Acquia User Management: Roles and Permissions | OpsBlu Docs

Manage user roles, permissions, and team access in Acquia — step-by-step admin guide.

This section covers user management, roles, and permissions for Acquia Cloud Platform and associated analytics tools. Acquia provides enterprise-grade Drupal hosting with comprehensive user access controls for teams and organizations.

Overview

Acquia Cloud Platform offers sophisticated user management capabilities designed for enterprise teams working with Drupal applications. The platform provides granular access controls across organizations, teams, applications, and environments, allowing administrators to implement proper separation of duties and maintain security compliance.

User management in Acquia operates at multiple levels:

  • Organization-level access for overall account management
  • Team-based permissions for grouping users with similar roles
  • Application-specific access for project-level control
  • Environment-level permissions for production/staging/development segregation

Platform User Management

Accessing User Management

To open the Acquia Cloud Platform user settings:

  1. Log in to the Acquia Cloud Platform
  2. Navigate to Organization in the top navigation
  3. Select Manage Users or Teams from the dropdown
  4. Alternatively, access from Account Settings > Users & Teams

Organization administrators have full access to user management, while team administrators can only manage users within their assigned teams.

Acquia Cloud Platform Roles

Organization-level Roles

Organization Administrator

  • Full control over organization settings and billing
  • Can create, modify, and delete teams
  • Manages all users across the organization
  • Controls access to all applications and environments
  • Sets organization-wide policies and security settings

Team Administrator

  • Manages users within assigned teams
  • Can add or remove team members
  • Assigns application and environment access for team members
  • Cannot modify organization-level settings

Application Administrator

  • Full control over specific applications
  • Can deploy code and manage environments
  • Configures application settings and workflows
  • Manages domains and SSL certificates
  • Cannot manage users (unless also a team admin)

Developer

  • Can deploy code to non-production environments
  • Access to logs, databases, and performance data
  • Can create and manage development environments
  • Limited production environment access (view only)

Viewer

  • Read-only access to applications and environments
  • Can view logs, metrics, and configuration
  • Cannot deploy code or modify settings
  • Suitable for stakeholders and auditors

Application-level Permissions

Permissions can be granted at the application level for specific Drupal sites:

  • Deploy code to specific environments
  • Access databases for backups and queries
  • View logs for troubleshooting
  • Manage domains and SSL certificates
  • Configure environments (variables, cron, etc.)

Adding and Inviting Users

Adding Individual Users

  1. Navigate to Organization > Manage Users
  2. Click Invite User or Add User
  3. Enter the user's email address
  4. Select the appropriate role (Organization Admin, Team Admin, etc.)
  5. Assign to specific teams (if applicable)
  6. Grant application-level permissions as needed
  7. Click Send Invitation

The user will receive an email invitation to create an Acquia account or link their existing account to your organization.

Adding Users to Teams

  1. Go to Organization > Teams
  2. Select the team or create a new team
  3. Click Add User within the team interface
  4. Select users from your organization
  5. Define team-specific permissions
  6. Save changes

Bulk User Management

For organizations with many users:

  • Use the Acquia Cloud API to automate user provisioning
  • Export current user lists for auditing
  • Import users from CSV files (contact Acquia support)
  • Integrate with SSO/SAML providers for automatic provisioning

Team and Organization Structure

Creating Teams

Teams allow you to group users with similar responsibilities:

  1. Navigate to Organization > Teams
  2. Click Create Team
  3. Enter team name and description
  4. Add team members
  5. Assign applications and environments to the team
  6. Set team-level permissions

Common team structures:

  • Development Team: Access to all non-production environments
  • DevOps Team: Full access including production deployment
  • Content Editors: Access to content management only
  • Support Team: Read-only access for troubleshooting

Organization Hierarchy

Acquia supports multi-level organization structures for large enterprises:

  • Parent organizations can manage multiple sub-organizations
  • Each sub-organization maintains its own users and teams
  • Centralized billing and reporting at the parent level
  • Delegated administration for subsidiaries or departments

API Access and Authentication

Acquia Cloud API

Acquia provides a RESTful API for programmatic access. To create an API token:

  1. Navigate to Account Settings > API Tokens
  2. Click Create Token
  3. Enter a description for the token
  4. Select appropriate scopes and permissions
  5. Save the token credentials securely

API token permissions:

  • Full Access: Complete control over all API endpoints
  • Read-Only: View-only access to resources
  • Limited Scope: Access to specific applications or operations

API Use Cases

  • Automated deployments via CI/CD pipelines
  • User provisioning and deprovisioning
  • Environment management and scaling
  • Log aggregation and monitoring integration
  • Backup and disaster recovery automation

SSH Key Management

Developers need SSH access for Git operations and server access. To add an SSH key:

  1. Navigate to Account Settings > Credentials
  2. Click Add SSH Key
  3. Paste your public SSH key
  4. Label the key for identification
  5. Save the key

Users can manage multiple SSH keys for different workstations or use cases.

Single Sign-On (SSO)

Acquia Cloud Platform supports SAML 2.0 for enterprise authentication.

SSO Configuration

  1. Contact Acquia support to enable SSO for your organization
  2. Configure your identity provider (Okta, Azure AD, etc.)
  3. Exchange metadata with Acquia
  4. Test SSO login flow
  5. Enable SSO enforcement (optional)

SSO Benefits

  • Centralized authentication through your corporate directory
  • Automatic user provisioning and deprovisioning
  • Multi-factor authentication enforcement
  • Compliance with security policies
  • Simplified user onboarding

Security Best Practices

Access Control

  1. Implement Role-Based Access Control (RBAC): Assign users to roles based on job function
  2. Principle of Least Privilege: Grant only necessary permissions
  3. Separate Production Access: Limit production deployment access to senior engineers
  4. Regular Access Reviews: Audit user permissions quarterly
  5. Remove Unused Accounts: Deactivate accounts for departed employees immediately

Authentication Security

  1. Require Multi-Factor Authentication (MFA): Enable for all organization administrators
  2. Rotate API Tokens: Change API credentials periodically
  3. Secure SSH Keys: Use passphrase-protected SSH keys
  4. Monitor Login Activity: Review access logs for suspicious activity
  5. Use SSO When Possible: Centralize authentication management

API Security

  1. Limit API Token Scope: Grant only required permissions
  2. Rotate Tokens Regularly: Change tokens every 90 days
  3. Store Tokens Securely: Use secret management tools (HashiCorp Vault, AWS Secrets Manager)
  4. Monitor API Usage: Set up alerts for unusual API activity
  5. Revoke Unused Tokens: Remove old or unnecessary API credentials
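
The access-review, MFA and 90-day token rotation rules above can be checked mechanically against an exported user list. The script below is an added example, not Acquia's or OpsBlu's code; the CSV column names and the sample rows are constructed assumptions, so map them to whatever your real export contains.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not Acquia's format.
SAMPLE_EXPORT = """email,role,mfa_enabled,prod_deploy,token_created
alice@example.com,Organization Administrator,yes,yes,2024-05-20
bob@example.com,Organization Administrator,no,yes,
carol@example.com,Developer,yes,yes,2024-01-10
dave@example.com,Viewer,yes,no,2024-06-01
erin@example.com,Team Administrator,yes,no,2023-11-30
"""

MAX_TOKEN_AGE_DAYS = 90  # rotation interval stated in the guide
# Roles the guide describes as unable to deploy to production.
NO_PROD_DEPLOY_ROLES = {"Developer", "Viewer"}


def review_access(export_text, today):
    """Return a sorted list of (email, finding) tuples for one export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        role = row["role"].strip()
        # Rule: MFA is required for all organization administrators.
        if role == "Organization Administrator" and row["mfa_enabled"].strip().lower() != "yes":
            findings.append((email, "org admin without MFA"))
        # Rule: Developer and Viewer roles must not hold production deploy.
        if role in NO_PROD_DEPLOY_ROLES and row["prod_deploy"].strip().lower() == "yes":
            findings.append((email, f"{role} role holds production deploy"))
        # Rule: API tokens older than the rotation interval are overdue.
        created = row["token_created"].strip()
        if created:
            age = (today - date.fromisoformat(created)).days
            if age > MAX_TOKEN_AGE_DAYS:
                findings.append((email, f"API token is {age} days old"))
    return sorted(findings)


if __name__ == "__main__":
    # Fixed review date so the sample output is reproducible.
    for email, finding in review_access(SAMPLE_EXPORT, date(2024, 6, 30)):
        print(f"{email}: {finding}")
```

Run it on each quarterly export and treat every finding as a ticket: either the access is corrected or the exception is documented.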

Common Issues and Solutions

Issue: User Cannot Access Application

Solution:

  • Verify the user is assigned to the correct team
  • Check that the team has access to the application
  • Ensure the user has accepted the invitation email
  • Confirm the user's role has appropriate permissions

Issue: Deployment Permissions Denied

Solution:

  • Verify the user has deploy permissions for the target environment
  • Check if production deployments require additional approval
  • Ensure the user is using the correct Git remote
  • Review team-level deployment restrictions

Issue: SSH Access Not Working

Solution:

  • Verify the SSH key is properly added to the user's account
  • Check the SSH key format (must be a valid public key)
  • Ensure the user is connecting to the correct environment
  • Verify the user has SSH access permissions

Issue: SSO Login Failures

Solution:

  • Verify SAML configuration with your identity provider
  • Check that user email addresses match between systems
  • Ensure SSO is properly enabled for your organization
  • Review Acquia support documentation for provider-specific setup

Issue: API Authentication Errors

Solution:

  • Verify API token is not expired or revoked
  • Check that the token has appropriate scopes
  • Ensure proper authentication headers are included
  • Review API rate limits and quotas

Analytics Tool Access

Google Analytics 4

Manage GA4 access in Admin > Account/Property Access Management:

  • Administrator: Full control over account settings and users
  • Editor: Can modify configurations and settings
  • Analyst: Can create reports and audiences, no configuration changes
  • Viewer: Read-only access to reports and data

Google Tag Manager

Manage GTM access in Admin > User Management:

  • Administrator: Full control over container and users
  • Publish: Can publish container changes to production
  • Approve: Can approve changes but not publish
  • Edit: Can edit tags and triggers but cannot approve or publish
  • Read: View-only access to container configuration

Meta Business Manager

Manage access in Business Settings > People:

  • Admin: Full control over business settings and assets
  • Employee: Limited access based on assigned assets and permissions

Integration with Analytics Tools

When connecting Acquia applications to analytics platforms:

  1. Install Analytics Modules: Use Drupal modules like Google Analytics or Tag Manager
  2. Environment-Specific Configuration: Use different tracking IDs for dev/staging/production
  3. Manage Access Separately: Analytics platform access is independent of Acquia access
  4. Team Coordination: Ensure marketing and development teams have appropriate access to both platforms

Best Practices

  1. Principle of Least Privilege: Grant minimum required access to users based on their role
  2. Use Teams Effectively: Group users with similar responsibilities for easier management
  3. Regular Access Audits: Review user access quarterly and remove unnecessary permissions
  4. Separate Accounts: Never share login credentials; create individual accounts for each team member
  5. Document Access Policies: Maintain clear documentation of who should have access to what
  6. Enable MFA: Require multi-factor authentication for all administrators
  7. Environment Segregation: Restrict production access to senior team members only
  8. Monitor Activity: Regularly review audit logs for unusual access patterns
  9. Automate Onboarding/Offboarding: Use API or SSO for consistent user lifecycle management
  10. Test in Non-Production: Always test permission changes in development before applying to production

Additional Resources