Comment by aetherspawn
8 hours ago
Please add resource groups and the ability to enforce permissions per resource group before you do this so that we don’t have agents (or people) blowing up prod from their command line. Thank you.
Currently you can only enforce zone-based permissions (domain based) BUT plenty of resources, such as workers, don’t belong to zones so essentially their code can be replaced or deleted with the lowest level permission. And there’s no way to block it…
Alternatively if you could please allow us to create multiple accounts that share a single super account (for SSO and such), similar to GitHub Enterprise which has Enterprises and Organisations. Then we could have ACME Corp. and ACME Corp (Prod) and segregate the two and resource groups wouldn’t be strictly required.
Is it what CloudFlare Organization is about? https://blog.cloudflare.com/organizations-beta/
Superaccount + subaccounts would be great, even if that meant domains can’t be shared between them.
Yeah I don’t mind this, we can move our entire prod domains into another account.
The only reason we can’t right now is because SSO can’t exist for multiple accounts at once.
Second this. Workers being non zone-based makes them less useful to me.