Configuring user roles and permissions
Last updated 2021-04-20
Your Fastly account can be managed by multiple users through the role-based access controls in the web interface. These controls allow you to manage the scope of a user's service access and their specific permission levels for that service access, all based on the role assigned to them.
The roles, service access, and permission levels you assign to users do not affect their ability to submit requests to Fastly Customer Support.
User roles and what they can do
Fastly allows you to assign one of four different roles to each user allowed access to your account. In general, the abilities granted to each role are as follows:
- User. View stats and analytics for all services on an account.
- Billing. View billing information about an account. View stats and analytics information for all services on an account.
- Engineer. View configuration details, issue purge requests, and make configuration changes, including activating new service versions. Some of these abilities may be restricted on a per service basis.
- Superuser. Full account access, including service configuration, user access and control, and account management capabilities for an account. Superusers cannot close or cancel an account unless they are also the account owner.
Abilities granted to user roles are selective, not additive. Specifically, each role has full (X) or potentially restricted (?) access to the following functionality:
|View historical stats||X||X||X||X|
|View real-time service stats||X||X||X||X|
|View service configurations||?||X||X||X|
|Compare service versions||?||X|
|View and download generated VCL||?||X|
|Account & Organization|
|Update personal profile settings||X||X||X||X|
|Update company settings||X|
|Invite all new user roles||X|
|Invite new engineer and user roles (API only)||X|
|Assign and change roles and permissions||X|
|Issue password resets||X|
|Delete account users||X|
|Enable and disable personal 2FA||X||X||X||X|
|Enable and disable company-wide 2FA||X|
|Manage personal API tokens||X||X||X||X|
|Revoke account API tokens||X|
|View billing history||X||X|
|Update credit card info||X||X|
|Change account type||X||X|
Service access and permission levels
All user roles grant access by default to every service on an account now and in the future. The engineer role is unique, however, in that you can change that default. Superusers can limit an engineer's access to specific services and can control the level of permissions on each of those services as follows:
- Read-only. Allows an engineer to view a specific service's configuration but does not allow them to issue purge requests for that service nor make changes to its configuration.
- Purge select. Allows an engineer to view a specific service's configuration and also allows them to issue purge requests for that service via URL or surrogate key. They cannot use the purge all function on the service, nor can they make configuration changes to that service.
- Purge all. Allows an engineer to view a specific service's configuration and issue purge requests via URL, surrogate key, or the purge all function. They cannot, however, make configuration changes to that service.
- Full access. Allows an engineer full access to a specific service, including permission to issue purge requests via any method on that service. They can make configuration changes to that service and can activate new versions of it at will.
Permission levels are additive. Each level includes the previous level's permissions. When new services are added to an account by a superuser, engineers with limited access to services will not be granted permissions to those services until a superuser specifically grants those permission levels manually.
Users assigned the role of engineer can create new services (this is especially useful for learning about configuration options without affecting production services). By default, an engineer will automatically have full access to any service they create until their permission levels on that service are modified by an account superuser.
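The per-service rules above can be modeled as a small policy check for access reviews. This is an added example, not Fastly's code or API: the action names, the `Engineer` class and the sample team are hypothetical, and it assumes an engineer without service limits has full access everywhere.

```python
from enum import IntEnum

class Level(IntEnum):
    """Per-service permission levels; ordering encodes 'each level includes the previous'."""
    NONE = 0          # limited engineer, service not granted
    READ_ONLY = 1
    PURGE_SELECT = 2
    PURGE_ALL = 3
    FULL_ACCESS = 4

# Lowest level allowing each action (hypothetical labels, not Fastly API identifiers).
REQUIRED = {
    "view_config": Level.READ_ONLY,
    "purge_url": Level.PURGE_SELECT,
    "purge_surrogate_key": Level.PURGE_SELECT,
    "purge_all": Level.PURGE_ALL,
    "change_config": Level.FULL_ACCESS,
    "activate_version": Level.FULL_ACCESS,
}

class Engineer:
    def __init__(self, name, limited=False, grants=None):
        self.name = name
        self.limited = limited            # "Limit access to selected services"
        self.grants = dict(grants or {})  # service -> Level, consulted only when limited

    def level_on(self, service):
        if not self.limited:  # default: every service, now and in the future (assumed full)
            return Level.FULL_ACCESS
        # Limited engineers have nothing on a service until a superuser grants it.
        return self.grants.get(service, Level.NONE)

    def can(self, action, service):
        return self.level_on(service) >= REQUIRED[action]

    def create_service(self, service):
        # The creator keeps full access until a superuser changes it.
        self.grants[service] = Level.FULL_ACCESS

def who_can(action, service, engineers):
    """Least-privilege review: names of engineers allowed to run `action` on `service`."""
    return sorted(e.name for e in engineers if e.can(action, service))

# Constructed sample data for the review.
TEAM = [
    Engineer("alice"),  # default, unrestricted
    Engineer("bob", limited=True, grants={"www": Level.PURGE_SELECT}),
    Engineer("carol", limited=True, grants={"www": Level.PURGE_ALL, "api": Level.READ_ONLY}),
]
```

Running `who_can("activate_version", service, TEAM)` for each production service gives a quick list of who can push configuration live, which is the set worth reviewing first.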
Changing user roles and access permissions for existing users
Users assigned the superuser role can change the role, service access, or permission levels for any existing user on your account. Plan your changes carefully.
Role, service access, and permission level changes for existing users apply instantly and get saved automatically.
- Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
- Click the User management link. The User management page appears.
- In the Users area, click the gear icon next to a user name and then select Access controls from the menu that appears. The Edit access control page appears for the selected user.
- From the Choose their role choices, optionally select a new role for the user.
- Optionally, check the TLS management box to grant TLS configuration access to a user. Users with the role of superuser have this permission by default.
- From the Service access controls, optionally select Limit access to selected services to limit access to selected services for users assigned the role of engineer.
- If you've limited access to selected services for a user assigned the role of engineer, select the specific permission levels for each service associated with the account.
- Click Update. The user's role and permission levels will be changed accordingly.
Account ownership and how to transfer it
We assign account "ownership" to the first user who signs up for an account for your organization and we automatically assign them the superuser role. Any superuser on your account can change that role or even transfer ownership via the Company settings accessible from the Account controls of the web interface.
Accounts can only be canceled by owners. In addition, account owners serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead.