Configuring user roles and permissions

      Last updated March 08, 2021

    Your Fastly account can be managed by multiple users. You can control each user's role, as well as control the scope of their service access and their specific permission levels for that service access.

    User roles and what they can do

    Fastly allows you to assign one of four different roles to each user allowed access to your account. In general, the abilities granted to each role are as follows:

    Abilities granted to user roles are selective, not additive. Specifically, each role has full (X) or potentially restricted (?) access to the following functionality:

    User Billing Engineer Superuser
    Stats dashboards
    View historical stats X X X X
    View real-time service stats X X X X
    View service configurations ? X X X
    Create services X X
    Delete services ? X
    Configure services ? X
    Compare service versions ? X
    Deactivate services ? X
    Purge ? X
    View and download generated VCL ? X
    Customize VCL ? X
    TLS management ? ? ? X
    Account & Organization
    Update personal profile settings X X X X
    Update company settings X
    Invite all new user roles X
    Invite new engineer and user roles (API only) X
    Assign and change roles and permissions X
    Issue password resets X
    Delete account users X
    Enable and disable personal 2FA X X X X
    Enable and disable company-wide 2FA X
    Manage personal API tokens X X X X
    Revoke account API tokens X
    View invoices X X
    View billing history X X
    Pay bills X X
    Update credit card info X X
    Change account type X X

    Service access and permission levels

    All user roles grant access by default to every service on an account now and in the future. The engineer role is unique, however, in that you can change that default. Superusers can limit an engineer's access to specific services and can control the level of permissions on each of those services as follows:

    Permission levels are additive. Each level includes the previous level's permissions. When new services are added to an account by a superuser, engineers with limited access to services will not be granted permissions to those services until a superuser specifically grants those permission levels manually.

    Users assigned the role of engineer can create new services (this is especially useful for learning about configuration options without affecting production services). By default, an engineer will automatically have full access to any service they create until their permission levels on that service are modified by an account superuser.
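
    The service access rules described above, as a small model. This is an added example, not Fastly code or a Fastly API: the class and method names are hypothetical, the permission level names are assumptions (the level list is not shown on this page), and an engineer who is not limited is assumed to have full access to every service.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Assumed names. Ordered so that each level includes the ones below it.
    NONE = 0
    READ_ONLY = 1
    PURGE_SELECT = 2
    PURGE_ALL = 3
    FULL = 4


@dataclass
class Engineer:
    name: str
    limited: bool = False          # "Limit access to selected services"
    grants: dict = field(default_factory=dict)   # service name -> Level


class Account:
    def __init__(self):
        self.services = set()

    def add_service(self, name, creator=None):
        """creator is an Engineer, or None when a superuser adds the service."""
        self.services.add(name)
        if creator is not None and creator.limited:
            # An engineer starts with full access to a service they create.
            creator.grants[name] = Level.FULL

    def level(self, eng, service):
        """Effective permission level of an engineer on one service."""
        if service not in self.services:
            raise KeyError(service)
        if not eng.limited:
            # Default: every service, now and in the future (assumed full).
            return Level.FULL
        # Limited engineers hold only what a superuser granted explicitly.
        return eng.grants.get(service, Level.NONE)

    def allows(self, eng, service, needed):
        # Additive levels: a higher level satisfies any lower requirement.
        return self.level(eng, service) >= needed

    def ungranted(self, eng):
        """Services a limited engineer cannot reach yet (review after adds)."""
        return sorted(s for s in self.services if self.level(eng, s) == Level.NONE)
```

    Running ungranted() for each limited engineer after a superuser adds a service lists the grants that still have to be made by hand.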

    Changing user roles and access permissions for existing users

    Users assigned the superuser role can change the role, service access, or permission levels for any existing user on your account. Plan your changes carefully.

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the User management link. The User management page appears.
    3. In the Users area, click the gear icon next to a user name and then select Access controls from the menu that appears. The Edit access control page appears for the selected user.
    4. From the Choose their role choices, optionally select a new role for the user.
    5. Optionally, check the TLS management box to grant TLS configuration access to a user. Users with the role of superuser have this permission by default.
    6. From the Service access controls, optionally select Limit access to selected services to restrict a user assigned the role of engineer to specific services.

      [Screenshot: the service access controls and permission levels for an engineer whose access will be limited to selected services]

    7. If you've limited access to selected services for a user assigned the role of engineer, select the specific permission levels for each service associated with the account.
    8. Click Update. The user's role and permission levels will be changed accordingly.

    Account ownership and how to transfer it

    We assign account "ownership" to the first user who signs up for an account for your organization and we automatically assign them the superuser role. Any superuser on your account can change that role or even transfer ownership via the Company settings accessible from the Account controls of the web interface.

    Accounts can only be canceled by owners. In addition, account owners serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead.
