Configuring user roles and permissions

Accounts are often managed by multiple users. Each user may require different types of access based on the role they play within your organization. You can manage this access using controls in the web interface that limit scope and permission levels for service access based on their assigned role.

User roles and what they can do

When invited to join an account, you'll be assigned a specific role. Think of roles as a way for your company to group the main business functions its users perform when invited to an account. Your role may afford you the ability to view and control a variety of things.

• User roles typically have some limited ability to view (but not manage) basic information about service configurations and controls. You'll also have the ability to view real-time and historical stats. You won’t have access to billing and payment information.
• Billing roles typically have full access to view (but not manage) basic information about service configurations, invoices, and account billing history. You'll also have the ability to manage payment information and account types and to view real-time and historical stats.
• Engineer roles typically have the ability to create services and manage their configurations. Some of these abilities may be restricted on a per service basis, however. When assigned this role, you'll also be able to invite new engineer and user roles via the API. You won't have access to billing and payment information.
• Superuser roles have full account access, with the ability to manage all aspects of service configurations and account settings, including full access to billing and payment information and TLS management. When assigned this role, you cannot close or cancel an account unless you are also the account owner.

Abilities granted to user roles are selective, not additive. Regardless of your role, you'll have the ability to manage you personal profile, personal multi-factor authentication, and personal API tokens, view basic stats information, and submit help requests to Fastly Customer Support.

Access permissions and what they allow

The ability to do things on an account is governed by access permissions associated with each role. As a superuser, you can set those permissions separately for each CDN or Compute service, as well as for each workspace if you've purchased Fastly's Next-Gen WAF.

CDN and Compute service access permissions

By default, all roles grant some amount of access to every CDN and Compute service on an account, including those services created in the future. The Engineer role, however, is unique because its access permissions can be limited on a per-service basis using the following permission levels:

• Read-only. Allows an engineer to view a specific service's configuration but does not allow them to issue purge requests for that service nor make changes to its configuration.
• Purge select. Allows an engineer to view a specific service's configuration and also allows them to issue purge requests for that service via URL or surrogate key. They cannot use the purge all function on the service, nor can they make configuration changes to that service.
• Purge all. Allows an engineer to view a specific service's configuration and issue purge requests for the entire service via the purge all function. They cannot, however, make configuration changes to that service.
• Full access. Allows an engineer full access to a specific service, including permission to issue purge requests via any method on that service. They can make configuration changes to that service and can activate new versions of it at will.

Service permission levels are additive, not selective. Each level includes the previous level's permissions. When new services are added to an account by a superuser, engineers with anything but full access to services will not have access to those services until a superuser specifically grants a permission level manually.

Workspace access permissions

Roles also grant some amount of access to specific workspaces if you've purchased Fastly's Next-Gen WAF. Each role grants progressively greater control over those workspaces as follows:

• The User and Billing roles have access to specific workspaces and can view things related to them (e.g., users, rules, signals, audit logs) but not create or edit them. Think of these roles as "observers" on your account.
• The Engineer role have access to specific workspaces and can view and edit their configuration settings, but they can't create them or delete them, nor can they manage your account-wide settings.
• The Superuser role has access to all workspaces and account features. They create and delete workspaces and can edit settings for all of them. They can also invite and remove users to and from an account and manage their roles.

Changing user roles and access permissions for existing users

If you've been assigned the superuser role, you can the role, service and workspace access, or permission levels for any existing user on your account. Plan your changes carefully.

To change roles and access permissions for existing users, do the following:

1. Log in to the Fastly web interface.
2. Go to Account > User management.
3. In the Active users area, click the Options menu next to a user name and then select Access controls.
4. (Optional) From the Role choices, select a new role for the user.
5. (Optional) Select or deselect the TLS management box to grant or remove TLS configuration access to a user. Users with the role of superuser have this permission by default. You can grant this to other roles if you choose.
6. (Optional) Limit access to selected services for this Engineer user by doing the following:
   • From the CDN & Compute service access controls, select Limit access to selected services.
   • From the Manage service access controls, select the specific permission levels for each service this user should be able to access. Leave the permissions blank to keep specific services hidden.
7. (Optional) Limit access to selected workspaces for this user by doing the following:
   • From the Next-Gen WAF workspace access controls, select Limit access to selected workspaces.
   • From the Manage service access controls, click the switch next to the appropriate workspace to allow access to it.
8. Click Save. The user's role and permission levels will be changed accordingly.

Account ownership

We assign the special role of owner to the first user who signs up for an account for your organization and we automatically assign that owner the superuser role. Any superuser on your account can change the permissions on an owner role or transfer ownership via the Company settings, which are accessible from the Account controls of the web interface.

Account owners typically serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead. In addition, accounts can only be canceled by owners.