Zone Rulesets Permission

In attempting to scope an API key’s permissions, I have noticed that the “Ruleset” permissions are at Account Level only and not at Zone Level.
I am a bit concerned that this is too far reaching and wonder if there could be a review to bring this down to a Zone Level permission as well.


When possible, use API tokens instead of API keys.

Apologies for any confusion, I was actually referring to the API tokens.
I noticed that a token with a Dynamic Redirect Edit permission could not edit redirect rules unless it was granted the Account Rulesets Edit permission. There does not appear to be any “Zone Rulesets” permission in the list of permissions that a token can be granted at a Zone Level.

Hi,
There is virtually no documentation regarding this issue, and it was not resolved.
I’m having trouble finding out what kind of permission is needed to get or set a rate limit.
Thanks

Hi Assafk,

With the new WAF version, rate limiting falls under Rulesets. So depending on where you will be creating a rate-limit rule, you would need either an Account:Rulesets:Write or a Zone WAF:Edit permission, or both.
Hope this helps.