Definitely a per-zone API. The case I have in mind is for a domain admin to be able to purge the entire cache for their domain when needed.
Good example of needing multiple API key/user permissions, so we can utilise stuff like fail2ban actions passing to the Cloudflare API without compromising the main API key: [Tutorial] Protecting your site from HTTP Flood Attacks
This is a really good idea, I personally think it should be a pro rather than Enterprise feature so it’s available to more users. An added benefit is more paying customers. $20/month is cheaper than $5000/month.
I found it absolutely remarkable that Cloudflare had no ability to allow at least two admins on all paid accounts. This is a rather important feature. Shared credentials are a poor security practice, and make it nigh on impossible to use two factor authentication in a sane way. For everyone wanting all of these fine-grained ACLs – I find it hard to disagree with the sentiment, but I’d rather have anything over the current situation. Please, Cloudflare, do not allow feature creep to delay this important feature!
Hello all - Really appreciate the details and the feedback. We definitely know that this is something you guys want, but to avoid feature creep (thanks @gork) it really helps to know why and how.
Some of you have already done this, but please try to describe what your specific needs are. Is it just more than one admin? Do you need zone specific permissions? Detailed ACL? What level account do you have now?
Thanks, and keep the feedback coming!
I currently use the free plan, and what I want/need is to be able to have different API keys for different sites. I am using the Cloudflare plugin for WordPress, which uses the API key to connect to Cloudflare. Even when these are just personal sites, I’d rather use separate keys for each site, so that if the key is ever exposed the damage will be limited to just a single site, rather than all my sites. It is especially a concern if the site has other admins, belongs to a client, etc.
I would like to have this feature.
I host the websites for some of my family members and they are all placed behind Cloudflare.
Each member has his own account, because it’s their web property, not mine.
But to manage those sites, I’ve got their credentials. With multi-user I can use my own credentials to access their accounts. In my case no ACLs are required, just the option to access their resources.
They use Cloudflare Free.
I agree with this sentiment:
I am a webmaster-type and manage hundreds of domains for tens of clients. I am the person responsible for recommending Cloudflare, and setting up each site. In all cases my clients own their own domain names and hosting accounts, and should also have access to their own properties on Cloudflare. Most commonly, they need to change their own DNS settings, but ideally they should be able to replace me with someone else, without needing to call and ask me for my password (and 2nd factor!) to do so.
I am on a free plan right now, but would gladly upgrade to a paid account for each client that needed to share access. I would not gladly upgrade to an Enterprise account, as most of these sites are for SMBs or Non-Profits.
Thanks for all the detail. I promise it’s a priority, but they are still figuring out exactly how it’s going to go.
I have the same issue. Multi-user would mean I don’t have to make DNS changes for my clients. Yes, I would like to limit which zones each user could access.
Thanks ryan for creating this thread. I’m very excited to see you listening to users, although I’m also a bit saddened that this is where the process is at (I’ve had a Google alert enabled for ~2yrs looking for “Cloudflare multi-user”, which is how I found this thread).
I’m in a similar situation with @jen - my agency has many clients that need ownership of the Cloudflare account we’re overseeing, so that they could replace me/us if they chose. That is a lower priority for me however, than having the multiple developers my agency has be able to have direct involvement in the setup and ongoing maintenance of Cloudflare settings on a per-domain basis.
