From d670c49f817222816cb594e7a046def7ba96a2ce Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Sun, 14 Sep 2025 19:27:23 -0500 Subject: [PATCH 01/20] Add tiered policies page --- .../gateway/tiered-policies/index.mdx | 14 +++ .../managed-service-providers.mdx | 4 +- .../organizational-policies.mdx | 94 +++++++++++++++++++ 3 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx rename src/content/docs/cloudflare-one/policies/gateway/{ => tiered-policies}/managed-service-providers.mdx (98%) create mode 100644 src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx new file mode 100644 index 000000000000000..ebb01d7f6c1a218 --- /dev/null +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -0,0 +1,14 @@ +--- +pcx_content_type: navigation +title: Tiered policies +sidebar: + order: 15 + group: + hideIndex: true +--- + +import { DirectoryListing } from "~/components"; + +Zero Trust supports two types of Gateway tiered policy configurations: + + diff --git a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx similarity index 98% rename from src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx rename to src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index 4b944890e769614..646b3cf777c5ff7 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx 
@@ -1,8 +1,8 @@ --- -pcx_content_type: how-to +pcx_content_type: get-started title: Managed service providers (MSPs) sidebar: - order: 15 + order: 3 --- :::note diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx new file mode 100644 index 000000000000000..81bab9a5e2929f3 --- /dev/null +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx 
@@ -0,0 +1,94 @@ +--- +pcx_content_type: get-started +title: Organizational policies +sidebar: + order: 2 +--- + +:::note +Only available on Enterprise plans. For more information, contact your account team. +::: + +Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. The Tenant platform supports [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. + +For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. + +## Get started + +{/* Don't need to surface much of the policy creation flow here */} + +To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). + +## Account types + +The Gateway Tenant platform supports tiered and siloed account configurations. + +### Tiered accounts + +In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. 
MSPs can also configure child accounts independently from the parent account, including: + +- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) +- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) +- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) +- Creating [lists](/cloudflare-one/policies/gateway/lists/) + +Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). + +Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a tiered account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. + +%% Flowchart + subgraph s1["Parent account"] + n1["Block malware"] + n2["Block DNS tunnel"] + n3["Block spyware"] + end + subgraph s2["Child account A"] + n4["Block social media"] + end + subgraph s3["Child account B"] + n5["Block instant messaging"] + end + n1 ~~~ n2 + n2 ~~~ n3 + A["Tenant"] --Administers--> s1 + s1 -- "Applies policies to" --> s2 & s3 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} + n4@{ shape: lean-l} + n5@{ shape: lean-l} +``` + +### Siloed accounts + +In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately. 
+ +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a siloed account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. + +%% Flowchart + subgraph s1["Siloed account A"] + n1["Block social media"] + end + subgraph s2["Siloed account C"] + n2["Block instant messaing"] + end + subgraph s3["Siloed account B"] + n3["Block news"] + end + A["Tenant"] -- Administers --> s1 & s3 & s2 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} +``` From 70e5caf02c436368ac20213ea25a6ef36a8bde2a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Sun, 14 Sep 2025 19:29:08 -0500 Subject: [PATCH 02/20] Add redirect --- public/__redirects | 1 + 1 file changed, 1 insertion(+) diff --git a/public/__redirects b/public/__redirects index c314a81faff85e7..74e935914a93549 100644 --- a/public/__redirects +++ b/public/__redirects @@ -820,6 +820,7 @@ /gateway/getting-started-new/onboarding-gateway/ /cloudflare-one/policies/gateway/ 301 /gateway/locations/setup-instructions/android/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301 /gateway/locations/setup-instructions/router/ /cloudflare-one/policies/gateway/dns-policies/ 301 +/cloudflare-one/policies/gateway/managed-service-providers/ /cloudflare-one/policies/gateway/tiered-policies/managed-service-providers/ 301 # google tag /google-tag-first-party-mode/ /google-tag-gateway/ 301 From 4fbf99b787b4ebe619e43a14334ac1821019f041 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Sun, 14 Sep 2025 21:08:55 -0500 Subject: [PATCH 03/20] Add orgs background --- .../gateway/tiered-policies/organizational-policies.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
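Review bot: The new organizational-policies.mdx is a near-verbatim copy of the MSP page and still describes the Tenant API under the title "Organizational policies" ("Gateway supports the [Cloudflare Tenant API]...", "MSPs can also configure child accounts...", "To set up the Tenant API, refer to [Get started](/tenant/get-started/)"), so the page contradicts its own title until the body is rewritten for Organizations. In the same file, the sentence that a child account can override a specific parent policy by setting `allow_child_bypass` to `true` sits directly under "a top-level parent account enforces global security policies that apply to all of its child accounts"; decide which behaviour is true for this product and state it once, because that is the security property readers will rely on. Minor points in the siloed flowchart: "Block instant messaing" is a typo, and its accDescr says "order of precedence" although a siloed configuration has no precedence between accounts. In index.mdx the sentence "Zero Trust supports two types of Gateway tiered policy configurations:" ends on a colon and the imported `DirectoryListing` component is not visible in the hunk as shown; confirm the element follows the sentence.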
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx index 81bab9a5e2929f3..6cf6b8c59d685a0 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx 
@@ -9,15 +9,15 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. The Tenant platform supports [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. +{/* TODO: Update the Orgs link with most up to date option */} -For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. +Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Organizational policies support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. ## Get started {/* Don't need to surface much of the policy creation flow here */} -To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). +To set up CLoudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). 
Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). ## Account types From af592463eddd1d40f1c21fa761a19f1aeb3aa453 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Sun, 14 Sep 2025 21:29:42 -0500 Subject: [PATCH 04/20] Update details about tiered accounts --- .../managed-service-providers.mdx | 4 ++-- .../tiered-policies/organizational-policies.mdx | 17 ++++++++++------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index 646b3cf777c5ff7..03ee3e4ec617af2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx 
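Review bot: Typo in the added Get started line: "CLoudflare Organizations" should be "Cloudflare Organizations". The intro now says the page is about Cloudflare Organizations, but the unchanged context a few lines below still reads "The Gateway Tenant platform supports tiered and siloed account configurations." and the Tiered accounts section still says "MSPs can also configure child accounts", so the page describes two different products after this change; move those to Organizations terminology in the same commit. The `{/* TODO: Update the Orgs link with most up to date option */}` comment should be resolved before merge, or the `/fundamentals/organizations/` target confirmed, since that is where readers will be sent.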
@@ -11,13 +11,13 @@ Only available on Enterprise plans. For more information, contact your account t Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. -The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. +The Tenant platform supports [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. ## Get started {/* Don't need to surface much of the policy creation flow here */} -To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). +To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). ## Account types diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx index 6cf6b8c59d685a0..bccf21b2bb2b1a6 100644 
--- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx @@ -17,7 +17,7 @@ Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) {/* Don't need to surface much of the policy creation flow here */} -To set up CLoudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). +To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). ## Account types 
@@ -25,16 +25,16 @@ The Gateway Tenant platform supports tiered and siloed account configurations. ### Tiered accounts -In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: +In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can add policies as needed while still being managed by the parent account. Organization owners can also configure child accounts independently from the parent account, including: - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) - Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) - Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) - Creating [lists](/cloudflare-one/policies/gateway/lists/) -Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). +Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each child account in an organization. Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). -Gateway evaluates parent account policies before any child account policies. To allow a child account to override a specific parent account policy, you can use the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint to set the policy's `allow_child_bypass` rule setting to `true`. +Gateway evaluates parent account policies before any child account policies. 
In a Cloudflare Organization, child accounts cannot bypass parent account policies. All traffic and corresponding policies, logs, and configurations for a child account will be contained to that child account. Organization owners can view logs for child accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. ```mermaid flowchart TD @@ -56,7 +56,6 @@ flowchart TD end n1 ~~~ n2 n2 ~~~ n3 - A["Tenant"] --Administers--> s1 s1 -- "Applies policies to" --> s2 & s3 n1@{ shape: lean-l} @@ -66,9 +65,13 @@ flowchart TD n5@{ shape: lean-l} ``` +:::caution[Limitations] +Organizational policies do not support egress policies, device posture selectors, private apps, or virtual networks. +::: + ### Siloed accounts -In a siloed account configuration, each account operates independently within the same tenant. MSPs manage each account's own security policies, resources, and configurations separately. +In a siloed account configuration, each account operates independently within the same tenant. Organization owners manage each account's own security policies, resources, and configurations separately. ```mermaid flowchart TD @@ -86,7 +89,7 @@ flowchart TD subgraph s3["Siloed account B"] n3["Block news"] end - A["Tenant"] -- Administers --> s1 & s3 & s2 + A["Organization owner"] -- Administers --> s1 & s3 & s2 n1@{ shape: lean-l} n2@{ shape: lean-l} From b0b16b9d7e39fe5f624172745153b102dd0e4305 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 15 Sep 2025 11:53:14 -0500 Subject: [PATCH 05/20] Re-add index --- .../gateway/tiered-policies/index.mdx | 93 +++++++++++++++++- .../managed-service-providers.mdx | 2 +- .../organizational-policies.mdx | 97 ------------------- 3 files changed, 89 insertions(+), 103 deletions(-) delete mode 100644 src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx 
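Review bot: In the managed-service-providers.mdx hunk, the Tenant platform's supported policy types are widened from "only supports [DNS policies]" to DNS, network, HTTP and resolver, while the intro paragraph in the same file is unchanged; please confirm this capability claim with the product before publishing, because readers will plan HTTP inspection and resolver deployments around it. In the organizational-policies.mdx hunk at @@ -25,16 +25,16 @@, the new line "Gateway will automatically generate a unique root CA for each child account" sits directly under the bullet "Generating or uploading root certificates" listed as a child-account action; state which certificate is active by default and whether an uploaded one replaces the generated one, since the user-side certificate page this links to is about what devices in that account must trust. The same hunk now says "child accounts cannot bypass parent account policies" and drops the `allow_child_bypass` sentence, which is consistent, but the Siloed accounts paragraph still says "each account operates independently within the same tenant" while its diagram label became "Organization owner", and the `## Account types` context line still reads "The Gateway Tenant platform supports". Minor: the siloed flowchart still has "Block instant messaing", and the new Limitations caution would be more useful if it said whether a parent-account egress policy or device posture selector is rejected at creation or silently not applied to child accounts.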
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index ebb01d7f6c1a218..a45a26a64e7e3c0 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
@@ -3,12 +3,95 @@ pcx_content_type: navigation title: Tiered policies sidebar: order: 15 - group: - hideIndex: true --- -import { DirectoryListing } from "~/components"; +:::note +Only available on Enterprise plans. For more information, contact your account team. +::: -Zero Trust supports two types of Gateway tiered policy configurations: +{/* TODO: Update the Orgs link with most up to date option */} - +Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered organizational policies support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. + +## Get started + +{/* Don't need to surface much of the policy creation flow here */} + +To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). + +## Account types + +The Gateway Tenant platform supports tiered and siloed account configurations. + +### Tiered accounts + +In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can add policies as needed while still being managed by the parent account. 
Organization owners can also configure child accounts independently from the parent account, including: + +- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) +- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) +- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) +- Creating [lists](/cloudflare-one/policies/gateway/lists/) + +Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each child account in an organization. Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). + +Gateway evaluates parent account policies before any child account policies. In a Cloudflare Organization, child accounts cannot bypass parent account policies. All traffic and corresponding policies, logs, and configurations for a child account will be contained to that child account. Organization owners can view logs for child accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a tiered account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. 
+ +%% Flowchart + subgraph s1["Parent account"] + n1["Block malware"] + n2["Block DNS tunnel"] + n3["Block spyware"] + end + subgraph s2["Child account A"] + n4["Block social media"] + end + subgraph s3["Child account B"] + n5["Block instant messaging"] + end + n1 ~~~ n2 + n2 ~~~ n3 + s1 -- "Applies policies to" --> s2 & s3 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} + n4@{ shape: lean-l} + n5@{ shape: lean-l} +``` + +:::caution[Limitations] +Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. +::: + +### Siloed accounts + +In a siloed account configuration, each account operates independently within the same tenant. Organization owners manage each account's own security policies, resources, and configurations separately. + +```mermaid +flowchart TD +%% Accessibility + accTitle: How Gateway policies work in a siloed account configuration + accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. + +%% Flowchart + subgraph s1["Siloed account A"] + n1["Block social media"] + end + subgraph s2["Siloed account C"] + n2["Block instant messaing"] + end + subgraph s3["Siloed account B"] + n3["Block news"] + end + A["Organization owner"] -- Administers --> s1 & s3 & s2 + + n1@{ shape: lean-l} + n2@{ shape: lean-l} + n3@{ shape: lean-l} +``` diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index 03ee3e4ec617af2..015ad705bc3e374 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx @@ -2,7 +2,7 @@ pcx_content_type: get-started title: Managed service providers (MSPs) sidebar: - order: 3 + order: 2 --- :::note 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx deleted file mode 100644 index bccf21b2bb2b1a6..000000000000000 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/organizational-policies.mdx +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -pcx_content_type: get-started -title: Organizational policies -sidebar: - order: 2 ---- - -:::note -Only available on Enterprise plans. For more information, contact your account team. -::: - -{/* TODO: Update the Orgs link with most up to date option */} - -Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Organizational policies support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. - -## Get started - -{/* Don't need to surface much of the policy creation flow here */} - -To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). - -## Account types - -The Gateway Tenant platform supports tiered and siloed account configurations. - -### Tiered accounts - -In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can add policies as needed while still being managed by the parent account. 
Organization owners can also configure child accounts independently from the parent account, including: - -- Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) -- Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) -- Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) -- Creating [lists](/cloudflare-one/policies/gateway/lists/) - -Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each child account in an organization. Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). - -Gateway evaluates parent account policies before any child account policies. In a Cloudflare Organization, child accounts cannot bypass parent account policies. All traffic and corresponding policies, logs, and configurations for a child account will be contained to that child account. Organization owners can view logs for child accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. - -```mermaid -flowchart TD -%% Accessibility - accTitle: How Gateway policies work in a tiered account configuration - accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. 
- -%% Flowchart - subgraph s1["Parent account"] - n1["Block malware"] - n2["Block DNS tunnel"] - n3["Block spyware"] - end - subgraph s2["Child account A"] - n4["Block social media"] - end - subgraph s3["Child account B"] - n5["Block instant messaging"] - end - n1 ~~~ n2 - n2 ~~~ n3 - s1 -- "Applies policies to" --> s2 & s3 - - n1@{ shape: lean-l} - n2@{ shape: lean-l} - n3@{ shape: lean-l} - n4@{ shape: lean-l} - n5@{ shape: lean-l} -``` - -:::caution[Limitations] -Organizational policies do not support egress policies, device posture selectors, private apps, or virtual networks. -::: - -### Siloed accounts - -In a siloed account configuration, each account operates independently within the same tenant. Organization owners manage each account's own security policies, resources, and configurations separately. - -```mermaid -flowchart TD -%% Accessibility - accTitle: How Gateway policies work in a siloed account configuration - accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. - -%% Flowchart - subgraph s1["Siloed account A"] - n1["Block social media"] - end - subgraph s2["Siloed account C"] - n2["Block instant messaing"] - end - subgraph s3["Siloed account B"] - n3["Block news"] - end - A["Organization owner"] -- Administers --> s1 & s3 & s2 - - n1@{ shape: lean-l} - n2@{ shape: lean-l} - n3@{ shape: lean-l} -``` From f56aeb553e3cf7b5d51f6b197aa8b4a3380da9e7 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 18 Sep 2025 13:53:26 -0500 Subject: [PATCH 06/20] Revert MSP page --- .../gateway/tiered-policies/managed-service-providers.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index 015ad705bc3e374..2dbafa57adbb28f 100644 
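Review bot: index.mdx now carries the full Organizations content but its frontmatter still says `pcx_content_type: navigation` (visible as context at the top of the hunk), whereas the deleted organizational-policies.mdx used `get-started`; update the content type to match the page body. The hunk also carries over the `{/* TODO: Update the Orgs link with most up to date option */}` comment and the context line "The Gateway Tenant platform supports tiered and siloed account configurations.", so the Tenant/Organization mix-up survives the move, and the siloed flowchart still reads "Block instant messaing". Because the organizational-policies.mdx page is deleted here rather than renamed, no redirect is added for /cloudflare-one/policies/gateway/tiered-policies/organizational-policies/; that is fine only if the page was never published. With the MSP page's sidebar order moving from 3 to 2 in the same patch and the index page now being the only tiered-policies page, confirm the sidebar renders the MSP page beneath it as intended.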
--- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx @@ -11,13 +11,13 @@ Only available on Enterprise plans. For more information, contact your account t Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. -The Tenant platform supports [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. +The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). For more information, refer to the [Cloudflare Zero Trust for managed service providers](https://blog.cloudflare.com/gateway-managed-service-provider/) blog post. ## Get started {/* Don't need to surface much of the policy creation flow here */} -To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). +To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). ## Account types 
@@ -81,7 +81,7 @@ flowchart TD n1["Block social media"] end subgraph s2["Siloed account C"] - n2["Block instant messaing"] + n2["Block instant messaging"] end subgraph s3["Siloed account B"] n3["Block news"] From caf5508bf701d1141f1349de676206cbf7d7f3c4 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 18 Sep 2025 15:54:27 -0500 Subject: [PATCH 07/20] Update terminology --- .../policies/gateway/tiered-policies/index.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index a45a26a64e7e3c0..d235899d34e8b24 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
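Review bot: The revert restores "The Tenant platform only supports [DNS policies]" and the DNS-only Get started link, which matches the original page and removes the unverified widening introduced in PATCH 04, so the commit subject "Revert MSP page" is accurate for the first hunk. The second hunk is an unrelated typo fix ("messaing" to "messaging") in the siloed flowchart that would be cleaner as its own commit; the same typo still exists in the siloed flowchart of index.mdx at this point in the series.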
@@ -25,16 +25,16 @@ The Gateway Tenant platform supports tiered and siloed account configurations. ### Tiered accounts -In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can add policies as needed while still being managed by the parent account. Organization owners can also configure child accounts independently from the parent account, including: +In a tiered account configuration, a top-level source account enforces global security policies that apply to all of its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure recipient accounts independently from the source account, including: - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) - Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) - Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) - Creating [lists](/cloudflare-one/policies/gateway/lists/) -Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each child account in an organization. Each child account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). +Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). -Gateway evaluates parent account policies before any child account policies. In a Cloudflare Organization, child accounts cannot bypass parent account policies. 
All traffic and corresponding policies, logs, and configurations for a child account will be contained to that child account. Organization owners can view logs for child accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. +Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. ```mermaid flowchart TD @@ -43,15 +43,15 @@ flowchart TD accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. %% Flowchart - subgraph s1["Parent account"] + subgraph s1["Source account"] n1["Block malware"] n2["Block DNS tunnel"] n3["Block spyware"] end - subgraph s2["Child account A"] + subgraph s2["Recipient account A"] n4["Block social media"] end - subgraph s3["Child account B"] + subgraph s3["Recipient account B"] n5["Block instant messaging"] end n1 ~~~ n2 @@ -84,7 +84,7 @@ flowchart TD n1["Block social media"] end subgraph s2["Siloed account C"] - n2["Block instant messaing"] + n2["Block instant messaging"] end subgraph s3["Siloed account B"] n3["Block news"] From c738502f6e2844a7fa485f1079d7f722b8f982db Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 18 Sep 2025 16:42:26 -0500 Subject: [PATCH 08/20] Improve MSP nudge --- .../gateway/tiered-policies/managed-service-providers.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index 2dbafa57adbb28f..a314ba8672d72dd 100644 
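Review bot: the rename to source/recipient in the hunk at @@ -25,16 +25,16 @@ is not carried through the rest of the section: the MSP page still uses parent/child ("a top-level parent account enforces global security policies that apply to all of its child accounts"), and nothing tells the reader that the two pairs of terms describe the same roles in two different products (Cloudflare Organizations vs. the Tenant API). Either apply the same rename there or add one sentence to the intro mapping the terms, so an administrator reading both pages does not take "recipient account" and "child account" for different things.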
--- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx @@ -5,8 +5,10 @@ sidebar: order: 2 --- -:::note -Only available on Enterprise plans. For more information, contact your account team. +:::caution[Tiered account availability] +Only available for [Cloudflare Partners](https://www.cloudflare.com/partners/) on Enterprise plans. Cloudflare recommends users on Enterprise plans configure a [Cloudflare Organization](/fundamentals/organizations/) for use with [tiered policies](/cloudflare-one/policies/gateway/tiered-policies/). Tiered policies allows for additional configurations, logging options, and policy types. + +For more information, contact your account team. ::: Gateway supports the [Cloudflare Tenant API](/tenant/), which allows Cloudflare-partnered managed service providers (MSPs) to set up and manage Cloudflare accounts and services for their customers. With the Tenant API, MSPs can create Zero Trust deployments with global Gateway policy control. Policies can be customized or overridden at a group or individual account level. From d2f4fcb45dd0cb312bc7c59f9d3073dc18f67b72 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 18 Sep 2025 16:51:52 -0500 Subject: [PATCH 09/20] Add notes --- .../policies/gateway/tiered-policies/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index d235899d34e8b24..e76e6dbaf12cc10 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
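Review bot: grammar in the new caution text: "Tiered policies allows for additional configurations" should read "Tiered policies allow for additional configurations". The callout also addresses two audiences in one sentence; make the split explicit, for example "Tenant API tiered accounts are available only to Cloudflare Partners on Enterprise plans. Enterprise customers that are not partners should use a Cloudflare Organization with tiered policies", so a non-partner reader does not stop at "Only available for Cloudflare Partners".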
@@ -9,9 +9,7 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -{/* TODO: Update the Orgs link with most up to date option */} - -Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered organizational policies support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. +Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. ## Get started @@ -25,6 +23,8 @@ The Gateway Tenant platform supports tiered and siloed account configurations. ### Tiered accounts +{/* TODO: Rename this section and check if siloed accounts are relevant (potentially fix H2 preamble above). Fix the flow to match Orgs config. */} + In a tiered account configuration, a top-level source account enforces global security policies that apply to all of its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure recipient accounts independently from the source account, including: - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) 
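Review bot: the hunks at @@ -9,9 +9,7 @@ and @@ -25,6 +23,8 @@ remove one `{/* TODO */}` comment and add another to the published source. MDX comments do not render, but they ship in the repository and are easy to forget; the new one ("Rename this section and check if siloed accounts are relevant ... Fix the flow to match Orgs config") describes work this PR series should finish, so track it in the PR description and drop the comment before merge.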
@@ -65,6 +65,8 @@ flowchart TD n5@{ shape: lean-l} ``` +{/* TODO: Decide best way to surface limitations. Separate section? */} + :::caution[Limitations] Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. ::: From 52478402d537cfc666cfc5f4dc75a05ffaa5b160 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 18 Sep 2025 16:53:15 -0500 Subject: [PATCH 10/20] Update content type --- .../cloudflare-one/policies/gateway/tiered-policies/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index e76e6dbaf12cc10..128e14064228af0 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -1,5 +1,5 @@ --- -pcx_content_type: navigation +pcx_content_type: get-started title: Tiered policies sidebar: order: 15 From a74a9070908a0483f0447d2f4c4f5d1c3a9afa90 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 19 Sep 2025 15:15:07 -0500 Subject: [PATCH 11/20] Add MSP limitations --- .../gateway/tiered-policies/managed-service-providers.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index a314ba8672d72dd..221248d060865b5 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx 
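Review bot: the Limitations callout in the hunk at @@ -65,6 +65,8 @@ is ambiguous about scope: "Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks" can be read either as "shared policies cannot use these selectors and policy types" or as "recipient accounts lose these features". Device posture is the usual way to gate traffic on device trust, so state which reading is correct and, if it is the former, say explicitly that posture-based and egress policies must be created in each recipient account. The added TODO about where to surface the limitations should likewise be resolved before merge rather than left in the source.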
@@ -30,7 +30,9 @@ The Gateway Tenant platform supports tiered and siloed account configurations. In a tiered account configuration, a top-level parent account enforces global security policies that apply to all of its child accounts. Child accounts can override or add policies as needed while still being managed by the parent account. MSPs can also configure child accounts independently from the parent account, including: - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) + - Child accounts will use the block page setting used by the parent account unless you configure separate block settings for the child account. This applies to both [redirects](/cloudflare-one/policies/gateway/block-page/#redirect-to-a-block-page) and [custom block pages](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page). The block page uses the account certificate for each child account. - Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) + - If Gateway cannot attribute an incoming DNS query to a child account, it will use the parent account's certificate. This happens when the source IP address of the DNS query does not match a child account or if a custom DNS resolver endpoint is not configured. - Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) - Creating [lists](/cloudflare-one/policies/gateway/lists/) From 4923ba801638e4e961726d3238901c59d7be5717 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 19 Sep 2025 15:32:51 -0500 Subject: [PATCH 12/20] Remove silo --- .../gateway/tiered-policies/index.mdx | 29 +------------------ 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 128e14064228af0..c89ecf068b9979e 100644 
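Review bot: the new certificate note in the hunk at @@ -30,7 +30,9 @@ leaves out the user-visible consequence. If a DNS query cannot be attributed to a child account and Gateway "will use the parent account's certificate", a device that only trusts the child account's root CA will get a certificate error on the block page. Say that outright and turn the two listed causes into the remedy: map DNS locations so the query's source IP matches the child account, or configure a custom DNS resolver endpoint, so that attribution succeeds and the child's certificate is served. Minor wording: "Child accounts will use the block page setting used by the parent account" reads better as "Child accounts inherit the parent account's block page settings".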
--- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -19,7 +19,7 @@ To set up Cloudflare Organizations, refer to [Create an Organization](/fundament ## Account types -The Gateway Tenant platform supports tiered and siloed account configurations. +Tiered policies support tiered and siloed account configurations. ### Tiered accounts @@ -70,30 +70,3 @@ flowchart TD :::caution[Limitations] Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. ::: - -### Siloed accounts - -In a siloed account configuration, each account operates independently within the same tenant. Organization owners manage each account's own security policies, resources, and configurations separately. - -```mermaid -flowchart TD -%% Accessibility - accTitle: How Gateway policies work in a siloed account configuration - accDescr: Flowchart describing the order of precedence Gateway applies policies in a siloed account configuration. - -%% Flowchart - subgraph s1["Siloed account A"] - n1["Block social media"] - end - subgraph s2["Siloed account C"] - n2["Block instant messaging"] - end - subgraph s3["Siloed account B"] - n3["Block news"] - end - A["Organization owner"] -- Administers --> s1 & s3 & s2 - - n1@{ shape: lean-l} - n2@{ shape: lean-l} - n3@{ shape: lean-l} -``` From f9950bf5abac814a887edb9f31d30b999265d297 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 23 Sep 2025 14:36:39 -0500 Subject: [PATCH 13/20] Add section --- .../policies/gateway/tiered-policies/index.mdx | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index c89ecf068b9979e..9de8a5d2547d870 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
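Review bot: removing the Siloed accounts section leaves the preamble stale: "Tiered policies support tiered and siloed account configurations." still promises a siloed configuration that no longer exists on the page, and `### Tiered accounts` is now the only H3 under `## Account types`. Update the preamble (or fold the H3 into the H2) in this commit rather than a later one, so the series is coherent at every step.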
+++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -13,17 +13,11 @@ Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) ## Get started -{/* Don't need to surface much of the policy creation flow here */} - To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). ## Account types -Tiered policies support tiered and siloed account configurations. - -### Tiered accounts - -{/* TODO: Rename this section and check if siloed accounts are relevant (potentially fix H2 preamble above). Fix the flow to match Orgs config. */} +Accounts in organizations include source accounts and recipient accounts. In a tiered account configuration, a top-level source account enforces global security policies that apply to all of its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure recipient accounts independently from the source account, including: @@ -70,3 +64,5 @@ flowchart TD :::caution[Limitations] Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. ::: + +## Share policy From 5f2f5054a761d08252f035201433a3c158dce44a Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 23 Sep 2025 15:28:35 -0500 Subject: [PATCH 14/20] Update mermaid chart --- .../gateway/tiered-policies/index.mdx | 43 +++++++++++++------ .../docs/fundamentals/organizations.mdx | 6 +-- 2 files changed, 33 insertions(+), 16 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 9de8a5d2547d870..6d4fef4cbda8e02 100644 
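Review bot: the hunk at @@ -70,3 +64,5 @@ appends an empty `## Share policy` heading with no body. An empty section renders as a dangling heading; either add the content here or introduce the heading in the commit that fills it. The replacement preamble "Accounts in organizations include source accounts and recipient accounts." fixes the stale siloed reference, but source and recipient are roles an account plays rather than account types, so `## Account types` may no longer be the right heading for this section.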
--- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -11,6 +11,8 @@ Only available on Enterprise plans. For more information, contact your account t Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. +Managed service providers (MSPs) that are Cloudflare Partners can use tiered or siloed Gateway accounts with the Tenant API. For more information, refer to [Managed service providers (MSPs)](/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers/). + ## Get started To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). 
@@ -19,7 +21,7 @@ To set up Cloudflare Organizations, refer to [Create an Organization](/fundament Accounts in organizations include source accounts and recipient accounts. -In a tiered account configuration, a top-level source account enforces global security policies that apply to all of its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure recipient accounts independently from the source account, including: +In a tiered policy configuration, a top-level source account can share Gateway policies with its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure other settings for recipient accounts independently from the source account, including: - Configuring a [custom block page](/cloudflare-one/policies/gateway/block-page/) - Generating or uploading [root certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/) 
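Review bot: the rewording in the hunk at @@ -19,7 +21,7 @@ from "enforces global security policies that apply to all of its recipient accounts" to "can share Gateway policies with its recipient accounts" drops the enforcement statement from the lead sentence. Sharing is the mechanism; the property an administrator relies on is that a shared policy is evaluated in every recipient and cannot be removed there. Keep one clause to that effect here, for example "shares Gateway policies that are enforced in all of its recipient accounts", rather than leaving it to the "cannot bypass or modify" sentence two paragraphs later.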
@@ -28,35 +30,50 @@ In a tiered account configuration, a top-level source account enforces global se Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). -Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. +Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. ```mermaid flowchart TD %% Accessibility accTitle: How Gateway policies work in a tiered account configuration - accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration. + accDescr: Flowchart describing the order of precedence Gateway applies policies in a tiered account configuration using Cloudflare Organizations. 
%% Flowchart subgraph s1["Source account"] n1["Block malware"] - n2["Block DNS tunnel"] - n3["Block spyware"] + n2["Block spyware"] + n3["Block DNS tunnel"] end subgraph s2["Recipient account A"] + n5["Block malware"] + n6["Block spyware"] n4["Block social media"] end subgraph s3["Recipient account B"] - n5["Block instant messaging"] + n8["Block malware"] + n9["Block spyware"] + n10["Block DNS tunnel"] + n7["Block instant messaging"] end n1 ~~~ n2 n2 ~~~ n3 - s1 -- "Applies policies to" --> s2 & s3 - - n1@{ shape: lean-l} - n2@{ shape: lean-l} - n3@{ shape: lean-l} - n4@{ shape: lean-l} - n5@{ shape: lean-l} + s1 -- Share policies with --> s2 & s3 + + n1@{ shape: rect} + n2@{ shape: rect} + n3@{ shape: rect} + n4@{ shape: rect} + n5@{ shape: rect} + n1:::Sky + n2:::Sky + n3:::Peach + n5:::Sky + n6:::Sky + n8:::Sky + n9:::Sky + n10:::Peach + classDef Sky stroke-width:1px, stroke-dasharray:none, stroke:#374D7C, fill:#E2EBFF, color:#374D7C + classDef Peach stroke-width:1px, stroke-dasharray:none, stroke:#FBB35A, fill:#FFEFDB, color:#8F632D ``` {/* TODO: Decide best way to surface limitations. Separate section? */} diff --git a/src/content/docs/fundamentals/organizations.mdx b/src/content/docs/fundamentals/organizations.mdx index 755d31791761e4a..9a89de221e00365 100644 --- a/src/content/docs/fundamentals/organizations.mdx +++ b/src/content/docs/fundamentals/organizations.mdx 
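Review bot: the chart changes in the hunk at @@ -28,35 +30,50 @@ are not self-explaining. The accDescr still says the chart describes "the order of precedence Gateway applies policies", but the diagram now shows sharing (source policies duplicated into each recipient), not evaluation order; update the description to match. Recipient account A receives "Block malware" and "Block spyware" but not "Block DNS tunnel", and the Sky and Peach classes have no legend, so a reader cannot tell that the Peach policy is shared only with account B; add a sentence before the chart saying so. Also the `@{ shape: rect}` declarations cover n1 to n5 only while n6 to n10 are left to the default; rect is already the default, so either drop these lines or apply them to every node for consistency.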
@@ -54,7 +54,7 @@ You can also view specific data associated with your HTTP traffic by adding opti ## Shared Configurations -Create and enforce global policies across your organization or sub-organization with [WAF Custom Rulesets](/waf/custom-rules/) and [Gateway policies](/cloudflare-one/policies/gateway/). +Create and enforce global policies across your organization or sub-organization with [WAF Custom Rulesets](/waf/custom-rules/) and [Gateway tiered policies](/cloudflare-one/policies/gateway/tiered-policies/). By utilizing shared configurations, you can define a WAF custom ruleset that can apply to one or more accounts to be managed in a single place. @@ -71,5 +71,5 @@ Rename your organization and add or edit customer identification data related to ### Edit customer identification data 1. Select **Organizations** > **Manage Organization**. -2. From **Customer identification data**, select **Edit**. -3. Enter the information in the text fields and select **Save**. \ No newline at end of file +2. From **Customer identification data**, select **Edit**. +3. Enter the information in the text fields and select **Save**. From 0bd5d8a2256be4dbc85c4673c957a27e6b42869d Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 23 Sep 2025 16:17:45 -0500 Subject: [PATCH 15/20] Add manage policies section --- .../gateway/tiered-policies/index.mdx | 58 +++++++++++++++++-- 1 file changed, 53 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 6d4fef4cbda8e02..31471c14576956c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
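Review bot: in the fundamentals hunk at @@ -54,7 +54,7 @@ the link now points at Gateway tiered policies, but the next sentence, "By utilizing shared configurations, you can define a WAF custom ruleset that can apply to one or more accounts", still describes only the WAF case. Add the Gateway case in parallel (a shared Gateway policy applied to one or more accounts) so the paragraph matches its first sentence. The end-of-file newline fix in the second hunk is unrelated to the change and is worth a mention in the commit message.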
@@ -9,17 +9,17 @@ sidebar: Only available on Enterprise plans. For more information, contact your account team. ::: -Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. +Gateway supports using [Cloudflare Organizations](/fundamentals/organizations/) to share configurations between and apply specific policies to accounts within an Organization. Tiered Gateway policies with Organizations support [DNS](/cloudflare-one/policies/gateway/dns-policies/), [network](/cloudflare-one/policies/gateway/network-policies/), [HTTP](/cloudflare-one/policies/gateway/http-policies/), and [resolver](/cloudflare-one/policies/gateway/resolver-policies/) policies. Managed service providers (MSPs) that are Cloudflare Partners can use tiered or siloed Gateway accounts with the Tenant API. For more information, refer to [Managed service providers (MSPs)](/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers/). ## Get started -To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). +To set up Cloudflare Organizations, refer to [Create an Organization](/fundamentals/organizations/#create-an-organization). Once you have provisioned and configured your Organization's accounts, you can create [Gateway policies](/cloudflare-one/policies/gateway/). ## Account types -Accounts in organizations include source accounts and recipient accounts. 
+Zero Trust accounts in Cloudflare Organizations include source accounts and recipient accounts. In a tiered policy configuration, a top-level source account can share Gateway policies with its recipient accounts. Recipient accounts can add policies as needed while still being managed by the source account. Organization owners can also configure other settings for recipient accounts independently from the source account, including: @@ -28,7 +28,7 @@ In a tiered policy configuration, a top-level source account can share Gateway p - Mapping [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) - Creating [lists](/cloudflare-one/policies/gateway/lists/) -Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). +Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an Organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. 
@@ -82,4 +82,52 @@ flowchart TD Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. ::: -## Share policy +## Manage policies + +You can make changes to your tiered policies in the source account for your Cloudflare Organization. + +### Share policy + +To share a Gateway policy from a source account to a recipient account: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +2. Choose the policy type you want to share. If you want to share a resolver policy, go to **Gateway** > **Resolver policies**. +3. Find the policy you want to share from the list. +4. In the three-dot menu, select **Share**. +5. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all of the recipient accounts in your Organization, choose _Select all accounts in org_. +6. Select **Continue**, then select **Share**. + +{/* TODO: Find actual time estimate. */} + +A sharing icon will appear next to the policy's name. After a few minutes, the policy will appear in the recipient accounts' Gateway policies. Shared policies will appear grayed out in the recipient account's list of Gateway policies. + +If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable. + +### Edit share recipients + +To change or remove recipients for a Gateway policy: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +2. Choose the policy type you want to edit. If you want to edit a resolver policy, go to **Gateway** > **Resolver policies**. +3. Find the policy you want to edit from the list. +4. In the three-dot menu, select **Edit shared configuration recipients**. +5. In **Select account**, choose the accounts you want to share the policy with. To remove a recipient, select **Remove** next to the recipient account's name. +6. 
Select **Continue**, then select **Save**. + +After a few minutes, the policy sharing will update across the configured recipient accounts. + +### Remove policy share + +To stop sharing a policy with all recipient accounts: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. +2. Choose the policy type you want to remove. If you want to remove a resolver policy, go to **Gateway** > **Resolver policies**. +3. Find the policy you want to remove from the list. +4. In the three-dot menu, select **Unshare**. +5. Select **Unshare**. + +After a few minutes, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account. + +### Edit shared policy + +When you edit or delete a shared policy in a source account, Gateway will require confirmation before making any changes. Changes made to shared policies will apply to all recipient accounts. Deleting a shared policy will delete the policy from both the source account and all recipient accounts. From d976c222c2101d58ce6d88f1aa4f4f9df8c7a5de Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 23 Sep 2025 17:07:07 -0500 Subject: [PATCH 16/20] Add settings share --- .../gateway/tiered-policies/index.mdx | 68 ++++++++++++++++--- 1 file changed, 58 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 31471c14576956c..e9a19e143cec988 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
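Review bot: the failure path in "Share policy" is under-specified: "If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable" does not say where an unrecoverable error is surfaced or how an administrator confirms the policy actually landed. A Block policy that silently failed to deploy leaves the recipient unprotected while the source account still shows the sharing icon, so add where the error appears and how to verify (the grayed-out entry in the recipient's policy list is the only hint given). Two smaller points in the same hunk: in "Remove policy share", step 2 says "Choose the policy type you want to remove ... If you want to remove a resolver policy", which reads as deleting the policy; use "unshare". And "Deleting a shared policy will delete the policy from both the source account and all recipient accounts" deserves the page's `:::caution` callout, since it is the one destructive cross-account action in the section.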
@@ -84,7 +84,7 @@ Tiered policies do not support egress policies, device posture selectors, privat ## Manage policies -You can make changes to your tiered policies in the source account for your Cloudflare Organization. +You can create, configure, and share your tiered policies in the source account for your Cloudflare Organization. ### Share policy 
@@ -92,14 +92,13 @@ To share a Gateway policy from a source account to a recipient account: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. Choose the policy type you want to share. If you want to share a resolver policy, go to **Gateway** > **Resolver policies**. -3. Find the policy you want to share from the list. -4. In the three-dot menu, select **Share**. -5. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all of the recipient accounts in your Organization, choose _Select all accounts in org_. -6. Select **Continue**, then select **Share**. +3. Find the policy you want to share from the list. In the three-dot menu, select **Share**. Alternatively, to bulk share multiple policies, you can select each policy you want to share, then select **Actions** > **Share**. +4. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. +5. Select **Continue**, then select **Share**. {/* TODO: Find actual time estimate. */} -A sharing icon will appear next to the policy's name. After a few minutes, the policy will appear in the recipient accounts' Gateway policies. Shared policies will appear grayed out in the recipient account's list of Gateway policies. +A sharing icon will appear next to the policy's name. After a few minutes, the policy will appear in and apply the recipient accounts. Shared policies will appear grayed out in the recipient account's list of Gateway policies. If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable. 
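Review bot: grammar in the rewritten sentence in the hunk at @@ -92,14 +92,13 @@: "the policy will appear in and apply the recipient accounts" is missing "to" ("appear in and apply to the recipient accounts"). The added clarification that _Select all accounts in org_ covers "all existing and future recipient accounts" is the important behavioural detail here; give it its own sentence, because it means any account later added to the Organization inherits the policy with no further action.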
@@ -116,18 +115,67 @@ To change or remove recipients for a Gateway policy: After a few minutes, the policy sharing will update across the configured recipient accounts. -### Remove policy share +:::note +If you selected _Select all accounts in org_ when sharing the policy, you will need to [unshare the policy](#unshare-policy) before you can edit its recipient accounts. +::: + +### Unshare policy To stop sharing a policy with all recipient accounts: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. 2. Choose the policy type you want to remove. If you want to remove a resolver policy, go to **Gateway** > **Resolver policies**. -3. Find the policy you want to remove from the list. -4. In the three-dot menu, select **Unshare**. -5. Select **Unshare**. +3. Find the policy you want to remove from the list. In the three-dot menu, select **Unshare**. Alternatively, to bulk remove multiple policies, you can select each policy you want to remove, then select **Actions** > **Unshare**. +4. Select **Unshare**. After a few minutes, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account. ### Edit shared policy When you edit or delete a shared policy in a source account, Gateway will require confirmation before making any changes. Changes made to shared policies will apply to all recipient accounts. Deleting a shared policy will delete the policy from both the source account and all recipient accounts. + +## Manage settings + +You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page, extended email address matching, and Access login methods. + +{/* TODO: Turn these sections into a flexible partial or tabs. */} + +### Share Gateway block page + +To share your [Gateway block page](/cloudflare-one/policies/gateway/block-page/) settings from a source account to a recipient account: + +1. 
In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom pages**. +2. In **Account Gateway block page**, select the three-dot menu and choose **Share**. +3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. +4. Select **Continue**, then select **Share**. + +A sharing icon will appear next to the setting. After a few minutes, the setting will appear in and apply to the recipient accounts. + +To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**. + +### Share extended email address matching + +To share your [extended email address matching](/cloudflare-one/policies/gateway/identity-selectors/#extended-email-addresses) settings from a source account to a recipient account: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**. +2. In **Firewall** > **Matched extended email address**, select the three-dot menu and choose **Share**. +3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. +4. Select **Continue**, then select **Share**. + +A sharing icon will appear next to the setting. After a few minutes, the setting will appear in and apply to the recipient accounts. + +To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**. + +### Share Access login methods + +To share your [Access login method](/cloudflare-one/identity/) settings from a source account to a recipient account: + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. +2. 
In **Login methods**, find the identity provider you want to share. +3. Select the three-dot menu and choose **Share**. +4. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. +5. Select **Continue**, then select **Share**. + +A sharing icon will appear next to the identity provider's name. After a few minutes, the setting will appear in and apply to the recipient accounts. + +To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**. From e96a10b60886945d924781036e054917866ab98b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 24 Sep 2025 14:50:55 -0500 Subject: [PATCH 17/20] Remove Access login methods --- .../gateway/tiered-policies/index.mdx | 20 ++----------------- .../managed-service-providers.mdx | 2 -- 2 files changed, 2 insertions(+), 20 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index e9a19e143cec988..436038afc9d2827 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -76,11 +76,9 @@ flowchart TD classDef Peach stroke-width:1px, stroke-dasharray:none, stroke:#FBB35A, fill:#FFEFDB, color:#8F632D ``` -{/* TODO: Decide best way to surface limitations. Separate section? */} +### Limitations -:::caution[Limitations] Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. -::: ## Manage policies 
@@ -136,7 +134,7 @@ When you edit or delete a shared policy in a source account, Gateway will requir ## Manage settings -You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page, extended email address matching, and Access login methods. +You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page and extended email address matching. {/* TODO: Turn these sections into a flexible partial or tabs. */} @@ -165,17 +163,3 @@ To share your [extended email address matching](/cloudflare-one/policies/gateway A sharing icon will appear next to the setting. After a few minutes, the setting will appear in and apply to the recipient accounts. To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**. - -### Share Access login methods - -To share your [Access login method](/cloudflare-one/identity/) settings from a source account to a recipient account: - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. -2. In **Login methods**, find the identity provider you want to share. -3. Select the three-dot menu and choose **Share**. -4. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. -5. Select **Continue**, then select **Share**. - -A sharing icon will appear next to the identity provider's name. After a few minutes, the setting will appear in and apply to the recipient accounts. - -To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**. 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx index 221248d060865b5..520138c4cdce880 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/managed-service-providers.mdx @@ -17,8 +17,6 @@ The Tenant platform only supports [DNS policies](/cloudflare-one/policies/gatewa ## Get started -{/* Don't need to surface much of the policy creation flow here */} - To set up the Tenant API, refer to [Get started](/tenant/get-started/). Once you have provisioned and configured your customer's Cloudflare accounts, you can create [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). ## Account types From f1a3c40f649ccba4f68a9ee6d4ae0c47af948692 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 24 Sep 2025 15:20:42 -0500 Subject: [PATCH 18/20] Update limitations --- .../cloudflare-one/policies/gateway/tiered-policies/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 436038afc9d2827..0ce3fbc9f472850 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
@@ -78,7 +78,7 @@ flowchart TD ### Limitations -Tiered policies do not support egress policies, device posture selectors, private apps, or virtual networks. +Tiered policies do not support [egress policies](/cloudflare-one/policies/gateway/egress-policies/). You cannot share policies with selectors that target [device posture checks](/cloudflare-one/identity/devices/), [Access private apps](/cloudflare-one/applications/non-http/self-hosted-private-app/), or [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/). ## Manage policies From 3691e6b734aa916b00cca8bcc5dc7beed7ed3d95 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 24 Sep 2025 15:29:37 -0500 Subject: [PATCH 19/20] Add more details --- .../policies/gateway/tiered-policies/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 0ce3fbc9f472850..8a499f506aa30cb 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx 
@@ -30,7 +30,7 @@ In a tiered policy configuration, a top-level source account can share Gateway p Gateway will automatically [generate a unique root CA](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) for each recipient account in an Organization. Each recipient account is subject to the default Zero Trust [account limits](/cloudflare-one/account-limits/). -Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. +Gateway evaluates source account policies before any recipient account policies. In a Cloudflare Organization, recipient accounts cannot bypass or modify source account policies. All traffic and corresponding policies, logs, and configurations for a recipient account will be contained to that recipient account. Organization owners can view logs for recipient accounts on a per-account basis, and [Logpush jobs](/logs/logpush/) must be configured separately. When using DLP policies with [payload logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules), each recipient account must configure its own [encryption public key](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key). ```mermaid flowchart TD 
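Review bot: the added DLP payload-logging sentence says each recipient account must configure its own encryption public key, but not what happens to a shared policy with payload logging in a recipient that has not set one (payload not logged, policy not applied, or share fails). Stating the outcome here lets admins check recipients before sharing instead of learning it from a failed share.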
@@ -78,7 +78,7 @@ flowchart TD ### Limitations -Tiered policies do not support [egress policies](/cloudflare-one/policies/gateway/egress-policies/). You cannot share policies with selectors that target [device posture checks](/cloudflare-one/identity/devices/), [Access private apps](/cloudflare-one/applications/non-http/self-hosted-private-app/), or [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/). +Tiered policies do not support [egress policies](/cloudflare-one/policies/gateway/egress-policies/). Source accounts cannot share policies with selectors that target [device posture checks](/cloudflare-one/identity/devices/), [Access private apps](/cloudflare-one/applications/non-http/self-hosted-private-app/), or [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/). Source and recipient accounts can still create and apply policies with these selectors separately from the Organization share. ## Manage policies @@ -134,7 +134,7 @@ When you edit or delete a shared policy in a source account, Gateway will requir ## Manage settings -You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page and extended email address matching. +You can share Zero Trust settings from your source account to recipient accounts in your Cloudflare Organization, including the Gateway block page and extended email address matching. Other Gateway settings configured in a source account, such as [AV scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) and [file sandboxing](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/), will not affect recipient account configurations. {/* TODO: Turn these sections into a flexible partial or tabs. */} From 6b0b8b3c7bcf269c61b2be35d2ae569d10561933 Mon Sep 17 00:00:00 2001 
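Review bot: the new sentence that AV scanning and file sandboxing configured in a source account do not affect recipient accounts is easy to miss in the middle of the Manage settings intro; since an Organization owner could otherwise assume source-account scanning protects recipient traffic, consider moving it into its own :::note callout, as this file already does for the "Select all accounts in org" caveat, or adding it to the Limitations hunk earlier in this patch.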
From: Max Phillips Date: Thu, 25 Sep 2025 13:46:33 -0500 Subject: [PATCH 20/20] Remove temporal references --- .../policies/gateway/tiered-policies/index.mdx | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx index 8a499f506aa30cb..142d6f410f28a23 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/tiered-policies/index.mdx @@ -94,9 +94,7 @@ To share a Gateway policy from a source account to a recipient account: 4. In **Select account**, choose the accounts you want to share the policy with. To share the policy with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. 5. Select **Continue**, then select **Share**. -{/* TODO: Find actual time estimate. */} - -A sharing icon will appear next to the policy's name. After a few minutes, the policy will appear in and apply the recipient accounts. Shared policies will appear grayed out in the recipient account's list of Gateway policies. +A sharing icon will appear next to the policy's name. When sharing is complete, the policy will appear in and apply the recipient accounts. Shared policies will appear grayed out in the recipient account's list of Gateway policies. If a policy fails to share to recipient accounts, Gateway will retry deploying the policy automatically unless the error is unrecoverable. 
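Review bot: the "apply the recipient accounts" wording survives the temporal-reference rewrite in this hunk; while touching the line, change it to "apply to the recipient accounts" so it matches the other sections' "appear in and apply to the recipient accounts".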
@@ -111,7 +109,7 @@ To change or remove recipients for a Gateway policy: 5. In **Select account**, choose the accounts you want to share the policy with. To remove a recipient, select **Remove** next to the recipient account's name. 6. Select **Continue**, then select **Save**. -After a few minutes, the policy sharing will update across the configured recipient accounts. +When sharing is complete, the policy sharing will update across the configured recipient accounts. :::note If you selected _Select all accounts in org_ when sharing the policy, you will need to [unshare the policy](#unshare-policy) before you can edit its recipient accounts. @@ -126,7 +124,7 @@ To stop sharing a policy with all recipient accounts: 3. Find the policy you want to remove from the list. In the three-dot menu, select **Unshare**. Alternatively, to bulk remove multiple policies, you can select each policy you want to remove, then select **Actions** > **Unshare**. 4. Select **Unshare**. -After a few minutes, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account. +When sharing is complete, Gateway will stop sharing the policy with all recipient accounts and only apply the policy to the source account. ### Edit shared policy 
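Review bot: "When sharing is complete, the policy sharing will update" repeats itself, and in the Unshare hunk "When sharing is complete, Gateway will stop sharing the policy" names the wrong operation as finishing. Suggest "When the update is complete, ..." for the recipient-edit hunk and "When unsharing is complete, ..." for the unshare hunk.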
@@ -147,7 +145,7 @@ To share your [Gateway block page](/cloudflare-one/policies/gateway/block-page/) 3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. 4. Select **Continue**, then select **Share**. -A sharing icon will appear next to the setting. After a few minutes, the setting will appear in and apply to the recipient accounts. +A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts. To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**. @@ -160,6 +158,6 @@ To share your [extended email address matching](/cloudflare-one/policies/gateway 3. In **Select account**, choose the accounts you want to share the settings with. To share the settings with all existing and future recipient accounts in your Organization, choose _Select all accounts in org_. 4. Select **Continue**, then select **Share**. -A sharing icon will appear next to the setting. After a few minutes, the setting will appear in and apply to the recipient accounts. +A sharing icon will appear next to the setting. When sharing is complete, the setting will appear in and apply to the recipient accounts. To modify share recipients or unshare the setting, select the three-dot menu and choose **Edit shared configuration recipients** or **Unshare**.