fix: add note clarifying Administrator role lacks ZT PII permission for Logpush (#30346)

tmcloughlin-cf · web-flow · commit 6d1893865032 · 2026-04-27T15:17:12.000Z
diff --git a/src/content/docs/logs/logpush/permissions.mdx b/src/content/docs/logs/logpush/permissions.mdx
@@ -37,6 +37,12 @@ The **Administrator Read only** and **Log Share Reader** roles only have access
 
 To view, create, update, or delete Logpush jobs for Zero Trust datasets (Access, Gateway, and DEX) users must have both the `Logs Edit` and `Zero Trust: PII Read` permissions.
 
+:::note
+
+The **Administrator** role includes `Logs Edit` but does not include `Zero Trust: PII Read`. A Super Administrator must explicitly assign the **Cloudflare Zero Trust PII** role as an add-on to any user who needs to manage Logpush jobs for Zero Trust datasets. Refer to [Zero Trust roles and permissions](/cloudflare-one/roles-permissions/) for more information.
+
+:::
+
 If you encounter the error `reading job for product '<product>' is not allowed (1004)`, this indicates that the API token you are using does not have the required permissions. Ensure your token or user account has both permissions listed above.
 
 For more details, refer to the [Logpush Permission Update for Zero Trust Datasets](https://developers.cloudflare.com/changelog/2025-11-05-logpush-permissions-update/).