Some more detailed thoughts:
I’ve observed a trend over the past ~15yrs - the line has been getting progressively more blurred between web devs and sys admins. We used to just get a virtual machine and have complete ownership of everything on the OS, and it was a completely different skillset to know the inner workings of HTML/CSS/JS/PHP than Ubuntu/CentOS/RedHat/etc. But now, we use managed hosting providers (Heroku and Pantheon) who offer delightful, opinionated, mostly-managed hosting services comprised of app containers with ephemeral filesystems, and really nice automation at every point. We no longer need someone to be responsible for knowing how to fix OS issues, or make updates to the core apps on it like apache/php/mysql. Instead, we just have devs that are getting progressively more involved in the configuration and maintenance of managed services like Cloudflare. We want them to take ownership of big pieces of the puzzle, take an opinionated, thoughtful stance on how it should work, and we’ll operate within that framework. Our senior devs are now configuring, testing, and maintaining Cloudflare performance settings like auto-minification, and page rules that control caching schemas and https rules. They’re also often directly involved in troubleshooting email delivery issues, which touches DNS settings. These are all things that historically, they would have relied on someone else for, but now they can self-serve… by using the same account with shared credentials, with access to every single one of our clients’ accounts. Yikes.
So, with @gork’s post in mind, my priority list would be:
- roll out a minimal method of simply not having to have shared accounts so we can enable 2FA
- I’d like the ability to only give my devs access to certain domains (but they can have access to all of it)
- The full enchilada of fine-grained access controls, with clients able to own their respective domains, and various users only able to access certain areas of different domains.
Totally understand your feelings. I’ve already met with product and they are finding the specific feedback very helpful as far as what to prioritize and how it might be available to more people. The work is already underway and we should have more details soon!
Fabulous, thanks again for the community outreach. Cloudflare rocks, which is why we’re all taking the time to give you feedback - we’re all amazed by your services and want even more out of it!
I’m a new free tier user testing the waters. While this doesn’t strictly qualify as “multi-user”, I posted a feature request in the DNS forum regarding per-record tokens for DDNS use, and someone replied suggesting I mention my thoughts here. My concern is about the security implications of using full/wide-access tokens in DDNS scripts/clients that often run in environments of dubious security. Per-record DDNS credentials are implemented in two other DNS hosting services that I use.
That’s great feedback. I’ll be sure to pass it along to Product.
Yes, 100 times yes.
Being able to share user access of specific domains would be amazing (can someone confirm if this would be possible with your multi-user setup?).
I genuinely think you would be losing customers now not having this feature, as I expect there are a lot of companies that get set up by a freelancer on a free plan when they are small, and when the company gets big and needs a full-time developer, move to other solutions because it’s not a simple 10-second switch to upgrade the plan.
Any news on this?
Basic multi-user functionality so we don’t have to share a login between members of our DevOps team and thus can enable 2FA would be hugely appreciated.
Offering customisable roles/access would be very useful as well.
It’s definitely coming. Can you elaborate on your specific needs? How many zones are you managing, what level of control do you need, etc.?
Good to hear.
Our main need is that we have a team of devops engineers who all need to manage all our zones; currently we have to share a login and thus can’t enable 2FA.
A nice to have would be the ability to delegate access to manage DNS and view Analytics to external users, on a zone by zone basis.
We have 6 zones currently - a mix of Business and Pro.
I asked about this feature via Twitter. Thanks to @Yank for pointing me in this direction. I (kinda) apologize in advance for the wall of text that follows, but I like to think things through before making my pitch. I have been-there-done-that fielding requests and pitches from people who don’t understand the scope of things! Thanks for considering this (and even just reading it)!
TL;DR: Multi-user account access has many use cases outside of a business environment and would greatly benefit many low-use and hobbyist sites that do not generate enough revenue or traffic to rationalize upgrading to even the Pro plan.
In addition to several personal sites that I have on my Cloudflare account, I also am the person who has taken the lead to manage the web presences for several local community groups. These sites typically get no more than a dozen hits a week and, for the most part, basically point to a static site that displays the venue and time that the next meeting will occur. The web server for these sites is something that the group’s leadership manages.
I use Cloudflare for a number of reasons, the biggest is the fact that our origin server is protected and it’s a great console to manage DNS, with its extremely fast DNS updates and beautiful interface. It’s also where all my domains reside, so having a single-pane-of-glass (ugh, I just said that) for management and analytics is fantastic.
