Expanded availability of Multi-User access


#1

Are you on a FREE, PRO, OR BUSINESS plan and have a need for Multi-User? Please offer some feedback here.


#2

I have Pro sites for mid-clients. I could definitely use MUA.


#3

Multi access would be a good idea!


#4

Every now and then a client asks to access his domain zone, but I have to give them full access to the account, where they may (or may not) make changes which I would like them to not make.
Multi-user access would be a cool feature but with 2 additional things:

  • ACL - I may want to give access just to a domain zone or only to certain parts of the panel
  • history of changes - if a client changes something and changes it back after (let’s say) a couple of hours, I have no idea that a change has been made

#5

Can you provide some more detail around your usage? Plan level, number of users who need access, specific scenarios, etc.


#6

Excellent detail. So you would need a huge organization of users, but need to be able to limit which zone(s) each user could access?


#7

Separation by zone is more like a second priority for me. We (as a Cloudflare Partner) separate Cloudflare accounts per client. Let’s say I have 3 different clients. As a partner I make 3 different accounts (3 different e-mail addresses used) and now I (as the account creator) have full access to the account, but I would like to give a client access to, for example, the domain zone so they can change records themselves. Right now I need to give full account access (the same one I use).
I don’t know if you are aware of how AWS IAM works and how you can log in to the AWS panel for the same account but using different users. This is what I would like to see here on Cloudflare.


#8

Pretty much what Komar has said. Definitely would want to have the rights to restrict the users from certain settings in the Cloudflare panel & domain zones, and having the choice of checking the history to see what a user has changed will be great.

I.e. a customer has logged in and changed a setting, that setting has broken something and their website isn’t accessible now, and they have tried to shift the blame onto me/Cloudflare.

I then can proceed to look at the history of the user to see if they changed anything.


#9

Why is there no edit button for posts? Or maybe I’m blind.


#10

I think it was a trust level permission. Do you see it now?


#11

Yes I do. Thanks.

PS. Due to at least 20 characters limit I had to do this PS :wink:


#12

Multi users would be great, if not, at least the ability to generate separate API keys with configurable set permissions so as to not expose the main API key.

Like @komarEX mentioned, something similar to AWS IAM accounts would be nice.


#13

Definitely by zone. For example I have a marketing firm mid client with 5 domains (end clients), another firm with 3 domains, etc. I’d like to be able to give each mid client a login with access to only their domains.


#14

Oh yes, multi-user would absolutely be great. Maybe only delegating certain tasks to users, like the ability to set page rules for the marketing/website folks, the ability to add DNS entries for a co-admin and so on.
Last but not least it’s always good practice to have more than one admin for anything as critical as DNS and Website stuff :slight_smile:


#15

Something else that would be nice would be the ability to have zone/record templates that can be shared across users or sites (e.g. G Suite MX records, SPF settings, etc.)


#16

Multiuser will definitely help us to improve our ease of use in Cloudflare. A feature like AWS IAM could be very useful in this case.

Also, a tagging feature for domains and DNS entries would help me a lot as well.

I have more than 40 domains in my panel and I need to filter them; some of them belong to schools, some of them to higher education websites and some are for other usage. Tagging Domains would be very beneficial for me. @ryan I request you to think about a tagging domain feature.

Apart from this, just a thought: it may be good to add a tagging feature to DNS entries, so I can remember which entry was for what. Sometimes there are more than 50 DNS entries on a single domain and it becomes hectic to manage them and remember which one is for which.

Thanks


#17

Tagging Domains would be very beneficial for me.

This is great feedback. I will definitely pass it along to the product folks for consideration.

I know that expansion of MU is being considered, but how exactly is still unclear.


#18

So you are looking for multi user access, but only if you can define roles on a zone by zone basis?


#19

I think a system like AWS IAM is the best possible solution for multi user access. It will take time to build it but once it is ready, I am sure users will love it.

The following could be starting policies for IAM-based roles:

  • AdministratorAccess
  • CloudflareZoneDNSFullAccess
  • CloudflareZoneDNSReadOnlyAccess
  • CloudflareZoneAnalyticsFullAccess
  • CloudflareZoneAnalyticsReadonlyAccess
  • CloudflareZoneCryptoFullAccess
  • CloudflareZoneCryptoReadonlyAccess
  • CloudflareZoneFirewallFullAccess
  • CloudflareZoneFirewallReadonlyAccess
  • CloudflareZoneSpeedFullAccess
  • CloudflareZoneSpeedReadonlyAccess
  • CloudflareZoneCachingFullAccess
  • CloudflareZoneCachingReadonlyAccess
  • CloudflareZonePageRulesFullAccess
  • CloudflareZonePageRulesReadonlyAccess
  • CloudflareZoneNetworkFullAccess
  • CloudflareZoneNetworkReadonlyAccess
  • CloudflareZoneTrafficFullAccess
  • CloudflareZoneTrafficReadonlyAccess
  • CloudflareZoneCustomizeFullAccess
  • CloudflareZoneCustomizeReadonlyAccess
  • CloudflareZoneAppsFullAccess
  • CloudflareZoneAppsReadonlyAccess
  • CloudflareZoneFScrapeshieldFullAccess
  • CloudflareZoneFScrapeshieldReadonlyAccess

There will be two types of access, just as in AWS:

  • Programmatical Access
  • Dashboard Access

It may change from customer to customer, like in Enterprise option you can add more options as per the plan.


#20

Well, I take what I can get I guess.
This would be the “ideal” solution for me :slight_smile:
Just having a second admin would already help. Maybe you can develop and roll this out in phases?
Phase 1: Second admin possible (no ACL)
Phase 2: Second admin possible with ACL on zone level (Can administer zone: yes/no)
Phase 3: Full ACL with different access levels per zone and feature (with ACLs similar to @w3dev below (Expanded availability of Multi-User access))
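
The zone- and feature-scoped access model proposed in posts #19 and #20, together with the change history asked for in #4 and #8, sketched as an added example (not part of any post and not Cloudflare's implementation). The `Account` class, its methods, the zone names and the sample changes are hypothetical and constructed; only the policy naming pattern comes from the list in #19.

```python
import re
from dataclasses import dataclass, field

# Naming pattern from post #19: CloudflareZone<Feature><Full|ReadOnly>Access.
POLICY_RE = re.compile(r"^CloudflareZone([A-Za-z]+?)(Full|Read[Oo]nly)Access$")

def parse_policy(name):
    """Map a policy name to (feature, can_write); unknown names are rejected."""
    if name == "AdministratorAccess":
        return ("*", True)
    m = POLICY_RE.match(name)
    if not m:
        raise ValueError(f"unknown policy: {name!r}")
    return (m.group(1).lower(), m.group(2) == "Full")

@dataclass
class Account:
    grants: dict = field(default_factory=dict)  # (user, zone) -> {policy names}
    audit: list = field(default_factory=list)   # append-only change history

    def grant(self, user, zone, policy):
        parse_policy(policy)                    # fail at grant time, not at use
        self.grants.setdefault((user, zone), set()).add(policy)

    def is_allowed(self, user, zone, feature, write):
        for scope in (zone, "*"):               # "*" = every zone in the account
            for policy in self.grants.get((user, scope), ()):
                feat, can_write = parse_policy(policy)
                if feat in ("*", feature.lower()) and (can_write or not write):
                    return True
        return False                            # default deny

    def change(self, user, zone, feature, setting, new):
        ok = self.is_allowed(user, zone, feature, write=True)
        # Denied attempts are logged too, so the record shows who tried what.
        self.audit.append((len(self.audit) + 1, user, zone, feature, setting, new, ok))
        return ok

def demo():
    """Constructed scenario: a partner account with one client on one zone."""
    acct = Account()
    acct.grant("partner", "*", "AdministratorAccess")
    acct.grant("client", "client-a.example", "CloudflareZoneDNSFullAccess")
    acct.grant("client", "client-a.example", "CloudflareZoneFirewallReadonlyAccess")
    acct.change("client", "client-a.example", "DNS", "A www", "192.0.2.10")
    acct.change("client", "client-a.example", "DNS", "A www", "192.0.2.1")  # reverted
    acct.change("client", "client-a.example", "Firewall", "security_level", "off")
    acct.change("client", "client-b.example", "DNS", "A www", "192.0.2.10")
    return acct
```

Both the DNS change and its revert stay in `audit`, which is the case raised in #4; the firewall write and the write to another client's zone are recorded as denied.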