Cloudflare

Cloudflare Organizations — Public Beta

UWA Organisation
Dashboard Design

Hierarchical account management  ·  Scoped access control  ·  Separate billing

UWA Australia (HQ)

UWA India

UWA Dubai

Section 01

Organisation Structure

Root org  ·  Child accounts  ·  Single pane of glass

UWA Cloudflare Organisation Hierarchy

Root Organisation

UWA Australia

Perth HQ  ·  Org Super Admins reside here

Child Account

UWA Perth (HQ)

Central IT team
Existing Enterprise account

plan: Enterprise

Child Account

UWA India

India campus IT team
Scoped local admins

plan: Enterprise

Child Account

UWA Dubai

NY campus IT team
Scoped local admins

plan: Enterprise

Organisation supports up to 500 accounts and 5,000 zones — UWA can expand to additional campuses without limit concerns.

Single Pane of Glass — What UWA Central IT Gets

Unified Analytics

  • Aggregate HTTP traffic across all campus accounts
  • Filter by account, date range, or domain
  • Download reports spanning all campuses
  • Single view for security events org-wide

Shared Security Policies

  • Push WAF custom rules to all campus accounts
  • Share Gateway DNS / HTTP / Network policies
  • Policies apply instantly across all recipients
  • Campus accounts see shared rules as read-only

Centralised Member Management

  • Invite central IT once at Org level
  • Implicit access to every child account
  • No need to manage per-account memberships
  • Granular campus roles managed at account level

Infrastructure as Code

  • Manage the whole Org via Terraform provider
  • Provision accounts, assign members, push configs
  • Audit all changes via Org-level audit log
  • API-first — everything in the UI is also in the API

Section 02

Admin Roles &
Access Control

Org Super Admin  ·  Implicit access  ·  Campus-scoped admins

Organisation Super Admin — How It Works

Implicit Access

An Org Super Admin automatically has Super Administrator permissions on every child account in the organisation — without needing to be explicitly added to each one.

1

Central IT invited once

Added as Org Super Admin at the Organisation level only

2

Access cascades automatically

They immediately have Super Admin access on UWA Perth, UWA India, and UWA Dubai accounts

3

New campuses inherit automatically

Adding a new campus account to the Org instantly grants central IT access — no manual steps

Recommended assignment

ORG LEVEL

UWA Central IT (Perth)

  • Full visibility and control across all campuses
  • Can push shared WAF + Gateway policies
  • Access to unified analytics dashboard
  • Manages Org membership and structure
ACCOUNT LEVEL

Campus IT Teams

  • Added directly to their own campus account only
  • Full control within their account (zones, WAF, Workers)
  • Cannot see or touch other campus accounts
  • Cannot see Org-level dashboard or settings

Note: During the public beta, Org Super Admin is the only Org-level role available. Granular Org roles are on the roadmap for later in 2026.

Restricting India Admin to UWA India Only

Key Principle

Do not add India admins at the Org level. Add them only as members of the UWA India account directly. They will have no visibility of any other account.

Setup steps

1

Create UWA India account

Separate Cloudflare account for the India campus

2

Add India admin at account level

Dashboard → UWA India Account → Members → Invite

3

Assign account-level role

e.g. Account Administrator or a custom scoped role

4

Assign UWA India to the Org

Central IT assigns the account to the Org — India admin is unaffected

Resulting access model

Who can access what?

User UWA Perth UWA India UWA Dubai Org Dashboard
Central IT
Org Super Admin		 ✓ Full ✓ Full ✓ Full ✓ Full
India Admin
Account member		 ✗ None ✓ Full ✗ None ✗ None
NY Admin
Account member		 ✗ None ✗ None ✓ Full ✗ None

India and Dubai admins operate completely independently — full control within their own account, zero cross-campus visibility. UWA Perth retains full oversight via the Org dashboard.

