Configuring user roles and permissions
Last updated 2021-10-22
Your Fastly account can be managed by multiple users through the role-based access controls in the web interface. These controls allow you to manage the scope of a user's service access and their specific permission levels for that service access, all based on the role assigned to them.
The roles, service access, and permission levels you assign to users do not affect their ability to submit requests to Fastly Customer Support.
User roles and what they can do
Fastly allows you to assign one of four different roles to each user allowed access to your account. In general, the abilities granted to each role are as follows:
- User. View stats and analytics for all services on an account.
- Billing. View billing information about an account. View stats and analytics information for all services on an account.
- Engineer. View configuration details, issue purge requests, and make configuration changes, including activating new service versions. Some of these abilities may be restricted on a per service basis.
- Superuser. Full account access, including service configuration, user access and control, and account management capabilities for an account. Superusers cannot close or cancel an account unless they are also the account owner.
Abilities granted to user roles are selective, not additive. Specifically, each role has access to the following functionality, if at all:
| Ability | User | Billing | Engineer | Superuser |
|---|---|---|---|---|
| View historical stats | Full access | Full access | Full access | Full access |
| View real-time service stats | Full access | Full access | Full access | Full access |
| View service configurations | Potential restrictions | Full access | Full access | Full access |
| Create services | No access | No access | Full access | Full access |
| Delete services | No access | No access | Potential restrictions | Full access |
| Configure services | No access | No access | Potential restrictions | Full access |
| Compare service versions | No access | No access | Potential restrictions | Full access |
| Deactivate services | No access | No access | Potential restrictions | Full access |
| Purge | No access | No access | Potential restrictions | Full access |
| View and download generated VCL | No access | No access | Potential restrictions | Full access |
| Customize VCL | No access | No access | Potential restrictions | Full access |
| TLS management | Potential restrictions | Potential restrictions | Potential restrictions | Full access |
| Account & Organization | | | | |
| Update personal profile settings | Full access | Full access | Full access | Full access |
| Update company settings | No access | No access | No access | Full access |
| Invite all new user roles | No access | No access | No access | Full access |
| Invite new engineer and user roles (API only) | No access | No access | Full access | No access |
| Assign and change roles and permissions | No access | No access | No access | Full access |
| Issue password resets | No access | No access | No access | Full access |
| Delete account users | No access | No access | No access | Full access |
| Enable and disable personal 2FA | Full access | Full access | Full access | Full access |
| Enable and disable company-wide 2FA | No access | No access | No access | Full access |
| Manage personal API tokens | Full access | Full access | Full access | Full access |
| Revoke account API tokens | No access | No access | No access | Full access |
| View invoices | No access | Full access | No access | Full access |
| View billing history | No access | Full access | No access | Full access |
| Pay bills | No access | Full access | No access | Full access |
| Update credit card info | No access | Full access | No access | Full access |
| Change account type | No access | Full access | No access | Full access |
Service access and permission levels
All user roles grant access by default to every service on an account now and in the future. The engineer role is unique, however, in that you can change that default. Superusers can limit an engineer's access to specific services and can control the level of permissions on each of those services as follows:
- Read-only. Allows an engineer to view a specific service's configuration but does not allow them to issue purge requests for that service nor make changes to its configuration.
- Purge select. Allows an engineer to view a specific service's configuration and also allows them to issue purge requests for that service via URL or surrogate key. They cannot use the purge all function on the service, nor can they make configuration changes to that service.
- Purge all. Allows an engineer to view a specific service's configuration and issue purge requests via URL, surrogate key, or the purge all function. They cannot, however, make configuration changes to that service.
- Full access. Allows an engineer full access to a specific service, including permission to issue purge requests via any method on that service. They can make configuration changes to that service and can activate new versions of it at will.
Permission levels are additive. Each level includes the previous level's permissions. When new services are added to an account by a superuser, engineers with limited access to services will not be granted permissions to those services until a superuser specifically grants those permission levels manually.
Users assigned the role of engineer can create new services (this is especially useful for learning about configuration options without affecting production services). By default, an engineer will automatically have full access to any service they create until their permission levels on that service are modified by an account superuser.
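The service-access rules above, modeled as a small policy check with a least-privilege review helper (an added example, not Fastly code or its API). The action names, service IDs and the `over_privileged` helper are hypothetical, and an engineer without limited access is assumed to hold full access on every service.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    # Ordered so each level includes the ones below it (levels are additive).
    NONE = 0
    READ_ONLY = 1
    PURGE_SELECT = 2
    PURGE_ALL = 3
    FULL_ACCESS = 4

# Minimum level each restricted action needs (hypothetical action names).
REQUIRED = {
    "purge_url": Level.PURGE_SELECT,
    "purge_surrogate_key": Level.PURGE_SELECT,
    "purge_all": Level.PURGE_ALL,
    "configure": Level.FULL_ACCESS,
    "activate_version": Level.FULL_ACCESS,
}

@dataclass
class Engineer:
    name: str
    limited: bool = False                       # "Limit access to selected services"
    grants: dict = field(default_factory=dict)  # service id -> Level, used when limited

    def level_on(self, service):
        if not self.limited:
            # Default: every service on the account, now and in the future.
            return Level.FULL_ACCESS
        # Limited engineers get nothing on a service until a superuser grants it.
        return self.grants.get(service, Level.NONE)

    def can(self, action, service):
        return self.level_on(service) >= REQUIRED[action]

    def create_service(self, service):
        # The creator holds full access until a superuser modifies it.
        if self.limited:
            self.grants[service] = Level.FULL_ACCESS

def over_privileged(engineers, sensitive):
    """Names of engineers holding more than PURGE_SELECT on a sensitive service."""
    return sorted(e.name for e in engineers
                  if any(e.level_on(s) > Level.PURGE_SELECT for s in sensitive))
```

Running `over_privileged` over an exported user list shows which engineers still rely on the unrestricted default for production services.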
Changing user roles and access permissions for existing users
Users assigned the superuser role can change the role, service access, or permission levels for any existing user on your account. Plan your changes carefully.
Role, service access, and permission level changes for existing users apply instantly and get saved automatically.
- Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
- Click the User management link. The User management page appears.
- In the Active users area, click the Options menu next to a user name and then select Access controls from the menu that appears. The Edit access control page appears for the selected user.
- From the Choose their role choices, optionally select a new role for the user.
- Optionally, check the TLS management box to grant TLS configuration access to a user. Users with the role of superuser have this permission by default.
- From the Service access controls, optionally select Limit access to selected services to limit access to selected services for users assigned the role of engineer.
- If you've limited access to selected services for a user assigned the role of engineer, select the specific permission levels for each service associated with the account.
- Click Update. The user's role and permission levels will be changed accordingly.
We assign the special role of "owner" to the first user who signs up for an account for your organization and we automatically assign that owner the superuser role. Any superuser on your account can change the permissions on an owner role or transfer ownership via the Company settings, which are accessible from the Account controls of the web interface.
Account owners typically serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead. In addition, accounts can only be canceled by owners.