Overview
The User and Access Management tab allows you to administrate users and profiles for your various Stacks. If you are using only the default Stack created when you signed up initially, any users created will have access to that Stack by default. You can change these permissions by editing the user profile after you have created new Stacks.
In this section you can also manage your account's Identity and Access Management (IAM) roles, which define how users access your account's resources. StackPath's IAM system defines a user's access to their account or to the Stacks on their account. Operations in StackPath's Control Portal are are validated against the IAM system before they're executed.
Adding a User
Follow the instructions below to invite and add a user to your account. In this process, you will configure the user's permissions:
- In the StackPath Control Portal, in the top, right corner, click your name.
- In the drop-down menu, click User and Access Management.
- Click Add User.
- Enter the new user's name, email address, and phone number.
- Under Permissions, mark the desired permissions for the new user.
Permission Description All Stacks + Billing This permission gives users admin-level privileges.
Specifically, this permission allows users to:
- View and edit all Stacks
- Add new Stacks
- View billing information
- Invite new users
- Delete existing users
- Edit user permissions
All Stacks + User Management This permission gives users access to everything on their account excluding billing-related services.
Specifically, this permission allows users to:
- View and edit all Stacks
- Add new Stacks
- Invite new users
- Delete existing users
- Edit user permissions
Stack level This permission allows users to view and edit only specific Stacks.
When you select this permission, you must select the specific Stack that the user can view and edit. This is represented through a list with a checkbox next to each available Stack. Simply click the checkbox next to the Stack you wish to select.
- Click Add User.
- The new user will receive an email to complete the account creation process.
Update a User's Permissions
Follow the instructions below to update the permissions for an existing user:
- In the StackPath Control Portal, in the top, right corner, click your name.
- In the drop-down menu, click User and Access Management.
- Under Action, click the vertical ellipses for the desired user, and then select Edit.
- Under Permissions, mark the desired permissions.
- Click Edit User.
Delete a User
Deleting a user profile should be done with caution as this action cannot be undone. Also, please note that you cannot update or delete the account owner's profile:
- In the StackPath Control Portal, in the top, right corner, click your name.
- In the drop-down menu, click User and Access Management.
- Under Action, select the corresponding vertical ellipses, and then click Delete.
- Confirm the action.
- The user's credentials will be automatically revoked.
Defining IAM Policies
Policies
A policy associates roles to users. Policies exist for an account or a Stack on an account. Accounts and Stacks have one policy, but that policy can have multiple bindings to allow fine-grained user and role control.
Stacks don't have policies when they're created, but we encourage you to create Stack-based policies to meet your organization's needs.
Roles
A role is a collection of permissions that is applied to a StackPath account or Stack. Users are assigned roles instead of individual permissions as policy bindings.
StackPath's IAM system has two pre-defined global roles:
-
roles/systemOwner
: The user has full access their account and all of the account's Stacks. An account's owner/root user has this role by default, and this role cannot be removed. -
roles/systemAdmin
: The user has access to everything on their account and Stack except billing user related services. This role is useful for resellers who want to assign Stacks to their clients while hiding billing information. We suggest applying this role to non-root users.
Every service in the StackPath platform has pre-defined viewer and admin roles to assign read and read/write permissions to those services. These roles are named according to their associated service:
Service | Pre-defined roles |
Accounts and users |
roles/identityViewer roles/identityAdmin
|
Stacks |
roles/stackViewer roles/stackAdmin
|
Account and Stack IAM policies |
roles/policyViewer roles/policyAdmin
|
DNS |
roles/dnsViewer roles/dnsAdmin
|
Edge compute |
roles/workloadViewer roles/workloadAdmin
|
Edge compute networking |
roles/ipamViewer roles/ipamAdmin
|
Monitoring |
roles/monitoringViewer roles/monitoringAdmin
|
Object storage | roles/storageViewer roles/storageAdmin |
Please note that you cannot edit or remove the roles belonging to the root user/account owner (roles/systemOwner)
. If you ever need to change the account owner, please reach out to our support team.
Managing Account IAM Policies
Follow the instructions below to manage the members and roles for your account's IAM Policy:
- In the StackPath Control Portal, in the top, right corner, click your name.
- In the drop-down menu, click User and Access Management.
- Click the Account IAM Policies tab on the left side of the page. This will pull up a list of your account's members. You can filter this list by Members or Roles by clicking on the drop-down menu.
- To assign a role to a member:
- Click the Assign Role button.
- In the Members field, select the members you would like to edit. You may select more than one member at a time.
-
Click the Roles drop-down menu and select the role you would like to assign to the selected members.
- A member can have multiples roles, however, roles need to be assigned one at a time. If you need to assign multiple roles to multiple members, we recommend using our API.
- When you are finished, click Save.
-
To remove a members roles:
- Click on the three dots in the right-hand column, then click Edit.
- Click to remove roles as you see fit.
- When you are finished, click Save Changes.
Managing Stack IAM Policies
Stack IAM policies function very similarly to account IAM policies, with the main difference being that these policies only apply to your specific Stack, rather than your entire account.
Follow the instructions below to manage the members and roles for your Stack's IAM Policy, in addition to any Service Accounts you may need.
Creating a Service Account
- Click the Create a Service Account button.
- Enter a Name for your Service Account.
- Enter a Display Name.
- Enter a Description.
- Click Create when you're finished.
Editing a Service Account/Generating Credentials
To edit a Service Account or generate credentials:
- Click the three dots in the right-hand column, then click Edit.
- When generating credentials, be sure to store the Client Secret in a safe place, as we will not be able to display it again. If you lose this secret you will have to regenerate a new one.
Assigning Roles to Members
- Click the Assign Role button.
- In the Members field, select the members you would like to edit. You may select more than one member at a time.
-
Click the Roles drop-down menu and select the role you would like to assign to the selected members.
- A member can have multiples roles, however, roles need to be assigned one at a time. If you need to assign multiple roles to multiple members, we recommend using our API.
- When you are finished, click Save.
Removing Roles
- Click on the three dots in the right-hand column, then click Edit.
- Click to remove roles as you see fit.
- When you are finished, click Save Changes.