Central Enforcement — Shared Policies

WAF Custom Rules

  • Author once at Org level — push to all campus accounts
  • Campus accounts see shared rules as locked / read-only
  • Local campus teams can still add their own rules
  • Baseline protection enforced university-wide

Example: Block all traffic from non-university IP ranges, OWASP top-10 rules, rate limits on login pages

Gateway Tiered Policies

  • Share DNS, HTTP, Network, and Resolver policies
  • Source account (Perth) creates and distributes policies
  • All campus accounts enforce the same policies
  • Policies deploy within ~2 minutes of sharing

Example: Block malware categories, enforce SafeSearch, restrict access to approved SaaS apps across all campuses

Limitation: Shared Gateway policies cannot use device posture selectors, Detected Protocol selector, or the Quarantine action across accounts. Egress policies cannot be shared. Policies can only be shared within an Organisation — not to sub-organisations (not applicable in UWA's flat structure).

Section 03

Billing Structure

Separate accounts  ·  Independent invoices  ·  Campus autonomy

Billing — Separate Accounts, Separate Invoices

How it works

UWA Perth (HQ Account)

Invoice A

Enterprise plan charges, usage, add-ons billed to UWA Australia entity

UWA India Account

Invoice B

India campus plan charges billed separately — local budget ownership

UWA Dubai Account

Invoice C

NY campus plan charges billed separately — local budget ownership

Key billing facts

Naturally separate by design

Cloudflare bills per account. The multi-account structure directly satisfies UWA's requirement — no special configuration needed.

Child accounts can be any plan

Only the root Org creator needs Enterprise. Child campus accounts can be Pro, Business, or Enterprise — each priced independently.

No consolidated billing view (yet)

Billing roll-up across Org accounts is not available in the current beta. UWA finance receives one invoice per campus account. Cloudflare's account team can assist with consolidated reporting.

Billing remains with account owner

Org Super Admin access does not grant billing admin rights on child accounts. Each campus controls its own payment method.

Section 04

Beta Status &
Roadmap

Current limitations  ·  What's coming  ·  Getting started

Current Beta Limitations

Limitations Now

  • Only one Org role: Super Admin (all-or-nothing)
  • No sub-organisations for enterprise accounts
  • Account removal requires contacting Support
  • Org deletion is API-only (no dashboard button)
  • No consolidated billing view across accounts
  • All Org members must have 2FA or SSO enabled
  • Each user can only create one Organisation

Coming Later in 2026

  • Granular Org-level roles (e.g. read-only, billing-only)
  • Self-service account removal from Org
  • Org deletion via dashboard
  • Consolidated billing / usage rollup view
  • Additional shared policy types
  • Sub-organisations for enterprise customers

Impact on UWA: The most relevant near-term gap is the single Org role — UWA Central IT cannot delegate a read-only observer role to a campus stakeholder at Org level. In the interim, campus oversight for non-admins is handled at the account level. This is expected to be resolved during 2026.

Next Steps — Getting UWA Started

Action plan

1

Confirm Enterprise plan eligibility

Org creation requires an existing Enterprise account — verify with your AE / AM

2

Enable 2FA or SSO on UWA Perth account

Required prerequisite for Org creation — all Org members must have it enabled

3

Create the UWA Organisation

Dashboard → Organizations → Create organisation → "UWA Australia"

4

Provision campus accounts + assign to Org

Create or assign existing UWA India and UWA Dubai accounts

5

Invite Central IT as Org Super Admin

Org → Members → Invite — they get implicit access to all campus accounts

6

Add campus admins at account level

Add India and NY admins directly to their respective campus accounts only

Solution summary

Structure

1 Organisation (UWA Australia) → 3 child accounts (Perth HQ, India, Dubai). Flat hierarchy with centralised Org view.

Central Oversight

Perth Central IT = Org Super Admin. Implicit access to all campuses, unified analytics, shared policy enforcement.

Campus Autonomy

Campus IT = Account-level members only. Full control within their account, zero cross-campus visibility.

Billing

Separate invoice per campus account, naturally aligned to UWA's requirement. No additional configuration needed.

Docs: developers.cloudflare.com/fundamentals/organizations/  ·  Feature is in Public Beta — available to Enterprise customers today.

Download PDF