What is the minimum set of roles required to revoke access to cert.pem from a secondary account?
[Here's](https://github.com/cloudflare/cloudflared/issues/93) the bug for more details.
Here are the available roles:
Super Administrator - All Privileges
Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators.
Can read Vectorize configurations.
Can edit Vectorize configurations.
Bot Management (Account-Wide)
Can edit Bot Management (including Super Bot Fight Mode) configurations for all domains in account
Can read Hyperdrive database configurations.
Can edit Hyperdrive database configurations.
Grants read access to Turnstile
Grants full access to Turnstile
API Gateway Read
Grants read access to API Gateway (including API Shield) for all domains in an account
Grants full access to API Gateway (including API Shield) for all domains in an account
Cloudflare R2 Read
Can read R2 buckets, objects, and associated configurations.
Cloudflare R2 Admin
Can edit R2 buckets, objects, and associated configurations.
Page Shield Read
Grants read access to Page Shield across the whole account
Grants write access to Page Shield across the whole account
Can edit Cloudflare DEX.
Zone Versioning Read (Account-Wide)
Can view Zone Versioning for all domains in account
Zone Versioning (Account-Wide)
Can view and edit Zone Versioning for all domains in account’
Minimal Account Access
Can view account, and nothing else
Can edit Zaraz configuration.
Waiting Room Admin
Can edit Waiting Room configuration.
Waiting Room Read
Can read waiting rooms configuration.
Magic Network Monitoring Admin
Can view, edit, create, and delete MNM configuration
Magic Network Monitoring
Can view and edit MNM configuration
Magic Network Monitoring Read-Only
Can view MNM configuration
Network Services Write (Magic)
Grants write access to network configurations for Magic services.
Network Services Read (Magic)
Grants read access to network configurations for Magic services.
Can view and edit HTTP Applications
HTTP Applications Read
Can view HTTP Applications
Trust and Safety
Can view and request reviews for blocks
Can edit and publish Zaraz configuration.
Can read Zaraz configuration.
Can edit Cloudflare Images assets
Can edit Cloudflare Gateway and read Access.
Cloudflare Zero Trust Reporting
Can access Cloudflare for Zero Trust reporting data.
Cloudflare Zero Trust Read Only
Can access Cloudflare for Zero Trust read only mode.
Cloudflare Zero Trust
Can edit Cloudflare Zero Trust.
Cloudflare Zero Trust PII
Can access Cloudflare Zero Trust PII.
SSL/TLS, Caching, Performance, Page Rules, and Customization
Can edit most Cloudflare settings except for DNS and Firewall.
Log Share Reader
Can read Enterprise Log Share.
Can edit Log Share configuration.
Can edit Load Balancers, Pools, Origins, and Health Checks.
Can edit WAF, IP Firewall, and Zone Lockdown settings.
Can edit DNS records.
Cloudflare Workers Admin
Can edit Cloudflare Workers.
Can edit Cloudflare Stream media.
Can edit Cloudflare Access.
Can purge the edge cache.
Can edit the account’s billing profile and subscriptions.
Audit Logs Viewer
Can view Audit Logs.
Can read Analytics.
Administrator Read Only
Can access the full account in read-only mode.
Can access the full account, except for membership management and billing.