releases.shpreview

Gateway policies and lists get resource-scoped roles

1 featureThis release1 featureNew capabilitiesAI-tallied from the release notes
From the original release noteView original ↗

You can now assign granular, resource-scoped roles for Cloudflare Gateway firewall policies and Zero Trust lists. Administrators can delegate access to specific policy types or list management without granting account-wide or product-wide control.

What is new

When you add a member or create a permission policy, the following resource-scoped roles are now available:

Role

Description

Zero Trust Gateway Firewall Policies Admin

Can view and edit all Gateway firewall policies, including DNS, HTTP, and Network policies.

Zero Trust Gateway DNS Policies Admin

Can view and edit Gateway DNS policies.

Zero Trust Gateway HTTP Policies Admin

Can view and edit Gateway HTTP policies.

Zero Trust Gateway Network Policies Admin

Can view and edit Gateway Network policies.

Zero Trust Gateway Egress Policies Admin

Can view and edit Gateway Egress policies.

Zero Trust Gateway Resolver Policies Admin

Can view and edit Gateway Resolver policies.

Zero Trust Gateway Policies Admin

Can view and edit all Gateway policies.

Zero Trust Gateway Policies Read

Can view all Gateway policies.

Zero Trust Gateway Read Only

Can view all Gateway resources.

Zero Trust DNS Locations Admin

Can view and edit DNS locations.

Zero Trust Proxy Endpoints Admin

Can view and edit Gateway Proxy Endpoints.

Zero Trust Account Lists Admin

Can view and edit all Gateway and Access lists.

Zero Trust Account Lists Read

Can view all Gateway and Access lists.

These roles allow you to:

  • Grant a network engineer write access to Network policies only, without exposing DNS or HTTP policy configuration.
  • Allow a security analyst to view all Gateway policies in read-only mode for auditing purposes.
  • Delegate list management to a team that maintains block and allow lists without giving them access to policy configuration.

You can also now assign Resource-scoped roles. These roles are complementary to existing account-level roles, and allow you to grant access to a specific resource, like an individual Gateway policy or Cloudflare One list. Existing account-level roles continue to work. A member with the Cloudflare Gateway or Cloudflare Zero Trust role retains full access to all Gateway resources. This ensures backward compatibility for existing automation and API tokens.

Get started

Fetched July 1, 2026

Gateway policies and lists get resource-scoped roles —… — releases.sh