Summary and recommendation
Cloudflare user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Cloudflare splits user management across two distinct surfaces: the core dashboard (zone and account administration) and Cloudflare One (Zero Trust, Access, Gateway).
Every app your team needs to secure or manage may require access in one or both surfaces, so understanding which surface governs which users is the first step before making any changes.
Dashboard membership is invitation-based and role-driven.
Roles range from Super Administrator down to scoped roles like DNS or Firewall, and members can hold multiple roles simultaneously.
Zone-scoping lets you restrict a member to specific zones rather than the full account.
Quick facts
| Item | Value |
|---|---|
| Admin console path | Cloudflare Dashboard → (Select Account) → Manage Account → Members |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Super Administrator - All Privileges | Full read and write access to all account resources, billing, and member management. Can add/remove members and change roles. | | All plans | No per-seat cost for dashboard access on standard plans | Only one Super Administrator role is assigned to the account owner by default; transferring ownership requires contacting Cloudflare support. |
| Administrator | Full access to all zones and account settings except billing and member management. | Cannot manage billing or add/remove account members. | All plans | No per-seat cost for dashboard access on standard plans | |
| Administrator Read Only | Read-only access to all zones and account settings. | Cannot make any configuration changes. | All plans | No per-seat cost for dashboard access on standard plans | |
| Billing | Access to billing profile, payment methods, and invoices. | Cannot access zone or account configuration settings. | All plans | No per-seat cost for dashboard access on standard plans | |
| DNS | Read and write access to DNS settings for all zones in the account. | Cannot access non-DNS zone settings or account-level settings. | All plans | No per-seat cost for dashboard access on standard plans | |
| Firewall | Read and write access to firewall rules and settings for all zones. | Cannot access non-firewall zone settings or account-level settings. | All plans | No per-seat cost for dashboard access on standard plans | |
| Cloudflare Zero Trust | Full access to Cloudflare Zero Trust (Access and Gateway) configuration. | Cannot access standard zone DNS/firewall settings or billing. | Cloudflare Zero Trust plan (Free tier supports up to 50 users) | $3/user/month (Access only), $5/user/month (Gateway only), $7/user/month (full suite); Enterprise custom pricing | Zero Trust users (end-users authenticating through Access) are counted separately from dashboard account members. |
| Cloudflare Zero Trust Read Only | Read-only access to Cloudflare Zero Trust configuration. | Cannot make configuration changes in Zero Trust. | Cloudflare Zero Trust plan | Same seat cost structure as Zero Trust role | |
Permission model
- Model type: role-based
- Description: Cloudflare uses a predefined set of account-level roles. Each invited member is assigned one or more roles that determine their access scope. Roles can be scoped to the entire account or to specific zones within the account. There is no fully custom role builder for standard plans; Enterprise accounts can work with Cloudflare to configure more granular access.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level granularity with optional zone-scoping. Members can be assigned multiple roles simultaneously. Zone-scoped roles restrict a member's access to only the specified zones rather than all zones in the account.
How to add users
- Log in to the Cloudflare dashboard at https://dash.cloudflare.com.
- Select the account from the account switcher.
- Navigate to Manage Account → Members.
- Click 'Invite Member'.
- Enter the invitee's email address.
- Select one or more roles to assign.
- Optionally restrict the member's access to specific zones by selecting zones under 'Scope'.
- Click 'Send Invite'.
- The invitee receives an email invitation and must accept it to gain access. If they do not have a Cloudflare account, they must create one first.
Required fields: the invitee's email address and at least one role selection.
Watch out for:
- The invitee must have or create a Cloudflare account using the invited email address before they can accept the invitation.
- Invitations expire; if the invitee does not accept in time, a new invitation must be sent.
- A member's email address is tied to their personal Cloudflare account; changing it requires the member to update their own profile.
- Zone-scoped role assignments are only available for certain roles; not all roles support zone-level scoping.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise (SCIM provisioning for dashboard members and Zero Trust users) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Account members can be removed from an account by a Super Administrator or Administrator. Removing a member revokes their access to the account immediately. This removes them from the account but does not delete their personal Cloudflare account. For Zero Trust users, deprovisioning via SCIM (Enterprise) revokes their access when they are deactivated in the connected IdP.
- Log in to the Cloudflare dashboard at https://dash.cloudflare.com.
- Select the account.
- Navigate to Manage Account → Members.
- Locate the member to remove.
- Click the 'Revoke' or remove button next to the member's name.
- Confirm the removal when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | DNS records, firewall rules, and other zone configurations created by the member remain in place after removal; they are not deleted. |
| Shared content | Configurations and settings made by the removed member persist in the account. |
| Integrations | API tokens created by the removed member under their own Cloudflare account are not automatically revoked; those tokens must be managed separately by the token owner. |
| License freed | For Zero Trust per-seat billing, removing a user from the Zero Trust organization frees the seat. Dashboard member removal on standard plans has no per-seat billing impact. |
Watch out for:
- The account owner (Super Administrator) cannot be removed without transferring ownership first; ownership transfer requires contacting Cloudflare support.
- API tokens belong to the individual user's Cloudflare account, not the organization account; removing a member does not invalidate their API tokens unless the tokens are explicitly revoked.
- For Zero Trust, end-users who authenticated via Access are tracked separately from dashboard members; removing a dashboard member does not remove them from Zero Trust user records if they previously authenticated.
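The three residual-access checks described in this section, as an added example (not code from Cloudflare or from this guide's authors): it audits departing users against constructed exports of dashboard members, Zero Trust users and an internally kept API-token register. All field names, the token register and the sample data are assumptions for illustration; the script makes no API calls.

```python
from dataclasses import dataclass, field

@dataclass
class Footprint:
    email: str
    actions: list = field(default_factory=list)   # remaining manual steps
    blockers: list = field(default_factory=list)  # things that must happen first

def audit_offboarding(leavers, members, zt_users, tokens):
    """Return one Footprint per departing email that still has residual access."""
    norm = lambda e: e.strip().lower()            # emails compared case-insensitively
    by_member = {norm(m["email"]): m for m in members}
    by_zt = {norm(u["email"]): u for u in zt_users}
    report = []
    for email in map(norm, leavers):
        fp = Footprint(email)
        m = by_member.get(email)
        if m:
            if m.get("owner"):
                # The account owner cannot be removed until ownership is transferred.
                fp.blockers.append("transfer account ownership before removal")
            scope = ", ".join(m.get("zones") or ["all zones"])
            fp.actions.append(f"remove dashboard member ({'/'.join(m['roles'])}; {scope})")
        u = by_zt.get(email)
        if u:
            # Tracked separately: dashboard removal does not touch this record.
            fp.actions.append("revoke Zero Trust sessions")
            if u.get("seat"):
                fp.actions.append("remove from Zero Trust organization to free seat")
        # Tokens live under the user's own Cloudflare account and survive removal.
        for t in tokens:
            if norm(t["owner"]) == email and t["status"] == "active":
                fp.actions.append(f"have owner revoke API token '{t['name']}'")
        if fp.actions or fp.blockers:
            report.append(fp)
    return report

# Constructed sample data; field names are assumptions for this example.
MEMBERS = [
    {"email": "Dana@example.com", "roles": ["DNS", "Firewall"], "zones": ["example.com"]},
    {"email": "owner@example.com", "roles": ["Super Administrator - All Privileges"], "owner": True},
]
ZT_USERS = [{"email": "dana@example.com", "seat": True},
            {"email": "sam@example.com", "seat": False}]
TOKENS = [{"owner": "dana@example.com", "name": "ci-dns-sync", "status": "active"},
          {"owner": "dana@example.com", "name": "old-test", "status": "revoked"}]
LEAVERS = ["dana@example.com", "sam@example.com", "owner@example.com", "gone@example.com"]

if __name__ == "__main__":
    for fp in audit_offboarding(LEAVERS, MEMBERS, ZT_USERS, TOKENS):
        print(fp.email, fp.blockers, *fp.actions, sep="\n  ")
```

A user who appears in none of the three inputs produces no entry, so an empty report for a leaver means no residual access was found in the data supplied, not that none exists elsewhere.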
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Cloudflare dashboard account member | Access to the Cloudflare dashboard for managing zones and account settings based on assigned role. | No per-seat charge on Free, Pro, Business, or Enterprise plans for dashboard access. |
| Cloudflare Zero Trust – Access only | User authentication through Cloudflare Access (identity-aware proxy for internal applications). | $3/user/month |
| Cloudflare Zero Trust – Gateway only | DNS and HTTP filtering through Cloudflare Gateway. | $5/user/month |
| Cloudflare Zero Trust – Full suite | Access + Gateway + additional Zero Trust features. | $7/user/month |
| Cloudflare Zero Trust – Free tier | Up to 50 users with core Access and Gateway features. | $0/month |
| Cloudflare Zero Trust – Enterprise | Full Zero Trust suite with SCIM provisioning, advanced policies, and dedicated support. | Custom pricing |
- Where to check usage: Cloudflare Dashboard → (Select Account) → Cloudflare One → Settings → Account → Seat Usage (for Zero Trust seats); billing overview at Manage Account → Billing
- How to identify unused seats: In Cloudflare Zero Trust, navigate to My Team → Users to view active and inactive users. Users who have not authenticated recently can be identified and removed to free seats.
- Billing notes: Zero Trust seats are counted based on unique users who have authenticated through Access or are enrolled in Gateway. The Free tier allows up to 50 seats at no cost. Seats above the free tier threshold are billed monthly per user. Standard Cloudflare dashboard membership (for zone/account management) does not incur per-seat charges on any plan tier.
The cost of manual management
Dashboard membership carries no per-seat charge on any plan tier - Free through Enterprise. Zero Trust seats are billed separately: Access-only at $3/user/month, Gateway-only at $5/user/month, and the full suite at $7/user/month, with a free tier covering up to 50 users.
SCIM-based automated provisioning and deprovisioning is gated to the Enterprise plan for Cloudflare One. On lower tiers, every offboarding action - across every app protected by Access - requires a manual step in the dashboard or a direct API call. There is no bulk deactivation shortcut outside of SCIM or the API.
The decision
Manual management is workable for small teams with stable membership and a single account. The role model is straightforward, zone-scoping gives reasonable access control, and dashboard access costs nothing extra.
The model breaks down at scale or during frequent offboarding. Every app a departing user could access via Cloudflare One must be individually addressed - dashboard membership removal, Zero Trust session revocation, and API token cleanup are three separate actions with no single kill switch below Enterprise SCIM.
Teams running more than a handful of Zero Trust-protected apps, or operating under compliance requirements for timely deprovisioning, will hit the limits of the manual approach quickly.
Bottom line
Cloudflare's manual user management is reliable for small, stable teams but requires deliberate process discipline to avoid leaving residual access behind. Dashboard removal, Zero Trust deprovisioning, and API token revocation are independent actions - missing any one of them leaves a gap.
SCIM closes the Zero Trust deprovisioning loop automatically, but it is an Enterprise-only feature, meaning teams on lower tiers must build and maintain their own offboarding checklist to cover every app a user could reach.