Any side effects of changing the super admin?

Hi,

I’m the super administrator of a free Cloudflare account that I set up for my client’s new website.

Now that the website is up and running, I want to transfer super admin control to the client so that they have control of membership and billing.

I understand that the supported way to do this in the free plan is to swap the users’ details by changing the email address of each user to that of the other.

I have several doubts about how this method works in practice before I go ahead and apply it to my client’s account.

How does it affect the audit log? Will my actions be attributed to the client’s user and vice versa?

How does it affect passwords and multi-factor authentication? Will I need to disable or reset any of these features to avoid anyone being locked out?

How does it affect my access to related resources such as the community support forum and support help pages? Will I still be able to sign into them with my own email address and see my contributions?

How does it affect other email-based notifications like passive origin monitoring and certificate transparency monitoring? Will those settings be affected by the swap?

Are there any other side effects that I should be aware of?

Regards Iain

Today I tested this myself in a throwaway account.

First, the messy details:

Your passwords and 2FA settings will be reversed after doing this.

To do the role swap for real I’ll need a copy of my client’s password and 2FA seed. I’ll get them reset after confirming that the swap has worked.

You’ll need to wait between 3 and 24 hours between email address changes for the same user. Any sooner will fail with a 429 “Too many requests” error.

The delay is mentioned by judge and cloonan in similar forum questions. I didn’t see it mentioned in the docs.

Any email notifications that might be sent in the 3-24 hours between changes would presumably be sent to the temporary address. You might want to make sure that temporary address is routed back to you somehow so you don’t miss anything.

You will need to log in once as [email protected] (or whatever temp address you chose) to complete the switch over. This just feels weird.

Each user’s email address will need to be verified again after being fully swapped over.

It turns out that each user in Cloudflare automatically has an account created for them and becomes the super administator of that account. This happens even if the user is created through an invitation to an existing account. So my client has access to the account I created for them and access to another empty account named after their email address.

After performing the role swap, I will have access to the account created for my client’s email address. In our case it’s not a problem because nothing else has been created there. I’ll just be left with an extra empty account.

I was unable to test the effect on certificate transparency monitoring because in my throwaway account I didn’t properly set up any domain.

And now the good news:

Swapping the email addresses doesn’t rewrite anything that was already in the audit log. Any email address logged before the change stays the same.

The passive origin settings will be unaffected. It appears that the email addresses entered here are not linked to Cloudflare users or accounts.

And something that is kind of good news, but kind of confusing:

A “Change email” event is recorded in the audit log when the invited user’s email address changes to the temp address, and another event recorded when the address changes again to that of the iniviting user.

The event metadata looks like this:

{
  "New email": "[email protected]",
  "Old email": "clo[email protected]"
}
{
  "New email": "[email protected]",
  "Old email": "[email protected]"
}

However, I only saw two email change events in the audit log to record the operation. I was expecting three.

In my test I followed the procedure like this:

  1. I changed the email address for the invited user (Administrator) to [email protected]
  2. I changed the email address for the inviting user (Super Administrator) to the invited user’s old email address
  3. I change the email address for the invited user again to the inviting user’s old email address.

I saw two email change events logged for events 1 and 3 but not for 2.

I’m not sure if that’s how it’s supposed to work or if some logging problem exists in my account. I haven’t found detailed documentation for the log events.

This topic was automatically closed after 30 days. New replies are no longer allowed.