New permissions and roles for Gateway policies and lists
You can now assign granular, resource-scoped roles for Cloudflare Gateway firewall policies and Zero Trust lists. Administrators can delegate access to specific policy types or list management without granting account-wide or product-wide control.
When you add a member or create a permission policy, the following resource-scoped roles are now available:
| Role | Description |
|---|---|
| Zero Trust Gateway Firewall Policies Admin | Can view and edit all Gateway firewall policies, including DNS, HTTP, and Network policies. |
| Zero Trust Gateway DNS Policies Admin | Can view and edit Gateway DNS policies. |
| Zero Trust Gateway HTTP Policies Admin | Can view and edit Gateway HTTP policies. |
| Zero Trust Gateway Network Policies Admin | Can view and edit Gateway Network policies. |
| Zero Trust Gateway Egress Policies Admin | Can view and edit Gateway Egress policies. |
| Zero Trust Gateway Resolver Policies Admin | Can view and edit Gateway Resolver policies. |
| Zero Trust Gateway Policies Admin | Can view and edit all Gateway policies. |
| Zero Trust Gateway Policies Read | Can view all Gateway policies. |
| Zero Trust Gateway Read Only | Can view all Gateway resources. |
| Zero Trust DNS Locations Admin | Can view and edit DNS locations. |
| Zero Trust Proxy Endpoints Admin | Can view and edit Gateway Proxy Endpoints. |
| Zero Trust Account Lists Admin | Can view and edit all Gateway and Access lists. |
| Zero Trust Account Lists Read | Can view all Gateway and Access lists. |
These roles allow you to:
- Grant a network engineer write access to Network policies only, without exposing DNS or HTTP policy configuration.
- Allow a security analyst to view all Gateway policies in read-only mode for auditing purposes.
- Delegate list management to a team that maintains block and allow lists without giving them access to policy configuration.
You can also now assign resource-scoped roles. These roles complement the existing account-level roles and allow you to grant access to a specific resource, such as an individual Gateway policy or Cloudflare One list. Existing account-level roles continue to work: a member with the Cloudflare Gateway or Cloudflare Zero Trust role retains full access to all Gateway resources, which ensures backward compatibility for existing automation and API tokens.
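As an added illustration (not Cloudflare's code), the following Python models each role in the table above as a set of (resource, action) capabilities and picks the least-privilege role combination for a task, so the three delegation scenarios can be checked before a permission policy is created. The capability model is an assumption derived from the one-line role descriptions; the real permission sets may be more fine-grained.

```python
from itertools import combinations

# ASSUMPTION: capabilities are inferred from the role descriptions in the
# changelog table; resource names here are labels chosen for this example.
POLICY_TYPES = ("dns", "http", "network", "egress", "resolver")
FIREWALL_TYPES = ("dns", "http", "network")  # covered by "Firewall Policies Admin"
GATEWAY_RESOURCES = POLICY_TYPES + ("dns_locations", "proxy_endpoints")

def _caps(resources, actions=("view", "edit")):
    return frozenset((r, a) for r in resources for a in actions)

ROLES = {
    "Zero Trust Gateway Firewall Policies Admin": _caps(FIREWALL_TYPES),
    "Zero Trust Gateway DNS Policies Admin": _caps(("dns",)),
    "Zero Trust Gateway HTTP Policies Admin": _caps(("http",)),
    "Zero Trust Gateway Network Policies Admin": _caps(("network",)),
    "Zero Trust Gateway Egress Policies Admin": _caps(("egress",)),
    "Zero Trust Gateway Resolver Policies Admin": _caps(("resolver",)),
    "Zero Trust Gateway Policies Admin": _caps(POLICY_TYPES),
    "Zero Trust Gateway Policies Read": _caps(POLICY_TYPES, ("view",)),
    "Zero Trust Gateway Read Only": _caps(GATEWAY_RESOURCES, ("view",)),
    "Zero Trust DNS Locations Admin": _caps(("dns_locations",)),
    "Zero Trust Proxy Endpoints Admin": _caps(("proxy_endpoints",)),
    "Zero Trust Account Lists Admin": _caps(("lists",)),
    "Zero Trust Account Lists Read": _caps(("lists",), ("view",)),
}

def exposure(roles, required):
    """Capabilities the given roles grant beyond what the task requires."""
    granted = frozenset().union(*(ROLES[r] for r in roles))
    return sorted(granted - frozenset(required))

def minimal_roles(required, max_roles=2):
    """Pick the fewest roles that cover `required`, then the combination with
    the least excess privilege. Returns (roles, excess) or None if no fit."""
    required = frozenset(required)
    for k in range(1, max_roles + 1):
        best = None
        for combo in combinations(sorted(ROLES), k):
            if required <= frozenset().union(*(ROLES[r] for r in combo)):
                cand = (len(exposure(combo, required)), combo)
                if best is None or cand < best:
                    best = cand
        if best is not None:
            return list(best[1]), exposure(best[1], required)
    return None

if __name__ == "__main__":
    # Network-engineer scenario: edit Network policies only.
    print(minimal_roles(_caps(("network",))))
```

Running `exposure(["Zero Trust Gateway Firewall Policies Admin"], _caps(("network",)))` shows why the broader role is the wrong choice for that engineer: it additionally grants DNS and HTTP policy view and edit.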
- Review the resource-scoped roles on the Cloudflare role reference.
- Learn how to create permission policies that use these roles.