Skip to content

Role scopes

Scopes are one of three constituent parts of a policy that allows granting of access to users.

To allow for flexible combinations of access to users, Cloudflare currently has two types of scopes (Account and Domain), with different sets of roles for each scope.


Choose the scope of roles

Each policy has a limitation of a single scope, but you can assign multiple policies to a given user.

You can choose the scope of a policy when you add a member.

Account scope

If you want the member to have a policy that applies across your account, use the following combination of fields.

FieldValue
OperatorInclude
TypeAll domains

Specific Domains

If you want the member to have a policy that applies to a specific domain, use the following combination of fields. When applying these roles to this policy, only domain-scoped roles can be used.

FieldValue
OperatorInclude
TypeA specific domain
NameA specific domain

Domain groups

If you have a set of domains that are all categorized similarly (e.g. all of your sensitive/production domains, all domains around a given project or geography), you can pre-assign them into a domain group and then create policies that provide access to all domains within this group.

Create group

To create a domain group:

  1. Log in to the Cloudflare dashboard and select your account (you must be logged in as a Super Administrator and have a verified email address).

  2. Go to Manage Account > Configurations > Lists.

  3. For Domain Group Manager, select Create.

  4. Create your domain group:

    1. Select the domains to include.
    2. Add a Name.
    3. Select Create.

You can also edit and delete these groups as needed.

Use group

To assign a member permissions to a domain group, use the following combination of fields:

FieldValue
OperatorInclude
TypeDomain Group
NameExample Group