Configuring user roles and permissions

This guide explains how to configure user roles and permissions to manage access to your account.

Accounts are often managed by multiple users, each requiring different types of access based on their roles within your organization. You can manage this access using control panel settings that allow you to assign users to various roles and limit the scope of those roles based on each user's responsibilities. By defining roles appropriately, you can ensure users have the right level of access without granting unnecessary privileges. This helps prevent unauthorized account changes, supports compliance requirements, and protects sensitive information by restricting who can reach it.

Limitations and considerations

Keep the following things in mind when configuring user roles and permissions:

  • Permission changes are immediate. Changes to roles and access permissions for existing users apply instantly and get saved automatically. Plan your changes carefully.
  • Automated user management should be managed in Okta. If you automate user management, we strongly recommend that management happen directly in the Okta application, not in the Fastly control panel. Updates in the Okta application will be automatically reflected in the Fastly control panel, but the reverse is not true. Consider scheduling regular imports into your Okta application from the Fastly control panel to keep data synchronized.
  • Multiple roles can't be assigned via user management automation. Fastly does not support multiple role assignments via Okta's SCIM provisioning. To assign multiple roles to users, manage those assignments directly in the Fastly control panel, not in the Okta application.
  • Multiple roles aren't supported for automation tokens. Multiple roles are available for user management through the Fastly control panel and API, but not supported for automation tokens.

User roles and what they can do

When invited to join an account, you'll be assigned one or more roles. Think of roles as a way for your company to group the main business functions its users perform on the account. When you have multiple roles, your permissions are the union of the permissions of all of them; each role affords you the ability to view and control a particular set of things.

  • User roles typically have limited ability to view (but not manage) basic information about service configurations and controls. Some of these abilities may be restricted on a per-service basis. You'll also have the ability to view real-time and historical stats. You won't have access to billing and payment information unless you've also been assigned the Billing role.
  • Billing roles typically have full access to view (but not manage) basic information about service configurations, invoices, and account billing history. You'll also have the ability to manage payment information and account types and to view real-time and historical stats.
  • Engineer roles typically have the ability to create services and manage their configurations. Some of these abilities may be restricted on a per-service basis. When assigned this role, you'll also be able to invite new engineer and user roles via the API. You won't have access to billing and payment information unless you've also been assigned the Billing role.
  • TLS viewer roles typically have limited ability to view (but not manage) only information about TLS settings. You will not have access to any other service configuration information unrelated to TLS.
  • TLS admin roles typically have full access to TLS settings and will be able to manage TLS configuration details. You will not have access to any other service configuration information unrelated to TLS.
  • Superuser roles have full account access, with the ability to manage all aspects of service configurations, user invitation and management, and account settings, including full access to billing and payment information and TLS management. When assigned this role, you can cancel or close an account.

Regardless of your roles, you'll have the ability to manage your personal profile information, personal multi-factor authentication, and personal API tokens, view basic stats information, and submit help requests to Fastly Customer Support.

Access permissions and what they allow

The ability to do things on an account is governed by access permissions associated with each role. As a superuser, you can set those permissions separately for each CDN or Compute service, as well as for each workspace if you've purchased Fastly's Next-Gen WAF.

CDN and Compute service access permissions

By default, all roles grant some amount of access to every CDN and Compute service on an account, including those services created in the future. The User and Engineer roles, however, can be limited on a per-service basis at the following permission levels:

  • Read-only. Allows a user or engineer to view most basic service configuration details but does not allow them to issue purge requests for that service or make changes to its configuration. Access to certain configurations (such as VCL snippets) is restricted.
  • Purge select. Allows an engineer to view a specific service's configuration and also allows them to issue purge requests for that service via URL or surrogate key. They cannot use the purge all function on the service, nor can they make configuration changes to that service.
  • Purge all. Allows an engineer to view a specific service's configuration and issue purge requests for the entire service via the purge all function. They cannot, however, make configuration changes to that service.
  • Full access. Allows an engineer full access to a specific service, including permission to issue purge requests via any method on that service. They can make configuration changes to that service and can activate new versions of it at will.

Service permission levels are additive, not selective. Each level includes the previous level's permissions, so a Purge all grant also allows everything Purge select and Read-only allow. When a superuser adds new services to an account, users and engineers whose access has been limited to selected services do not automatically gain access to the new services; a superuser must grant them a permission level for each new service manually.

Workspace access permissions

Roles also grant some amount of access to specific workspaces if you've purchased Fastly's Next-Gen WAF. Each role grants progressively greater control over those workspaces as follows:

  • The User and Billing roles have access to specific workspaces and can view things related to them (e.g., users, rules, signals, audit logs) but not create or edit them. Think of these roles as "observers" on your account.
  • The Engineer role has access to specific workspaces and can view and edit their configuration settings, but can't create or delete them, nor manage your account-wide settings.
  • The Superuser role has access to all workspaces and account features. Superusers can create and delete workspaces and edit settings for all of them. They can also invite users to and remove users from an account and manage their roles.

Changing user roles and access permissions for existing users

If you've been assigned the superuser role, you can manage the role, service and workspace access, or permission levels for any existing user on your account.

To change roles and access permissions for existing users, do the following:

  1. Log in to the Fastly control panel.
  2. Go to Account > User management.
  3. In the Active users area, click the Options menu next to a user name and then select Access controls.
  4. (Optional) Select or deselect the Bypass SSO box to allow this superuser to log in with a username and password even when single sign-on (SSO) is enabled for the account. A bypass login is not subject to your identity provider's controls, so grant it sparingly and review it periodically.
  5. In the Roles area, review the existing roles assigned to this user. The access permissions for these assigned roles appear in the Access permissions area to the right of the user information.
  6. (Optional) From the Add another role menu, select an additional role for this user. You'll only see roles that can be combined with the roles already assigned. Keep in mind that adding the Superuser role to existing roles is redundant. You should remove other roles first if assigning the Superuser role.
  7. Click Next.
  8. (Optional) Use the services selection controls in the Services area to grant or limit access to selected services for this user. If you cannot select this control, another role assigned to this user already provides access to those services.
  9. (Optional) Limit access to selected workspaces for this user by doing the following:
    • From the Next-Gen WAF workspace access controls, select Limit access to selected workspaces.
    • From the Manage service access controls, click the switch next to the appropriate workspace to allow access to it.
  10. Click Save. The user's roles and permission levels will be changed accordingly.

HINT: Use the search box to search for a specific service or workspace. Click Grant access to all or Revoke access to all to enable or disable access to all services or workspaces at once.
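The following Python script is an added example for this page; it is not Fastly's own code or tooling. It models the additive rules described in the sections above (combined roles and per-service permission levels) and then runs a least-privilege audit over a constructed list of users, flagging superusers, users and engineers not limited to selected services, and accounts without multi-factor authentication, which is a useful review to do before changing roles, since permission changes apply immediately. The field names `role`, `limit_services` and `two_factor_auth_enabled` follow the Fastly user object as returned by the users API as I recall it and should be checked against the current API reference; the `tls_viewer` and `tls_admin` role names are placeholder labels, and the sample data is constructed, not real.

```python
"""Least-privilege audit of account user roles.

Added example for this page, not Fastly's own code. Models the additive
rules described above (combined roles, per-service permission levels) and
flags assignments worth reviewing before changing them, since permission
changes take effect immediately.
"""
import json

# Per-service permission levels from lowest to highest. Levels are additive:
# each one includes everything the levels before it allow.
SERVICE_LEVELS = ["read-only", "purge-select", "purge-all", "full"]

# Capabilities granted by each role, taken from the role descriptions on
# this page. The role names "user", "billing", "engineer" and "superuser"
# match the Fastly API; "tls_viewer" and "tls_admin" are placeholder labels.
ROLE_CAPS = {
    "user":       {"view_config", "view_stats"},
    "billing":    {"view_config", "view_stats", "billing"},
    "engineer":   {"view_config", "view_stats", "manage_config"},
    "tls_viewer": {"view_tls"},
    "tls_admin":  {"view_tls", "manage_tls"},
    "superuser":  {"view_config", "view_stats", "manage_config", "billing",
                   "view_tls", "manage_tls", "manage_users"},
}


def combined_caps(roles):
    """A user with several roles gets the union of their capabilities."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPS[role]
    return caps


def level_allows(granted, needed):
    """True if a per-service grant covers an action at level `needed`.

    Because levels are additive, a grant of purge-all also covers
    purge-select and read-only, but not full access.
    """
    return SERVICE_LEVELS.index(granted) >= SERVICE_LEVELS.index(needed)


def audit_users(users):
    """Return (login, reason) pairs for assignments a superuser should review.

    `users` is a list of dicts shaped like the objects returned by the Fastly
    users API (fields `login`, `role`, `limit_services`,
    `two_factor_auth_enabled`); verify the field names against the API
    reference before pointing this at live data.
    """
    findings = []
    for u in users:
        login, role = u["login"], u["role"]
        if role == "superuser":
            findings.append((login, "superuser: full account access; confirm it is still needed"))
        if role in ("user", "engineer") and not u.get("limit_services", False):
            findings.append((login, f"{role} not limited to selected services; "
                                    "has access to every current and future service"))
        if not u.get("two_factor_auth_enabled", False):
            findings.append((login, "multi-factor authentication not enabled"))
    return findings


# Constructed sample data in the shape of a users API response (not real).
SAMPLE_USERS = json.loads("""[
  {"login": "alice@example.com", "role": "superuser", "limit_services": false, "two_factor_auth_enabled": true},
  {"login": "bob@example.com",   "role": "engineer",  "limit_services": false, "two_factor_auth_enabled": false},
  {"login": "carol@example.com", "role": "engineer",  "limit_services": true,  "two_factor_auth_enabled": true},
  {"login": "dave@example.com",  "role": "billing",   "limit_services": false, "two_factor_auth_enabled": true}
]""")

if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_USERS):
        print(f"{login}: {reason}")
```

Run against the constructed data, the audit reports the superuser, and the engineer who has both unrestricted service access and no MFA; the engineer limited to selected services and the billing user produce no findings. To use it on a real account, replace `SAMPLE_USERS` with the parsed response of the users API for your customer ID, fetched with a token that only needs read access.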

Account ownership

We assign the special role of owner to the first user who signs up for an account for your organization and we automatically assign that owner the superuser role. Any superuser on your account can change the permissions for an owner role or transfer ownership via the Company settings, which are accessible from the Account controls of the control panel.

Account owners typically serve as the primary point of contact for billing purposes. Invoices are sent to them, but if a specific billing contact has been defined for an account, invoices go to that contact instead. In addition, accounts can only be canceled by owners.