App for Cloudflare® requests the minimum needed permissions to fully use all the functions it can do. For those curious about why it needs a specific permission, these are all the permissions it needs and why:
Account.Access: Apps and Policies: Edit
Allows Zero Trust Network Access configuration to to be done (for things like securing the admin area of a site).
Account.Access: Organizations, Identity Providers, and Groups: Read
Allows check to make sure site has an identity provider setup (needed in order to create Zero Trust Network Access policies).
Account.Account Analytics: Read
Allows analytics data to be read for things at the Cloudflare account level (R2 and Turnstile statistics for example).
Account.Allow Request Tracer: Read
Allows the HTTP Request Trace tool to work.
Account.Billing: Read
This is used to determine if a zone is on a paid or free plan. When a site is using R2 for object storage, there's an additional optional setting that allows a site to use HMAC token authentication for a bucket (HMAC token authentication is not available on Cloudflare free plans), so the option to enable it is only presented to a site that is not on a free plan.
Account.Intel: Read
Allows the following tools to work:
Allows automatic configuration of Turnstile for a site.
Account.Workers R2 Storage: Edit
Allows using R2 object storage.
Account.Workers Scripts: Edit
Allows Workers to be automatically configured for things like image and unfurl proxies.
Zone.Analytics: Read
Allows zone-specific analytic data to be read (for things like site statistics shown in admin area).
Zone.Bot Management: Edit
Allows the bot management settings to be controlled.
Zone.Cache Purge: Purge
Allows the purge cache function to work (for manually purging the cache for an entire site as well as automatically selectively purging certain URLs as needed when guest page caching is enabled).
Zone.Cache Rules: Edit
Allows cache rules to be read and updated.
Zone.Firewall Services: Edit
Allows firewall rules to be read and updated (for things like IP and user agent blocking as well as more granular controls like country-level blocking or presenting users with managed challenges during registration).
Zone.Page Rules: Edit
Allows page rules to be read and updated.
Zone.SSL and Certificates: Edit
Allows SSL/TLS specific settings (for example Certificate Transparency Monitoring) to be managed from the settings area.
Zone.Zone: Edit
Allows certain settings (for example Crawler Hints) to be managed from the settings area.
Zone.Zone Settings: Edit
Allows general settings to be managed from the settings area.
Zone.Zone WAF: Edit
Allows firewall rules to be managed.
Account.Access: Apps and Policies: Edit
Allows Zero Trust Network Access configuration to to be done (for things like securing the admin area of a site).
Account.Access: Organizations, Identity Providers, and Groups: Read
Allows check to make sure site has an identity provider setup (needed in order to create Zero Trust Network Access policies).
Account.Account Analytics: Read
Allows analytics data to be read for things at the Cloudflare account level (R2 and Turnstile statistics for example).
Account.Allow Request Tracer: Read
Allows the HTTP Request Trace tool to work.
Account.Billing: Read
This is used to determine if a zone is on a paid or free plan. When a site is using R2 for object storage, there's an additional optional setting that allows a site to use HMAC token authentication for a bucket (HMAC token authentication is not available on Cloudflare free plans), so the option to enable it is only presented to a site that is not on a free plan.
Account.Intel: Read
Allows the following tools to work:
- IP address details
- Domain details
- WHOIS
Allows automatic configuration of Turnstile for a site.
Account.Workers R2 Storage: Edit
Allows using R2 object storage.
Account.Workers Scripts: Edit
Allows Workers to be automatically configured for things like image and unfurl proxies.
Zone.Analytics: Read
Allows zone-specific analytic data to be read (for things like site statistics shown in admin area).
Zone.Bot Management: Edit
Allows the bot management settings to be controlled.
Zone.Cache Purge: Purge
Allows the purge cache function to work (for manually purging the cache for an entire site as well as automatically selectively purging certain URLs as needed when guest page caching is enabled).
Zone.Cache Rules: Edit
Allows cache rules to be read and updated.
Zone.Firewall Services: Edit
Allows firewall rules to be read and updated (for things like IP and user agent blocking as well as more granular controls like country-level blocking or presenting users with managed challenges during registration).
Zone.Page Rules: Edit
Allows page rules to be read and updated.
Zone.SSL and Certificates: Edit
Allows SSL/TLS specific settings (for example Certificate Transparency Monitoring) to be managed from the settings area.
Zone.Zone: Edit
Allows certain settings (for example Crawler Hints) to be managed from the settings area.
Zone.Zone Settings: Edit
Allows general settings to be managed from the settings area.
Zone.Zone WAF: Edit
Allows firewall rules to be managed.
