|
| 1 | +--- |
| 2 | +pcx_content_type: reference |
| 3 | +title: Authorization |
| 4 | +head: [] |
| 5 | +description: Control access to Workers and Developer Platform resources with roles. |
| 6 | +--- |
| 7 | + |
| 8 | +When you add members to your Cloudflare account or create API tokens, you can assign roles that control access to Workers and other Developer Platform resources. Roles determine what actions users can perform, from viewing metadata to creating and managing resources. |
| 9 | + |
| 10 | +For information about managing account members, refer to [Manage members](/fundamentals/manage-members/manage/). For information about creating API tokens, refer to [Create API tokens](/fundamentals/api/get-started/create-token/). |
| 11 | + |
| 12 | +## Overview |
| 13 | + |
| 14 | +For every product within the [Developer Platform](/products/?product-group=Developer+platform), you can assign one or more of the following role types to users or API tokens on your Cloudflare account: |
| 15 | + |
| 16 | +- **Metadata Read-Only**: Allows viewing resource lists, settings, and observability data (metrics, logs, traces) without access to product content. |
| 17 | +- **Content Read-Only**: Allows reading product content (such as D1 database content or Worker code) without the ability to modify it. |
| 18 | +- **Editor**: Allows reading and writing product content, and updating settings. Cannot create, delete, or rename resources. |
| 19 | +- **Admin**: Full control over resources, including the ability to create, rename, delete, and grant access to other users. |
| 20 | +- **Create**: Allows creating new resources. The user who creates a resource automatically becomes the Admin for that resource. Does not grant access to existing resources. |
| 21 | + |
| 22 | +As a best practice, developers building with the Developer Platform should have **Workers Platform Metadata Read-Only** combined with a product-specific **Create** role. This approach allows developers to view resources and observability data across the platform while creating and managing their own resources. |
| 23 | + |
| 24 | +Resource-level roles (such as D1 Database Admin or Worker Admin) mirror account-level roles but apply to a specific resource. Users can have multiple roles, both account-wide and per-resource. |
| 25 | + |
| 26 | +:::note |
| 27 | +Roles are ordered from least to most privileged: Metadata Read-Only < Content Read-Only < Editor < Admin. More privileged roles include all access granted by less privileged roles. |
| 28 | + |
| 29 | +Page below describes roles for Workers and D1. The same pattern would be followed for all products within Developer Platform. |
| 30 | +::: |
| 31 | + |
| 32 | +## Workers Platform roles |
| 33 | + |
| 34 | +Workers Platform roles grant access to all products in the Developer Platform, including Workers, D1, KV, R2, Durable Objects, and other related products. |
| 35 | + |
| 36 | +| Role | Description | |
| 37 | +| ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 38 | +| Workers Platform Metadata Read-Only | Can see all resources. <br/> Can read metadata such as settings and observability (metrics, logs, traces). <br/> Cannot read product content or manage resources. | |
| 39 | +| [Workers Platform Read-Only](/fundamentals/manage-members/roles/#account-scoped-roles) (existing role) | Can read metadata and product content (KV namespace values, Worker code). <br/> Cannot manage resources or update settings. | |
| 40 | +| Workers Platform Editor | Can read and write product content. <br/> Can update settings and create new versions and deployments. <br/> Cannot create, delete, or rename resources. <br/> Cannot manage resource access. | |
| 41 | +| [Workers Platform Admin](/fundamentals/manage-members/roles/#account-scoped-roles) (existing role) | Can read metadata and product content. <br/> Can update settings. <br/> Can create, rename, and delete resources. <br/> Can grant resource access to other users. | |
| 42 | +| Workers Platform Create | Can create new resources across Developer Platform products (Workers, D1, KV). <br/> User who creates a resource becomes Admin for that resource. <br/> Does not grant access to existing resources. | |
| 43 | + |
| 44 | +## Workers product roles |
| 45 | + |
| 46 | +Workers product roles apply to all Workers in your account. |
| 47 | + |
| 48 | +| Role | Description | |
