Cloudflare Docs
Cloudflare Fundamentals
Visit Cloudflare Fundamentals on GitHub
Set theme to dark (⇧+D)

Roles

Whenever you add a new member to your account, you can assign specific roles to these users.

​​ Account-scoped Roles

If you are adding members whose role scope includes All domains and has no other limitations, you can assign Account Scoped Roles that apply to every domain across your account.

RoleDescription
AdministratorCan access the full account, except for membership management and billing.
Super Administrator - All PrivilegesCan edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators.
Administrator Read OnlyCan access the full account in read-only mode.
AnalyticsCan read Analytics.
Audit Logs ViewerCan view Audit Logs.
BillingCan edit the account’s billing profile and subscriptions
Cloudflare AccessCan edit Cloudflare Access policies.
Cache PurgeCan purge the edge cache.
Cloudflare GatewayCan edit Cloudflare Gateway and read Access.
Cloudflare ImagesCan access Cloudflare Images data.
Cloudflare StreamCan edit Cloudflare Stream media.
Cloudflare Workers AdminCan edit Cloudflare Workers and Pages.
Cloudflare Zero TrustCan edit Cloudflare for Zero Trust.
Cloudflare Zero Trust PIICan access Cloudflare for Zero Trust PII.
Cloudflare Zero Trust Read OnlyCan access Cloudflare for Zero Trust read only mode.
Cloudflare Zero Trust ReportingCan access Cloudflare for Zero Trust reporting data.
DNSCan edit DNS records.
FirewallCan edit WAF, IP Firewall, and Zone Lockdown settings.
Load BalancerCan edit Load Balancers, Pools, Origins, and Health Checks.
Log ShareCan edit Log Share configuration.
Log Share ReaderCan read Enterprise Log Share.
Magic Network MonitoringCan view and edit MNM configuration.
Magic Network Monitoring AdminCan view, edit, create, and delete MNM configuration.
Magic Network Monitoring Read-OnlyCan view MNM configuration.
Network Services Write (Magic)Grants write access to network configurations for Magic services.
Network Services Read (Magic)Grants read access to network configurations for Magic services.
Minimal Account AccessCan view account, and nothing else.
SSL/TLS, Caching, Performance, Page Rules, and CustomizationCan edit most Cloudflare settings except for DNS and Firewall.
Trust & SafetyCan access trust and safety related services.
Waiting Room AdminCan edit Waiting Room configuration.
Waiting Room ReadCan read Waiting Room configuration.
Zaraz AdminCan edit and publish Zaraz configuration.
Zaraz EditCan edit Zaraz configuration.
Zaraz ReadCan read Zaraz configuration.
Zone Versioning (Account-Wide)Can view and edit Zone Versioning for all domains in account.
Zone Versioning Read (Account-Wide)Can view Zone Versioning for all domains in account.

​​ Domain-scoped Roles

If you are adding members whose role scope has some limitations (specific domains allowed or excluded, limited to a domain group), you can assign Domain Scoped Roles that apply to all relevant domains.

RoleDescription
Domain AdministratorGrants full access to domains in an account, and read-only access to account-wide Firewall, Access, and Worker resources.
Domain Administrator Read OnlyGrants read-only access to domains in an account, as well as account-wide Firewall, Access, and Worker resources.
Domain DNSGrants access to edit DNS settings for domains in an account.
Domain Waiting Room AdminCan edit waiting rooms configuration.
Domain Waiting Room ReadCan read waiting rooms configuration.
Zone VersioningGrants full access to Zone Versioning.
Zone Versioning ReadGrants read-only access to Zone Versioning.