Configuring user roles and permissions
Last updated 2023-07-11
Your Fastly account can be managed by multiple users through the role-based access controls in the web interface. These controls allow you to manage the scope of a user's service access and their specific permission levels for that service access, all based on the role assigned to them.
The roles, service access, and permission levels you assign to users do not affect their ability to submit requests to Fastly Customer Support.
When invited to join a Fastly account, you'll be assigned a specific role. Think of roles as a way for your company to group the main business functions its users perform when invited to an account. Your role may afford you the ability to view and control a variety of things.
- User roles typically have some limited ability to view (but not manage) basic information about service configurations and controls, including those related to TLS management information. You'll also have the ability to view real-time and historical stats. You won’t have access to billing and payment information.
- Billing roles typically have full access to view (but not manage) basic information about service configurations, invoices, and account billing history. You'll also have the ability to manage payment information and account types and to view real-time and historical stats.
- Engineer roles typically have the ability to create services and manage their configurations. Some of these abilities may be restricted on a per-service basis, however. When assigned this role, you'll also be able to invite new engineer and user roles via the API. You won't have access to billing and payment information.
- Superuser roles have full account access, with the ability to manage all aspects of service configurations and account settings, including full access to billing and payment information. When assigned this role, you cannot close or cancel an account unless you are also the account owner.
Abilities granted to user roles are selective, not additive. Regardless of your role, you'll have the ability to manage your personal profile, personal multi-factor authentication, and personal API tokens, and view basic historical and real-time stats.
The ability to do things on an account is governed by permissions. Each permission has a name associated with it that summarizes the type of actions you're allowed to do when that permission level is granted to you. By default, all roles grant access to every service on an account, including those services created in the future. The engineer role is unique, however, because superusers can limit an engineer's account access on a per-service basis and can assign permissions on each of those services separately as follows:
- Read-only. Allows an engineer to view a specific service's configuration but does not allow them to issue purge requests for that service nor make changes to its configuration.
- Purge select. Allows an engineer to view a specific service's configuration and also allows them to issue purge requests for that service via URL or surrogate key. They cannot use the purge all function on the service, nor can they make configuration changes to that service.
- Purge all. Allows an engineer to view a specific service's configuration and issue purge requests for the entire service via the purge all function. They cannot, however, make configuration changes to that service.
- Full access. Allows an engineer full access to a specific service, including permission to issue purge requests via any method on that service. They can make configuration changes to that service and can activate new versions of it at will.
Permission levels are additive, not selective. Each level includes the previous level's permissions. When new services are added to an account by a superuser, engineers with anything but full access to services will not have access to those services until a superuser specifically grants a permission level manually.
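The per-service rules above, modelled as an added example for reviewing engineer access (this is not Fastly's code or API). The names `Level`, `REQUIRED`, `effective_level`, the action labels, and the sample engineers and services are hypothetical and constructed for illustration; treating an unrestricted engineer as holding full access on every service is this example's reading of the text.

```python
from enum import IntEnum


class Level(IntEnum):
    """Per-service permission levels, ordered so each includes the one before."""
    NONE = 0          # limited engineer with no grant on the service
    READ_ONLY = 1
    PURGE_SELECT = 2
    PURGE_ALL = 3
    FULL = 4


# Lowest level that permits each action, taken from the level descriptions.
REQUIRED = {
    "view_config": Level.READ_ONLY,
    "purge_url_or_key": Level.PURGE_SELECT,
    "purge_all": Level.PURGE_ALL,
    "change_config": Level.FULL,
    "activate_version": Level.FULL,
}


def effective_level(engineer, service):
    """Level an engineer holds on one service."""
    if not engineer["limited"]:
        # Unrestricted engineers reach every service, future ones included.
        return Level.FULL
    # Limited engineers hold only what a superuser granted; anything else is NONE.
    return engineer["grants"].get(service, Level.NONE)


def allowed(engineer, service, action):
    """Additive check: the held level must be at least the required one."""
    return effective_level(engineer, service) >= REQUIRED[action]


def review(engineer, services):
    """Effective level per service, for an access review."""
    return {s: effective_level(engineer, s).name for s in services}


def ungranted(engineer, services):
    """Services a limited engineer cannot reach until a superuser grants a level."""
    return [s for s in services if effective_level(engineer, s) == Level.NONE]


# Constructed sample data: "img-new" was created after the grants were set.
SERVICES = ["www", "api", "img-new"]
DANA = {"limited": True, "grants": {"www": Level.PURGE_SELECT, "api": Level.FULL}}
LEE = {"limited": False, "grants": {}}
```
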
Users assigned the superuser role can change the role, service access, or permission levels for any existing user on your account. Plan your changes carefully.
Role, service access, and permission level changes for existing users apply instantly and get saved automatically.
- Log in to the Fastly web interface and select Account from the account menu. Your account information appears.
- Click User management.
- In the Active users area, click the Options menu next to a user name and then select Access controls.
- (Optional) From the Choose their role choices, select a new role for the user.
- (Optional) Check the TLS management box to grant TLS configuration access to a user. Users with the role of superuser have this permission by default.
- (Optional) From the Service access controls, select Limit access to selected services to limit access to selected services for users assigned the role of engineer.
- (Optional) If you've limited access to selected services for a user assigned the role of engineer, select the specific permission levels for each service associated with the account.
- Click Update. The user's role and permission levels will be changed accordingly.
Our guide to adding and deleting users provides instructions on how to add users to an account or delete those users from your account when you no longer want them to have access.
We assign the special role of owner to the first user who signs up for an account for your organization and we automatically assign that owner the superuser role. Any superuser on your account can change the permissions on an owner role or transfer ownership via the Company settings, which are accessible from the Account controls of the web interface.
Account owners typically serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead. In addition, accounts can only be canceled by owners.