Expanded availability of Multi-User access

Oh yes, multi-user would absolutely be great. Maybe only delegating certain tasks to users, like the ability to set page rules for the marketing/website folks, the ability to add DNS entries for a co-admin and so on.
Last but not least it’s always good practice to have more than one admin for anything as critical as DNS and Website stuff :slight_smile:

2 Likes

Something else that would be nice would be the ability to have zone/record templates that can be shared across users or sites (e.g. G Suite MX records, SPF settings, etc.)

1 Like

Multiuser will definitely help us to improve our ease of use in Cloudflare. A feature like AWS IAM could be very useful in this case.

Also, a tagging feature for domains and DNS entries would help me a lot as well.

I have more than 40 domains in my panel and I need to filter them; for example, some of them belong to schools, some to higher education websites and some are for other usage. Tagging Domains would be very beneficial for me. @ryan I request you to think about a domain tagging feature.

Apart from this, just a thought: it may be good to add a tagging feature to DNS entries, so I can remember which entry was for what. Sometimes there are more than 50 DNS entries on a single domain, and it becomes hectic to manage them and remember which one is for which.

Thanks

1 Like

Tagging Domains would be very beneficial for me.

This is great feedback. I will definitely pass it along to the product folks for consideration.

I know that expansion of MU is being considered, but how exactly is still unclear.

1 Like

So you are looking for multi user access, but only if you can define roles on a zone by zone basis?

I think a system like AWS IAM is the best possible solution for multi user access. It will take time to build it but once it is ready, I am sure users will love it.

The following could be starting policies for IAM-based roles:

  • AdministratorAccess
  • CloudflareZoneDNSFullAccess
  • CloudflareZoneDNSReadOnlyAccess
  • CloudflareZoneAnalyticsFullAccess
  • CloudflareZoneAnalyticsReadonlyAccess
  • CloudflareZoneCryptoFullAccess
  • CloudflareZoneCryptoReadonlyAccess
  • CloudflareZoneFirewallFullAccess
  • CloudflareZoneFirewallReadonlyAccess
  • CloudflareZoneSpeedFullAccess
  • CloudflareZoneSpeedReadonlyAccess
  • CloudflareZoneCachingFullAccess
  • CloudflareZoneCachingReadonlyAccess
  • CloudflareZonePageRulesFullAccess
  • CloudflareZonePageRulesReadonlyAccess
  • CloudflareZoneNetworkFullAccess
  • CloudflareZoneNetworkReadonlyAccess
  • CloudflareZoneTrafficFullAccess
  • CloudflareZoneTrafficReadonlyAccess
  • CloudflareZoneCustomizeFullAccess
  • CloudflareZoneCustomizeReadonlyAccess
  • CloudflareZoneAppsFullAccess
  • CloudflareZoneAppsReadonlyAccess
  • CloudflareZoneFScrapeshieldFullAccess
  • CloudflareZoneFScrapeshieldReadonlyAccess

There will be two types of access, just as in AWS:

  • Programmatical Access
  • Dashboard Access

It may change from customer to customer; for example, in the Enterprise option you can add more options as per the plan.

3 Likes

Well, I take what I can get I guess.
This would be the “ideal” solution for me :slight_smile:
Just having a second admin would already help. Maybe you can develop and roll this out in phases?
Phase 1: Second admin possible (no ACL)
Phase 2: Second admin possible with ACL on zone level (Can administer zone: yes/no)
Phase 3: Full ACL with different access levels per zone and feature (with ACLs similar to @w3dev below: https://community.Cloudflare.com/t/expanded-availability-of-multi-user-access/64/19?u=michelz)

3 Likes

Definitely a per-zone API. The case I have in mind is for a domain admin to be able to purge the entire cache for their domain when needed.

1 Like

Good example of needing multiple API key/user permissions, so we can utilise stuff like fail2ban actions passing to the Cloudflare API without compromising the main API key: https://community.Cloudflare.com/t/tutorial-protecting-your-site-from-http-flood-attacks/436

This is a really good idea, I personally think it should be a pro rather than Enterprise feature so it’s available to more users. An added benefit is more paying customers. $20/month is cheaper than $5000/month.

1 Like

I found it absolutely remarkable that Cloudflare had no ability to allow at least two admins on all paid accounts. This is a rather important feature. Shared credentials are a poor security practice, and make it nigh on impossible to use two factor authentication in a sane way. For everyone wanting all of these fine-grained ACLs – I find it hard to disagree with the sentiment, but I’d rather have anything over the current situation. Please, Cloudflare, do not allow feature creep to delay this important feature!

