Skip to content

Commit 834878a

Browse files
ranbeldtrzaska-c
ranbel
and
dtrzaska-c
authored
[CF1] Add CASB roles (cloudflare#26197)
* [CASB] Add CASB to Roles and Permissions * fix alphabetical ordering * Update 2025-10-28-casb-roles.mdx * Apply suggestions from code review * fix links --------- Co-authored-by: Dennis Trzaska <dtrzaska@cloudflare.com>
1 parent 62cbe73 commit 834878a

File tree

5 files changed

+39
-12
lines changed

5 files changed

+39
-12
lines changed

.github/CODEOWNERS

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@
6666
/src/content/docs/cloudflare-one/access-controls/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
6767
/src/content/docs/cloudflare-one/team-and-resources/devices/ @ranbel @cloudflare/pcx-technical-writing
6868
/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing
69-
/src/content/docs/cloudflare-one/applications/casb/ @maxvp @cloudflare/pcx-technical-writing
69+
/src/content/docs/cloudflare-one/cloud-and-saas-findings/ @maxvp @cloudflare/pcx-technical-writing
7070
/src/content/docs/cloudflare-one/traffic-policies/ @maxvp @cloudflare/pcx-technical-writing
7171
/src/content/docs/cloudflare-one/remote-browser-isolation/ @deadlypants1973 @cloudflare/pcx-technical-writing
7272
/src/content/docs/cloudflare-one/data-loss-prevention/ @maxvp @cloudflare/pcx-technical-writing

src/content/changelog/casb/2025-10-28-casb-roles.mdx

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
---
2+
title: CASB introduces new granular roles
3+
description: Cloudflare CASB adds two new granular roles, CASB Read and CASB, for more precise user access control.
4+
products:
5+
- casb
6+
date: 2025-10-28
7+
---
8+
9+
Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:
10+
11+
* **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
12+
* **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product.
13+
14+
These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles.
15+
16+
To enable [Data Loss Prevention (DLP)](/cloudflare-one/data-loss-prevention/dlp-profiles/), scans in CASB, account members will need the **Cloudflare Zero Trust** role.
17+
18+
You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** > **Members**.
19+
20+
To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](/fundamentals/manage-members/roles/).

src/content/docs/cloudflare-one/roles-permissions.mdx

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -15,16 +15,18 @@ To check the list of members in your account, or to manage roles and permissions
1515

1616
Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.
1717

18-
| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit |
19-
| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- |
20-
| Super Administrator ||||||||||||
21-
| Cloudflare Zero Trust[^1] ||||||||||||
22-
| Cloudflare Access ||||||||||||
23-
| Cloudflare Gateway ||||||||||||
24-
| Cloudflare Zero Trust Read Only ||||||||||||
25-
| Cloudflare Zero Trust Reporting ||||||||||||
26-
| Cloudflare Zero Trust DNS Locations Write[^2] ||||||||||||
27-
| Cloudflare DEX ||||||||||||
18+
| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit | CASB Read | CASB Edit |
19+
| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- | --------- | --------- |
20+
| Super Administrator ||||||||||||||
21+
| Cloudflare Zero Trust[^1] ||||||||||||||
22+
| Cloudflare Access ||||||||||||||
23+
| Cloudflare Gateway ||||||||||||||
24+
| Cloudflare Zero Trust Read Only ||||||||||||||
25+
| Cloudflare Zero Trust Reporting ||||||||||||||
26+
| Cloudflare Zero Trust DNS Locations Write[^2] ||||||||||||||
27+
| Cloudflare DEX ||||||||||||||
28+
| Cloudflare CASB Read ||||||||||||||
29+
| Cloudflare CASB ||||||||||||||
2830

2931
[^1]: The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security.
3032

src/content/docs/fundamentals/manage-members/roles.mdx

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,8 +25,11 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
2525
| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/account/account-security/review-audit-logs/). |
2626
| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account. |
2727
| Billing | Can edit the account's [billing profile](/billing/create-billing-profile/) and subscriptions |
28-
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |
2928
| Cache Purge | Can purge the edge cache and allows the reading of zone settings. |
29+
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/). |
30+
31+
| Cloudflare CASB | Can edit [Cloudflare CASB](/cloudflare-one/cloud-and-saas-findings/). |
32+
| Cloudflare CASB Read | Can read [Cloudflare CASB](/cloudflare-one/cloud-and-saas-findings/). |
3033
| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). |
3134
| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/traffic-policies/) and read [Access](/cloudflare-one/integrations/identity-providers/). |
3235
| Cloudflare Images | Can access [Cloudflare Images](/images/) data. |

src/content/partials/fundamentals/account-permissions-table.mdx

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,8 @@ import { Markdown } from "~/components";
5555
| Cloudchamber {props.editWord} | Grants write access to Cloudchamber deployments. |
5656
| { props.src === "dash" && "Cloudflare" } Realtime Read | Grants read access to Cloudflare Realtime. |
5757
| { props.src === "dash" && "Cloudflare" } Realtime {props.editWord} | Grants write access to Cloudflare Realtime. |
58+
| Cloudflare CASB Read | Grants read access to [Cloud Access Security Broker](/cloudflare-one/cloud-and-saas-findings/). |
59+
| Cloudflare CASB {props.editWord} | Grants write access to [Cloud Access Security Broker](/cloudflare-one/cloud-and-saas-findings/). |
5860
| Cloudflare DEX Read | Grants read access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). |
5961
| Cloudflare DEX {props.editWord} | Grants write access to [Digital Experience Monitoring](/cloudflare-one/insights/dex/). |
6062
| { props.src === "dash" && "Cloudflare" } Images Read | Grants read access to [Cloudflare Images](/images/). |

0 commit comments

Comments
 (0)