Varnish Controller


Permissions are assigned per account, organization and resource type. A permission is either read or write, where write implies read.

The available resource type permissions are:

  • vclgroup
  • deployment
  • org - organizations
  • idp - identity provider
  • account - user accounts
  • file - files and also VCL
  • agent
  • perm - Permissions
  • domain
  • tag
  • session
  • routingrules
  • router
  • logentry - API logs

There are some caveats. Currently, the system administrator is the only account able to perform the following operations:

  • Delete Agents
  • Delete Routers
  • Create Organizations
  • Delete Organizations
  • Assign the first user of a new organization

The reason for this is that Varnish Controller currently doesn’t support organization owned agents and tags.

Assigning Permissions

An organization user with full permissions can create new organization administrators. Write permission on the resource type perm is enough to make a user an organization administrator, since it implies that the user can add their own permissions. Hence, be careful which permissions are given to which users.
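As an added example (not part of Varnish Controller or its documentation), this Python audit collapses a list of grants into effective access, applying the rule that write implies read, and reports every account that holds write on perm and can therefore grant itself anything in that organization. The grant record layout (`account`, `org`, `type`, `access`) and the sample names are assumptions made for illustration, not the product's API format.

```python
from collections import defaultdict

# Resource types listed on this page.
RESOURCE_TYPES = {
    "vclgroup", "deployment", "org", "idp", "account", "file", "agent",
    "perm", "domain", "tag", "session", "routingrules", "router", "logentry",
}
LEVELS = {"read": 1, "write": 2}  # write implies read


def effective_access(grants):
    """Collapse grants into {(account, org): {resource_type: level}}, keeping the highest level."""
    access = defaultdict(dict)
    for g in grants:
        rtype, level = g["type"], g["access"]
        if rtype not in RESOURCE_TYPES or level not in LEVELS:
            raise ValueError(f"unknown grant: {g!r}")
        held = access[(g["account"], g["org"])]
        if LEVELS[level] > LEVELS.get(held.get(rtype), 0):
            held[rtype] = level
    return dict(access)


def allows(access, account, org, rtype, wanted):
    """True if the account holds at least `wanted` on rtype in org."""
    held = access.get((account, org), {}).get(rtype)
    return held is not None and LEVELS[held] >= LEVELS[wanted]


def can_self_escalate(access):
    """(account, org) pairs with write on perm: effective organization administrators."""
    return sorted(k for k in access if allows(access, *k, "perm", "write"))


# Constructed sample grants (hypothetical account and organization names).
SAMPLE_GRANTS = [
    {"account": "alice", "org": "acme", "type": "vclgroup", "access": "write"},
    {"account": "alice", "org": "acme", "type": "perm", "access": "read"},
    {"account": "bob", "org": "acme", "type": "file", "access": "read"},
    {"account": "bob", "org": "acme", "type": "perm", "access": "write"},
    {"account": "carol", "org": "beta", "type": "perm", "access": "write"},
    {"account": "carol", "org": "acme", "type": "logentry", "access": "read"},
]

if __name__ == "__main__":
    acc = effective_access(SAMPLE_GRANTS)
    for account, org in can_self_escalate(acc):
        print(f"{account} is an effective administrator of {org} (write on perm)")
```

Note that the result is scoped per organization: in the sample data, carol's write on perm in one organization does not make her an administrator of the other.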

Revoking Permissions

Permissions can be revoked by a user that has write permissions to the perm resource.

See authorization examples for examples of permission handling.