4 Likes

Hello all - Really appreciate the details and the feedback. We definitely know that this is something you guys want, but to avoid feature creep (thanks @gork) it really helps to know why and how.

Some of you have already done this, but please try to describe what your specific needs are. Is it just more than one admin? Do you need zone specific permissions? Detailed ACL? What level account do you have now?

Thanks, and keep the feedback coming!

1 Like

I currently use the free plan, and what I want/need is to be able to have different API keys for different sites. I am using the Cloudflare plugin for WordPress, which uses the API key to connect to Cloudflare. Even when these are just personal sites, I’d rather use separate keys for each site, so that if the key is ever exposed the damage will be limited to just a single site, rather than all my sites. It is especially a concern if the site has other admins, belongs to a client, etc.

3 Likes

I would like to have this feature.

I host the websites for some of my family members and they are all placed behind Cloudflare.
Each member has his own account, because it’s their web property, not mine.

But to manage those sites, I’ve got their credentials. With multi-user I can use my own credentials to access their accounts. In my case no ACLs are required, just the option to access their resources.
They use Cloudflare Free.

2 Likes

I agree with this sentiment:

I am a webmaster-type and manage hundreds of domains for tens of clients. I am the person responsible for recommending Cloudflare, and setting up each site. In all cases my clients own their own domain names and hosting accounts, and should also have access to their own properties on Cloudflare. Most commonly, they need to change their own DNS settings, but ideally they should be able to replace me with someone else, without needing to call and ask me for my password (and 2nd factor!) to do so.

I am on a free plan right now, but would gladly upgrade to a paid account for each client that needed to share access. I would not gladly upgrade to an Enterprise account, as most of these sites are for SMBs or Non-Profits.

3 Likes

Thanks for all the detail. I promise it’s a priority, but they are still figuring out exactly how it’s going to go.

2 Likes

I have the same issue. Multi-user would mean I don’t have to make DNS changes for my clients. Yes, I would like to limit which zones each user could access.

2 Likes

Thanks ryan for creating this thread. I’m very excited to see you listening to users, although I’m also a bit saddened that this is where the process is at (I’ve had a google alert enabled for ~2yrs looking for “Cloudflare multi-user”, which is how I found this thread).

In summary:
I’m in a similar situation to @jen - my agency has many clients that need ownership of the Cloudflare account we’re overseeing, so that they could replace me/us if they chose. That is a lower priority for me, however, than having the multiple developers my agency has be able to have direct involvement in the setup and ongoing maintenance of Cloudflare settings on a per-domain basis.

Some more detailed thoughts:
I’ve observed a trend over the past ~15yrs - the line has been getting progressively more blurred between web devs and sys admins. We used to just get a virtual machine and have complete ownership of everything on the OS, and it was a completely different skillset to know the inner workings of HTML/CSS/JS/PHP than Ubuntu/CentOS/RedHat/etc. But now, we use managed hosting providers (Heroku and Pantheon) who offer delightful, opinionated, mostly-managed hosting services comprised of app containers with ephemeral filesystems, and really nice automation at every point. We no longer need someone to be responsible for knowing how to fix OS issues, or make updates to the core apps on it like apache/php/mysql. Instead, we just have devs that are getting progressively more involved in the configuration and maintenance of managed services like Cloudflare. We want them to take ownership of big pieces of the puzzle, take an opinionated, thoughtful stance on how it should work, and we’ll operate within that framework. Our senior devs are now configuring, testing, and maintaining Cloudflare performance settings like auto-minification, and page rules that control caching schemas and https rules. They’re also often directly involved in troubleshooting email delivery issues, which touches DNS settings. These are all things that historically, they would have relied on someone else for, but now they can self-serve… by using the same account with shared credentials, with access to every single one of our clients’ accounts. Yikes.

So, with @gork 's post in mind, my priority list would be:

  1. Roll out a minimal method of simply not having to have shared accounts so we can enable 2FA
  2. I’d like the ability to only give my devs access to certain domains (but they can have access to all of it)
  3. The full enchilada of fine-grained access controls, with clients able to own their respective domains, and various users only able to access certain areas of different domains.

My $0.02

2 Likes

Totally understand your feelings. I’ve already met with product and they are finding the specific feedback very helpful as far as what to prioritize and how it might be available to more people. The work is already underway and we should have more details soon!

2 Likes

Fabulous, thanks again for the community outreach. Cloudflare rocks, which is why we’re all taking the time to give you feedback - we’re all amazed by your services and want even more out of it!

2 Likes