| 49 | +| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 50 | +| Workers Metadata Read-Only | Can see Worker exists (list). <br/> Can see settings (limits, compatibility flags). <br/> Can see bindings configuration, routes, custom domains, cron triggers, and deployment history. <br/> Can see observability (metrics, logs, traces, tail). <br/> Cannot see script code or secret values. | |
| 51 | +| Workers Content Read-Only | Can view Worker script source code. <br/> Cannot deploy changes or modify settings. | |
| 52 | +| Workers Editor | Can deploy Worker changes to production. <br/> Can create versions and deployments. <br/> Can update Worker settings and bindings. <br/> Can manage routes, custom domains, cron triggers, and secrets. <br/> Cannot create or delete Workers. | |
| 53 | +| Workers Admin | Can create, rename, and delete Workers. <br/> Can manage subdomain (\*.workers.dev) settings and account-level Workers settings. <br/> Can grant resource access to other users. | |
| 54 | +| Workers Create | Can create a new Worker and become Worker Admin for your Worker. <br/> Does not grant access to existing Workers. | |
| 55 | + |
| 56 | +## Single Worker roles |
| 57 | + |
| 58 | +Single Worker roles apply to a specific Worker in your account. |
| 59 | + |
| 60 | +| Role | Description | |
| 61 | +| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 62 | +| Worker Metadata Read-Only | Can see Worker exists (list). <br/> Can see settings (limits, compatibility flags). <br/> Can see bindings configuration, routes, custom domains, cron triggers, and deployment history. <br/> Can see observability (metrics, logs, traces, tail). <br/> Cannot see script code or secret values. | |
| 63 | +| Worker Content Read-Only | Can view Worker script source code. <br/> Cannot deploy changes or modify settings. | |
| 64 | +| Worker Editor | Can deploy Worker changes to production. <br/> Can create versions and deployments. <br/> Can update Worker settings and bindings. <br/> Can manage routes, custom domains, cron triggers, and secrets. <br/> Cannot delete the Worker or grant others access. | |
| 65 | +| Worker Admin | Can rename and delete the Worker. <br/> Can grant access to the Worker to other users. | |
| 66 | + |
| 67 | +## D1 product roles |
| 68 | + |
| 69 | +D1 product roles apply to all D1 databases in your account. |
| 70 | + |
| 71 | +| Role | Description | |
| 72 | +| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | |
| 73 | +| D1 Metadata Read-Only | Can list databases and read database metadata. <br/> Cannot read or write database content. | |
| 74 | +| D1 Content Read-Only | Can read database content with read-only queries. <br/> Can read all metadata. <br/> Cannot write to databases or update settings. | |
| 75 | +| D1 Editor | Can read and write database content. <br/> Can read all metadata. <br/> Cannot manage databases or update settings. | |
| 76 | +| D1 Admin | Can create, list, read, update, and delete all databases. <br/> Can grant access to other users. <br/> Has full access to all D1 resources. | |
| 77 | +| D1 Create | Can create new databases. <br/> User who creates a database becomes D1 Database Admin for that database. <br/> Does not grant access to existing databases. | |
| 78 | + |
| 79 | +## D1 database roles |
| 80 | + |
| 81 | +D1 database roles apply to a specific D1 database in your account. |
| 82 | + |
| 83 | +| Role | Description | |
| 84 | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | |
| 85 | +| D1 Database Metadata Read-Only | Can read database metadata such as settings and observability (metrics, logs, traces). <br/> Cannot read or write database content. <br/> Cannot manage database or update settings. | |
| 86 | +| D1 Database Content Read-Only | Can read database content with read-only queries. <br/> Can read all metadata. <br/> Cannot write to database or update settings. | |
| 87 | +| D1 Database Editor | Can read and write database content. <br/> Can read all metadata. <br/> Cannot manage database or update settings. | |
| 88 | +| D1 Database Admin | Can manage database (read, update, delete). <br/> Can grant database access to other users. <br/> Can read and update database settings. <br/> Can read and write database content. | |
| 89 | + |
| 90 | +## Related resources |
| 91 | + |
| 92 | +- [Manage account members](/fundamentals/manage-members/manage/) - Add and remove members from your account. |
| 93 | +- [Roles](/fundamentals/manage-members/roles/) - View all available roles for your account. |
| 94 | +- [Create API tokens](/fundamentals/api/get-started/create-token/) - Create tokens with specific permissions. |
0 commit comments