seanho00
commented
4 years ago - Zone / Zone / Read
- Zone / DNS / Edit
- Zones: include zone for domain that needs cert
If using CNAME to a lesser-privileged zone, I believe the original zone needs Zone/Zone/Read, and the lesser-privileged zone needs Zone/DNS/Edit. But since CF doesn't let me specify different permissions for the same token on different zones, this kind of defeats the purpose of using a lesser-privileged zone.
References:
What scope is needed?
https://community.cloudflare.com/t/bug-zone-detail-by-name-requires-zone-list-permission/128042/12