The need for multi-user access is simple: I don’t want to be the single point of control for these ‘group’ domains. For everything else (Registrar, Hosting, and the services used on the web site), we make it a requirement that we are able to grant multiple users access to manage and ensure that, if one of us goes on vacation or gets busy with work, progress can move forward. I don’t want to seem like I am keeping anything hostage!
From my point of view, multi-user would be simple: at the free plan, additional users (2 more, in addition to the ‘master’ account, seems reasonable) can be added to have full access to a specific domain. It seems logical to add a new button on the “Customize” page that displays a field to enter an email address. If the email address isn’t already associated with a Cloudflare account, that user would receive an email inviting them to create one.
Once created, this ‘delegated’ account would have all the same rights as the ‘master’ account, with the exception of the API keys and subscription plan configuration, which is logically separated into the “My Account Settings” and “My Profile” of the ‘master’ account.
Having done this type of shared accounts for many different situations, I began to consider the drawbacks that Cloudflare would have to deal with to add this as a free-plan feature. The most common situations that I have seen with delegated accounts that end up generating a support ticket with the Vendor are related to account access on a delegated account or dispute resolution.
For account access, since the master account does not have any part of the authentication flow for the delegated account, the master account would not be in a position to need to reset the password or 2FA status for that delegated account. This is especially true since the delegated account may also be master or delegated to other domains.
Another unfortunate but common situation revolves around a delegated account trying to take over and kicking out the master account. However, this is DNS management and not Registrar control, so the “true” owner of the domain is the entity that controls the Registrar and NS records. A delegated account would not be able to kick out the master unless the person or entity who controls the delegated account also has control of the Registrar/NS records, which of course is outside of Cloudflare’s control. I don’t see any significant increase in Cloudflare’s support burden from having to deal with this type of dispute.
While I am sure the Cloudflare team is quite familiar with this situation, for those that don’t follow, this often occurs when a business contracts with an external designer/web development company. Primarily due to lack of understanding of the concepts at play, the designer is the one that registers the domain and controls the DNS. This means that when the parties decide to part ways, it can unfortunately occur where the digital assets are held hostage and a ‘transfer fee’ (or worse) is assessed to the business to hand off the domains and control. It would be far more logical for the business to buy their own domain, register their own Cloudflare account and delegate access to their designer.
- It’s also prudent to consider any lost revenue from customers who would not upgrade if this paid plan feature were available for free. I don’t think this would be a concern, however, since the delegated access feature is reserved for people who have enough money to click the “GET IN TOUCH” button. It would have the potential to bring in new free and lower-tier paid users who have stayed away from Cloudflare as they see this feature as unattainable but yet need it as part of their organizational or personal requirements.
Cloudflare is a for-profit business however, so we need to work in the proper ways to incentivize customers to upgrade to a paid plan. We have included a soft-limit on the number of delegated accounts. Bigger businesses that have multiple developers who need to adhere to compliance regulations that mandate individual accounts (and no shared accounts) would still need to upgrade to a paid plan. Those organizations that also need to limit access on their delegated accounts to only specific features would also need to upgrade to a paid plan. Additional features like an audit trail, access logging and such are also reserved for a paid plan.
Since paid plans are done per domain, it would seem the most simple to keep the shared-access feature as a domain-level feature (not an account level configuration). This ensures that a single account can have a free-plan domain (that can be delegated under the previously-mentioned free-plan parameters) and a paid-plan domain that benefits from having more delegated accounts and more granular control.
As far as which paid plan gets these features, I would selfishly propose that the above-mentioned paid plan features be added to the Pro level. Many of the features on Business and Enterprise plans seem to be centred around domains that get lots of traffic and most small businesses (who in my experience are most likely to go for the Pro plan) are the ones who would benefit most from the paid plan features mentioned. More enterprise features, like being able to delegate an entire account’s worth of domains and even managing the passwords and 2FA configurations for the delegated accounts, would still be reserved to the Enterprise plan.
Thanks so much for considering this and for making a great service that even has a free tier to begin with!