Changelog

New updates and improvements at Cloudflare.

New permissions and roles for Gateway policies and lists

You can now assign granular, resource-scoped roles for Cloudflare Gateway firewall policies and Zero Trust lists. Administrators can delegate access to specific policy types or list management without granting account-wide or product-wide control.

What is new

When you add a member or create a permission policy, the following resource-scoped roles are now available:

| Role | Description |
| --- | --- |
| Zero Trust Gateway Firewall Policies Admin | Can view and edit all Gateway firewall policies, including DNS, HTTP, and Network policies. |
| Zero Trust Gateway DNS Policies Admin | Can view and edit Gateway DNS policies. |
| Zero Trust Gateway HTTP Policies Admin | Can view and edit Gateway HTTP policies. |
| Zero Trust Gateway Network Policies Admin | Can view and edit Gateway Network policies. |
| Zero Trust Gateway Egress Policies Admin | Can view and edit Gateway Egress policies. |
| Zero Trust Gateway Resolver Policies Admin | Can view and edit Gateway Resolver policies. |
| Zero Trust Gateway Policies Admin | Can view and edit all Gateway policies. |
| Zero Trust Gateway Policies Read | Can view all Gateway policies. |
| Zero Trust Gateway Read Only | Can view all Gateway resources. |
| Zero Trust DNS Locations Admin | Can view and edit DNS locations. |
| Zero Trust Proxy Endpoints Admin | Can view and edit Gateway Proxy Endpoints. |
| Zero Trust Account Lists Admin | Can view and edit all Gateway and Access lists. |
| Zero Trust Account Lists Read | Can view all Gateway and Access lists. |

These roles allow you to:

  • Grant a network engineer write access to Network policies only, without exposing DNS or HTTP policy configuration.
  • Allow a security analyst to view all Gateway policies in read-only mode for auditing purposes.
  • Delegate list management to a team that maintains block and allow lists without giving them access to policy configuration.

You can now also assign resource-scoped roles. These complement the existing account-level roles and let you grant access to a specific resource, such as an individual Gateway policy or Cloudflare One list. Existing account-level roles continue to work: a member with the Cloudflare Gateway or Cloudflare Zero Trust role retains full access to all Gateway resources, which preserves backward compatibility for existing automation and API tokens.

Get started