{"id":476,"date":"2026-05-21T00:00:00","date_gmt":"2026-05-21T00:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/05\/21\/cloudflare-fundamentals-cloudflare-one-cloudflare-tunnel-for-sase-cloudflare-tunnel-cloudflare-mesh-granular-permissions-for-cloudflare-tunnel-and-cloudflare-mesh\/"},"modified":"2026-05-21T00:00:00","modified_gmt":"2026-05-21T00:00:00","slug":"cloudflare-fundamentals-cloudflare-one-cloudflare-tunnel-for-sase-cloudflare-tunnel-cloudflare-mesh-granular-permissions-for-cloudflare-tunnel-and-cloudflare-mesh","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/05\/21\/cloudflare-fundamentals-cloudflare-one-cloudflare-tunnel-for-sase-cloudflare-tunnel-cloudflare-mesh-granular-permissions-for-cloudflare-tunnel-and-cloudflare-mesh\/","title":{"rendered":"Cloudflare Fundamentals, Cloudflare One, Cloudflare Tunnel for SASE, Cloudflare Tunnel, Cloudflare Mesh &#8211; Granular permissions for Cloudflare Tunnel and Cloudflare Mesh"},"content":{"rendered":"<p>You can now scope Cloudflare permissions to individual <a href=\"https:\/\/developers.cloudflare.com\/tunnel\/\">Cloudflare Tunnel<\/a> instances and <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/connectors\/cloudflare-mesh\/\">Cloudflare Mesh<\/a> nodes. Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking.<\/p>\n<h4>What is new<\/h4>\n<p>When you <a href=\"https:\/\/developers.cloudflare.com\/fundamentals\/manage-members\/manage\/\">add a member<\/a> or create a <a href=\"https:\/\/developers.cloudflare.com\/fundamentals\/manage-members\/policies\/\">permission policy<\/a>, the resource picker now lists <a href=\"https:\/\/developers.cloudflare.com\/tunnel\/\">Cloudflare Tunnel<\/a> instances and <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/connectors\/cloudflare-mesh\/\">Cloudflare Mesh<\/a> nodes as scopable resource types. You can:<\/p>\n<ul>\n<li>Grant a read-only role on a single Cloudflare Tunnel instance to a support operator for log streaming and diagnostics \u2014 without exposing other Tunnels or destructive actions.<\/li>\n<li>Grant a write role on a specific Cloudflare Mesh node to an application team \u2014 without giving them access to the rest of your private network.<\/li>\n<li>Scope a single policy to one or many Tunnels and Mesh nodes at once.<\/li>\n<\/ul>\n<h4>How it works<\/h4>\n<p>Granular permissions are a parallel layer to existing account-level roles \u2014 they do not replace them.<\/p>\n<ul>\n<li><strong>Existing account-level roles continue to work.<\/strong> A member with <code>Cloudflare Access<\/code> or <code>Cloudflare Zero Trust<\/code> retains write access to every Tunnel and Mesh node in the account. This ensures backward compatibility for existing automation and tokens.<\/li>\n<li><strong>Granular permissions are additive.<\/strong> For any API request on a specific Tunnel or Mesh node, access is granted if the principal has <strong>either<\/strong> the account-level role <strong>or<\/strong> a granular permission for that resource.<\/li>\n<li><strong>Resource enumeration is authorization-aware.<\/strong> Listing endpoints (<code>GET \/accounts\/{id}\/cfd_tunnel<\/code>, <code>GET \/accounts\/{id}\/warp_connector<\/code>) return only the resources the principal has at least read access to.<\/li>\n<\/ul>\n<h4>Get started<\/h4>\n<ul>\n<li>Configure <a href=\"https:\/\/developers.cloudflare.com\/tunnel\/advanced\/granular-permissions\/\">granular permissions for Cloudflare Tunnel<\/a>.<\/li>\n<li>Configure <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/networks\/connectors\/granular-permissions\/\">granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One<\/a>.<\/li>\n<li>Review the <a href=\"https:\/\/developers.cloudflare.com\/fundamentals\/manage-members\/roles\/#resource-scoped-roles\">resource-scoped roles<\/a> on the Cloudflare role reference.<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>You can now scope Cloudflare permissions to individual Cloudflare Tunnel instances and Cloudflare Mesh nodes. Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking. What is new When you add a member or create a permission policy, the resource picker now lists Cloudflare Tunnel instances and Cloudflare [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-476","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=476"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/476\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}