2FA - Granted Access Inheritance

If Organization B grants access to Organization A’s Super Admin user, and all members of Organization A are assigned the Administrator role, will all of the members of Organization A be able to access the Organization B account? Or will the Super Admin be the only one that can access Organization B’s account?

We’re using the Free version of Cloudflare.

There is no inheritance, so only the individual users you invite to your organisation will be granted access.


Thanks Michael. So how would you approach getting 2FA set up so that all team members are able to provide 2FA when signing into the Super Admin account?

There is a setting to enforce 2FA:

If you are an Enterprise user, you could enable SSO with your existing identity provider, where you hopefully enforce MFA anyway!

I may have misunderstood the use case. Are you trying to have multiple people use MFA for a single shared super-admin user? I think the easiest way is to save the TOTP code safely somewhere, and have each person add the code to their TOTP app of choice (I like Authy, but they are all essentially the same).

Not really the best idea from a security perspective. Just remember to roll the code every time somebody leaves the team.


Just to clear up things here.

  1. Everyone is able to use 2FA in their account.
  2. Free/Pro/Biz use Regular accounts (1 Super admin per account); this account does not have control of, or access to, the information or settings of the accounts of the users they invite.
  3. Enterprise uses Organizations; they can create/delete accounts, manage the users they provision (including authentication), and invite external users (they do not manage external users’ details).

With this in mind:

  • A super administrator of an account, in any plan, can enable Member 2FA enforcement for the account or organization.
    • When enabled, any user that has not set up 2FA will need to enable 2FA in their account to access the account of which they are a member.

Anyone can enable 2FA enforcement for their account under the members section of their account/organization.


Perfect - thanks Michael. This is the direction/validation I was looking for. I appreciate your time in helping me.
