Zaraz Read | Can read Zaraz configuration. |
| Zone Versioning (Account-Wide) | Can view and edit Zone Versioning for all domains in account. |
| Zone Versioning Read (Account-Wide) | Can view Zone Versioning for all domains in account. |
Domain-scoped Roles
If you are adding members whose role scope has some limitations (specific domains allowed or excluded, limited to a domain group), you can assign Domain Scoped Roles that apply to all relevant domains.
| Role | Description |
|---|---|
| Bot Management | Can edit Bot Management (including Super Bot Fight Mode) configurations. |
| Domain Administrator | Grants full access to domains in an account, and read-only access to account-wide Firewall, Access, and Worker resources. |
| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide Firewall, Access, and Worker resources. |
| Domain API Gateway | Grants full access to API Gateway (including API Shield. |
| Domain API Gateway Read | Grants read access to API Gateway (including API Shield. |
| Domain DNS | Grants access to edit DNS settings for domains in an account. |
| Domain Page Shield | Grants write access to Page Shield for domains in an account. |
| Domain Page Shield Read | Grants read access to Page Shield for domains in an account. |
| Domain Waiting Room Admin | Can edit waiting rooms configuration. |
| Domain Waiting Room Read | Can read waiting rooms configuration. |
| Domain Page Shield | Grants read access to Page Shield for domain. |
| Domain Page Shield Read | Grants write access to Page Shield for domain. |
| Zone Versioning | Grants full access to Zone Versioning. |
| Zone Versioning Read | Grants read-only access to Zone Versioning. |