- About the web interface controls
- Always-on DDoS mitigation
- Browser recommendations when using the Fastly web interface
- Content and its delivery
- Fastly POP locations
- Getting started with Fastly
- How caching and CDNs work
- How Fastly's CDN Service works
- HTTP status codes cached by default
- Self-provisioned Fastly services
- Sign up and create your first service
- Working with services
Domains & Origins
Domains & Origins
- Changing origins based on user location
- Connecting to origins
- Enabling global POPs
- Failover configuration
- IPv6 support
- Maintaining separate HTTP and HTTPS requests to origin servers
- Routing assets to different origins
- Setting up redundant origin servers
- Specifying an override host
- Using Fastly with apex domains
- About Dynamic Servers
- Cache control tutorial
- Caching configuration best practices
- Controlling caching
- Creating and using pools with Dynamic Servers
- Creating and using server entries with Dynamic Servers
- Enabling API caching
- Enabling automatic gzipping
- Failure modes with large files
- HTTP/2 server push
- Implementing API cache control
- Making query strings agnostic
- Request collapsing
- Segmented Caching
- Serving stale content
- Setting Surrogate-Key headers based on a URL
- Setting Surrogate-Key headers for Amazon S3 origins
- Streaming Miss
- Accept-Language header VCL features
- Authenticating before returning a request
- Basic authentication
- Creating location-based tagging
- Custom responses that don't hit origin servers
- Delivering different content to different devices
- Enabling URL token validation
- Guide to VCL
- Isolating header values without regular expressions
- Manipulating the cache key
- IP geolocation variables: Migrating to the new dataset
- Overriding which IP address the geolocation features use
- Response Cookie handling
- Support for the Edge-Control header
- Understanding the different PASS action behaviors
- Using edge side includes (ESI)
- VCL regular expression cheat sheet
Access Control Lists
Monitoring and testing
- Domain validation for TLS certificates
- Enabling HSTS through Fastly
- Forcing a TLS redirect
- Managing domains on TLS certificates
- Serving HTTPS traffic using certificates you manage
- Serving HTTPS traffic using Fastly-managed certificates
- Setting up free TLS
- TLS key and certificate replacement
- TLS termination
Web Application Firewall
- Log streaming: Amazon S3
- Log streaming: Microsoft Azure Blob Storage
- Log streaming: Cloud Files
- Log streaming: Datadog
- Log streaming: DigitalOcean Spaces
- Log streaming: Elasticsearch
- Log streaming: FTP
- Log streaming: Google BigQuery
- Log streaming: Google Cloud Storage
- Log streaming: Honeycomb
- Log streaming: Kafka
- Log streaming: Log Shuttle
- Log streaming: LogDNA
- Log streaming: Logentries
- Log streaming: Loggly
- Log streaming: Heroku's Logplex
- Log streaming: OpenStack
- Log streaming: Papertrail
- Log streaming: Scalyr
- Log streaming: SFTP
- Log streaming: Splunk
- Log streaming: Sumo Logic
- Log streaming: Syslog
User access and control
Configuring user roles and permissions
Last updated May 23, 2019
Your Fastly account can be managed by multiple users. You can control each user's role, as well as control the scope of their service access and their specific permission levels for that service access.
TIP: The roles, service access, and permission levels you assign to users do not affect their ability to submit requests to Fastly Customer Support.
User roles and what they can do
Fastly allows you to assign one of four different roles to each user allowed access to your account. In general, the abilities granted to each role are as follows:
- User. View stats, analytics, and service configuration information for all services on an account.
- Billing. View billing information about an account. View stats and analytics information for all services on an account.
- Engineer. View configuration details, issue purge requests, and make configuration changes, including activating new service versions. Some of these abilities may be restricted on a per service basis.
- Superuser. Full account access, including service configuration, user access and control, and account management capabilities for an account. Superusers cannot close or cancel an account unless they are also the account owner.
Abilities granted to user roles are selective, not additive. Specifically, each role has full ( ) or potentially restricted ( ) access to the following functionality:
|View historical stats||X||X||X||X|
|View real-time service stats||X||X||X||X|
|View service configurations||?||X||X||X|
|Compare service versions||?||X|
|View and download generated VCL||?||X|
|Account & Organization|
|Update personal profile settings||X||X||X||X|
|Update company settings||X|
|Invite all new user roles||X|
|Invite new engineer and user roles (API only)||X|
|Assign and change roles and permissions||X|
|Issue password resets||X|
|Delete account users||X|
|Enable and disable personal 2FA||X||X||X||X|
|Enable and disable company-wide 2FA||X|
|Manage personal API tokens||X||X||X||X|
|Revoke account API tokens||X|
|View billing history||X||X|
|Update credit card info||X||X|
|Change account type||X||X|
Service access and permission levels
All user roles grant access by default to every service on an account now and in the future. The engineer role is unique, however, in that you can change that default. Superusers can limit an engineer's access to specific services and can control the level of permissions on each of those services as follows:
- Read-only. Allows an engineer to view a specific service's configuration but does not allow them to issue purge requests for that service nor make changes to its configuration.
- Purge select. Allows an engineer to view a specific service's configuration and also allows them to issue purge requests for that service via URL or surrogate key. They cannot use the purge all function on the service, nor can they make configuration changes to that service.
- Purge all. Allows an engineer to view a specific service's configuration and issue purge requests via URL, surrogate key, or the purge all function. They cannot, however, make configuration changes to that service.
- Full access. Allows an engineer full access to a specific service, including permission to issue purge requests via any method on that service. They can make configuration changes to that service and can activate new versions of it at will.
Permission levels are additive. Each level includes the previous level's permissions. When new services are added to an account by a superuser, engineers with limited access to services will not be granted permissions to those services until a superuser specifically grants those permission levels manually.
Users assigned the role of
engineer can create new services (this is especially useful for learning about configuration options without affecting production services). By default, an engineer will automatically have full access to any service they create until their permission levels on that service are modified by an account superuser.
Changing user roles and access permissions for existing users
Users assigned the superuser role can change the role, service access, or permission levels for any existing user on your account. Plan your changes carefully.
WARNING: Role, service access, and permission level changes for existing users apply instantly and get saved automatically.
- Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
- Click the User management link. The User management page appears.
- In the Users area, click the gear icon next to a user name and then select Access controls from the menu that appears. The Edit access control page appears for the selected user.
- From the Choose their role choices, optionally select a new role for the user.
- Optionally, check the TLS management box to grant TLS configuration access to a user. Users with the role of superuser have this permission by default.
From the Service access controls, optionally select Limit access to selected services to limit access to selected services for users assigned the role of engineer.
- If you've limited access to selected services for a user assigned the role of engineer, select the specific permission levels for each service associated with the account.
- Click Update. The user's role and permission levels will be changed accordingly.
Account ownership and how to transfer it
We assign account "ownership" to the first user who signs up for an account for your organization. We automatically assign owners the superuser role, though that role can be changed by another superuser once additional users are added.
Accounts can only be canceled by owners. In addition, account owners serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead.
To transfer account ownership to another user, contact email@example.com for assistance.Back to Top