Fine-grained permissions for Access policies and Access service tokens are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources. New roles
Cloudflare Access policy admin: Can edit a specific Access policy in an account. Cloudflare Access service token admin: Can edit a specific Access service token in an account.
These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets. For more information:
Resource-scoped roles Role scopes
NoteResource-scoped roles is currently in beta.
Fetched April 4, 2026