Roles and permissions
When creating a Cloudflare Zero Trust account, you will be given the Super Administrator role. As a Super Administrator, you can invite members to join your Zero Trust account and assign them different roles. There is no limit to the number of members which can be added to a given account. Any members with the proper permissions will be able to make configuration changes while actively logged into Zero Trust (unless read-only mode is enabled).
To check the list of members in your account, or to manage roles and permissions, refer to our Account setup documentation.
Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.
| Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | Billing Read | Billing Edit | |
|---|---|---|---|---|---|---|---|
| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cloudflare Zero Trust | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ |
| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ |
| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
By default, only Super Administrators can view end users’ PII in the Gateway activity logs, such as Device IDs, Source IPs, or user emails. No other roles will have the ability to read PII unless Super Administrators explicitly assign the Cloudflare Zero Trust PII role to them.
The Cloudflare Zero Trust PII role should be considered an add-on role, to be combined with any role from the table above. For example, Super Administrators may decide to assign the Cloudflare Gateway role to a user, and add the Cloudflare Zero Trust PII role to allow that user to access PII in the Gateway logs.
Email Security shows you the following email detail information:
- Details
- Action log
- Raw message
- Mail trace
Email Security displays the following details:
- Threat type: Threat type of the email, for example, credential harvester, and IP-based spam.
- Validation: Email validation methods SPF ↗, DKIM ↗, DMARC ↗.
- Sender details: Information include:
- IP address
- Registered domain
- Autonomous sys number: This number identifies your autonomous system (AS) ↗.
- Autonomous sys name: This name identifies your autonomous system (AS).
- Country
- Links identified: A list of malicious links identified by Email Security.
- Reasons for disposition: Description of why the email was deemed as malicious, suspicious, or spam.
Action log allows you to review post-delivery actions performed on your selected message. The action log displays:
- Date: Date when the post-delivery action was performed.
- Activity: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.
Raw message allows you to view the raw details of the message. You can also choose to download the email message. To download the message, select Download .EML.
Mail trace allows you to track the path your selected message took from the sender to the recipient. Mail trace displays:
- Date: The date and time when the mail was tracked.
- Type: An email can be inbound (email sent to you from another email), or outbound (emails sent from your email address).
- Activity: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.