diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx
index 88d5adbb69cdcb..07d493b176236f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/tunnel-permissions.mdx
@@ -6,6 +6,8 @@ sidebar:
---
+import { Render } from "~/components";
+
Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:
* **An account certificate** (`cert.pem`) is issued for a Cloudflare account when you login to `cloudflared`. Make sure you are intentional about the locations and machines you store this certificate on, as this certificate allows users to create, delete, and manage all tunnels for the account.
@@ -26,8 +28,10 @@ Refer to the table below for a comparison between the two files and the purposes
| **Valid for** | At least 10 years, and the service token it contains is valid until revoked | Does not expire |
| **Needed to** | Manage tunnels (for example, create, route, delete and list tunnels) | Run a tunnel. Create a config file. |
-
-
## Tunnel ownership
Tunnel ownership is bound to the Cloudflare account for which the `cert.pem` file was issued upon authenticating `cloudflared`. If a user in a Cloudflare account creates a tunnel, any other user in the same account who has access to the `cert.pem` file for the account can delete, list, or otherwise manage tunnels within it.
+
+## Account-scoped roles
+
+
\ No newline at end of file
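Review bot: The `## Account-scoped roles` heading added at the end of this hunk is followed only by empty added lines, so as shown the section has no body and the `Render` import added at the top of the file has no visible use. If the section is meant to include the new `account-scoped-roles` partial, that include should appear under the heading; otherwise drop both the heading and the import. Because this page states that anyone in the account with access to `cert.pem` can delete, list, or manage its tunnels, the new section should also say how account roles relate to that file for locally-managed tunnels. The file now ends without a trailing newline.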
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx
index 55d147a40641cc..982fb37c85ad0f 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-management.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 1
---
-import { TabItem, Tabs } from "~/components";
+import { TabItem, Tabs, Render } from "~/components";
If you created a Cloudflare Tunnel [from the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/), the tunnel runs as a service on your OS.
@@ -310,4 +310,4 @@ The tunnel token is now fully rotated. The old token is no longer in use.
### Account-scoped roles
-Account members with [Cloudflare Access](/cloudflare-one/roles-permissions/) and [DNS](/fundamentals/setup/manage-members/roles/) permissions will be able to create, delete, and configure all tunnels for the account.
+
\ No newline at end of file
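Review bot: Under `### Account-scoped roles` the only sentence is removed and replaced by an empty added line, so as shown the section no longer tells readers which permissions let a member create, delete, and configure all tunnels for the account. The `Render` import added in the first hunk of this file also has no visible use. Confirm the partial include is present under the heading, and add a trailing newline at the end of the file.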
diff --git a/src/content/docs/fundamentals/setup/manage-members/roles.mdx b/src/content/docs/fundamentals/setup/manage-members/roles.mdx
index 924c368bccce2f..f4d2eb54cdff95 100644
--- a/src/content/docs/fundamentals/setup/manage-members/roles.mdx
+++ b/src/content/docs/fundamentals/setup/manage-members/roles.mdx
@@ -25,7 +25,7 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/setup/account/account-security/review-audit-logs/). |
| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations for all domains in account. |
| Billing | Can edit the account’s [billing profile](/fundamentals/subscriptions-and-billing/create-billing-profile/) and subscriptions |
-| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) policies. |
+| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) and [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). |
| Cache Purge | Can purge the edge cache. |
| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). |
| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/). |
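Review bot: In the changed Cloudflare Access row, "Can edit ... Cloudflare Tunnel" understates the scope that the sentence removed from remote-management.mdx spelled out, namely that these members can create, delete, and configure all tunnels for the account. Suggest wording along the lines of "Can edit Cloudflare Access policies and create, delete, and configure all Cloudflare Tunnels in the account", so that whoever assigns the role sees its reach. The new text also drops the word "policies" while the link still points to `/cloudflare-one/policies/access/`; keep the label and the target consistent.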
diff --git a/src/content/partials/cloudflare-one/tunnel/account-scoped-roles.mdx b/src/content/partials/cloudflare-one/tunnel/account-scoped-roles.mdx
new file mode 100644
index 00000000000000..d4199c77c7a3ad
--- /dev/null
+++ b/src/content/partials/cloudflare-one/tunnel/account-scoped-roles.mdx
@@ -0,0 +1,10 @@
+---
+{}
+
+---
+
+Minimum permissions needed to create, delete, and configure tunnels for an account:
+- [Cloudflare Access](/cloudflare-one/roles-permissions/)
+
+Additional permissions needed to [route traffic to a public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
+- [DNS](/fundamentals/setup/manage-members/roles/)
\ No newline at end of file
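Review bot: The first sentence of the partial says "create, delete, and configure tunnels for an account", which loses the "all tunnels" wording of the sentence it replaces in remote-management.mdx; keep "all" so the account-wide scope of the role stays explicit. The Cloudflare Access link here targets `/cloudflare-one/roles-permissions/` while the roles table in this patch links the same role to `/cloudflare-one/policies/access/`, and the DNS link goes to the generic roles page rather than a specific role, so pick one target per role. The front matter has an empty line between `{}` and the closing `---`, and the file ends without a trailing newline.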