About user roles and permissions
This guide explains user roles and permissions and how they control access to your account.
Multiple users often manage accounts, and each user requires different types of access based on their responsibilities within your organization. You manage this access through control panel settings that assign users to various roles and limit the scope of those roles based on each user's responsibilities. Defining roles appropriately ensures your users have the right level of access without unnecessary privileges. This approach prevents unauthorized account changes, supports compliance requirements, and protects sensitive information by restricting access to it.
Limitations and considerations
Keep the following things in mind when working with user roles and permissions:
- Permission changes take effect immediately. Changes to roles and access permissions for existing users apply instantly and save automatically. Plan your changes carefully.
- Automated user provisioning should happen in Okta. If you automate user management, manage your users directly in the Okta application rather than the Fastly control panel. The Okta application automatically updates the Fastly control panel, but the reverse does not occur. Consider scheduling regular imports into your Okta application from the Fastly control panel to keep data synchronized.
- Multiple role assignments require the control panel. Fastly does not support multiple role assignments via Okta's SCIM provisioning. To assign multiple roles to users, manage those assignments directly in the Fastly control panel rather than the Okta application.
- Automation tokens support only single roles. Multiple roles work for user management through the Fastly control panel and API, but automation tokens do not support them.
User roles and what they can do
When you join an account through an invitation, you receive one or more roles that determine what you can view and manage. If you have multiple roles, you receive the combined permissions from each assigned role.
Regardless of your roles, you can manage your personal profile information, personal multi-factor authentication, and personal API tokens. You can also view basic stats information and submit help requests to Fastly Customer Support.
Account management roles
These roles control access to account-level configuration, user management, and billing:
- Superuser: If you have a Superuser role, you typically have full account access, including the ability to manage all aspects of service configurations, user invitation and management, and account settings. This includes full access to billing and payment information and TLS management. You have full access to workspaces by default if your organization has purchased the Fastly Next-Gen WAF. You can also cancel or close an account.
- User Admin: If you have a User Admin role, you typically manage user invitations and access permissions across the account, with the same user management capabilities as Superusers. However, you typically cannot invite, manage, or update Superusers.
- Billing: If you have a Billing role, you typically have full access to view (but not manage) basic information about service configurations, invoices, and account billing history. You can also manage payment information and account types and view real-time and historical stats.
Service configuration roles
These roles control access to service-level settings and deployments:
- Engineer: If you have an Engineer role, you can typically create services and manage their configurations. Some of these abilities may have restrictions on a per-service or per-workspace basis. You can also invite new engineer and user roles via the API.
- User: If you have a User role, you typically have limited ability to view (but not manage) basic information about service configurations and controls. Some of these abilities may have restrictions on a per-service or per-workspace basis. You can also view real-time and historical stats.
TLS management roles
These roles control access to TLS certificate and configuration management for services:
- TLS admin: If you have a TLS admin role, you typically have full access to TLS settings and can manage TLS configuration details. You won't have access to any other service configuration information unrelated to TLS.
- TLS viewer: If you have a TLS viewer role, you typically have limited access to view (but not manage) TLS settings. You won't have access to any other service configuration information unrelated to TLS.
Security (Next-Gen WAF) roles
These roles control access to Next-Gen WAF security features:
- Next-Gen WAF Owner: If you have a Next-Gen WAF Owner role, you typically have full administrative access to all Next-Gen WAF workspaces, including the ability to invite users with any Next-Gen WAF role.
- Next-Gen WAF Admin: If you have a Next-Gen WAF Admin role, you typically have administrative access to your assigned Next-Gen WAF workspaces, including the ability to invite users with Admin, User, or Observer roles for those workspaces.
- Next-Gen WAF User: If you have a Next-Gen WAF User role, you can typically link Next-Gen WAF workspaces to services when you also have write access to both. You cannot invite users or manage Next-Gen WAF roles.
- Next-Gen WAF Observer: If you have a Next-Gen WAF Observer role, you typically have read-only access to Next-Gen WAF workspace information without the ability to modify configurations or invite users.
Workspace access can apply to all workspaces or only specific workspaces.
Access permissions and what they allow
Access permissions associated with each role govern what you can do on an account. You can set those permissions separately for each CDN or Compute service, as well as for each workspace if you've purchased Fastly's Next-Gen WAF.
Service access permissions
If you have a User or Engineer role with access to CDN and Compute services, your access can have limits on a per-service basis at the following permission levels:
- Read-only. You can view most basic service configuration details but cannot issue purge requests for that service or make changes to its configuration. You also have restricted access to certain configurations (such as VCL snippets).
- Purge select. You can view a specific service's configuration and issue purge requests for that service via URL or surrogate key. You cannot use the purge all function on the service or make configuration changes to that service.
- Purge all. You can view a specific service's configuration and issue purge requests for the entire service via the purge all function. You cannot make configuration changes to that service.
- Full access. You have full access to a specific service, including permission to issue purge requests via any method on that service. You can make configuration changes to that service and activate new versions of it at will.
Service permission levels build on each other, and each level includes the previous level's permissions. When a superuser adds new services to an account, users and engineers without full access cannot access those services until a superuser specifically grants a permission level.
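The permission ladder and the no-access-until-granted behavior described above, as an added example that is not Fastly's code or API: a small Python model that checks an action against a per-service grant and flags grants higher than a user's observed activity needs. The action names, service names, and activity data are hypothetical and constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Ordered as on this page: each level includes the ones below it.
    READ_ONLY = 1
    PURGE_SELECT = 2
    PURGE_ALL = 3
    FULL_ACCESS = 4

# Minimum level each action needs, taken from the level descriptions above.
# The action names are hypothetical labels, not Fastly API identifiers.
REQUIRED = {
    "view_config": Level.READ_ONLY,
    "purge_url": Level.PURGE_SELECT,
    "purge_surrogate_key": Level.PURGE_SELECT,
    "purge_all": Level.PURGE_ALL,
    "edit_config": Level.FULL_ACCESS,
    "activate_version": Level.FULL_ACCESS,
}

def is_allowed(grants, service, action):
    """Default deny: a service with no grant (e.g. newly added) allows nothing."""
    level = grants.get(service)
    return level is not None and level >= REQUIRED[action]

def excess_grants(grants, used_actions):
    """Return {service: (granted, needed)}; needed is None if the grant is unused."""
    findings = {}
    for service, granted in grants.items():
        actions = used_actions.get(service, ())
        needed = max((REQUIRED[a] for a in actions), default=None)
        if needed is None or granted > needed:
            findings[service] = (granted, needed)
    return findings

# Constructed sample data for one user whose access is limited per service.
GRANTS = {"svc-web": Level.FULL_ACCESS, "svc-api": Level.PURGE_SELECT, "svc-old": Level.READ_ONLY}
USED = {"svc-web": ["view_config", "purge_url"], "svc-api": ["purge_surrogate_key"]}

if __name__ == "__main__":
    print(is_allowed(GRANTS, "svc-api", "purge_all"))
    print(is_allowed(GRANTS, "svc-new", "view_config"))
    for svc, (granted, needed) in excess_grants(GRANTS, USED).items():
        print(svc, granted.name, "->", needed.name if needed else "remove")
```

Because permission changes take effect immediately, review findings like these before lowering a grant rather than applying them automatically.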
Workspace access permissions
Workspace access can apply to all workspaces or only specific workspaces if you've purchased Fastly's Next-Gen WAF. By default, Superusers have access to all workspaces.
Account ownership
Fastly assigns the special role of owner to the first user who signs up for an account for your organization and automatically assigns that owner the superuser role. Any superuser on your account can change the permissions for an owner role or transfer ownership via the Company settings, which you can access from the Account controls in the control panel.
Account owners typically serve as the primary point of contact for billing purposes. Invoices go to them unless you've defined a specific billing contact for the account, in which case invoices go to that contact instead. Only owners can cancel accounts.