Acquia Cloud Roles & Permissions | OpsBlu Docs

Acquia Cloud Roles & Permissions

Acquia Cloud Platform roles, permissions, and team management for Drupal-based sites — organization roles, environment access, and analytics permissions.

Acquia Cloud Platform manages access through organization-level roles and application-level permissions layered on top of Drupal's own role system. Understanding both layers is critical for secure analytics deployment.

Acquia Cloud Platform Roles

Acquia uses a hierarchical permission model: Organization > Team > Application > Environment.

Organization Roles

Role Description
Owner Full control over the organization, billing, and all applications
Administrator Manage teams, applications, and users across the organization
Member Access only to assigned teams and applications

Team Roles

Teams grant application-level access. Each team member gets one of these roles:

Role Manage Apps Deploy Configure Environments Access Logs Manage Team
Admin Yes Yes Yes Yes Yes
Senior Developer No Yes Yes Yes No
Developer No Yes No Yes No

Drupal Site Roles (Application Layer)

Since Acquia hosts Drupal, the CMS itself has its own role system:

Role Administer Users Administer Modules Edit Content Administer Themes
Administrator Yes Yes Yes Yes
Content Editor No No Yes No
Content Author No No Own only No
Authenticated User No No No No
Anonymous No No No No

Analytics-Relevant Permissions

Who Can Install Tracking Scripts

On Acquia-hosted Drupal sites, analytics script installation requires:

  • Acquia Cloud Admin/Senior Developer to deploy module changes
  • Drupal Administrator to enable and configure analytics modules
  • Drupal user with administer google analytics permission for GA configuration
# Check which Drupal roles have analytics permissions via Drush
drush role:list --format=json | python3 -c "
import json, sys
roles = json.load(sys.stdin)
for role_id, role in roles.items():
    perms = role.get('permissions', [])
    analytics_perms = [p for p in perms if 'analytics' in p or 'tag' in p or 'script' in p]
    if analytics_perms:
        print(f'{role_id}: {analytics_perms}')
"

Environment-Specific Permissions

Acquia separates Dev, Stage, and Production environments. Analytics scripts should only be configured for Production:

# Example: Drupal config split for analytics (config/prod/google_analytics.settings.yml)
account: "G-XXXXXXXXXX"
visibility:
  request_path_mode: 0
  request_path_pages: "/admin\n/admin/*"

Custom Roles in Drupal on Acquia

Create custom roles via Drupal's admin UI or Drush:

# Create a custom "Analytics Manager" role via Drush
drush role:create analytics_manager "Analytics Manager"

# Grant analytics-specific permissions
drush role:perm:add analytics_manager "administer google analytics"
drush role:perm:add analytics_manager "access site reports"
drush role:perm:add analytics_manager "view any webform submission"

Navigate to People > Roles (/admin/people/roles) in Drupal to manage roles through the UI.

Acquia Cloud API Token Scopes

Acquia Cloud API v2 uses OAuth2 tokens for programmatic access:

# Generate an API token at https://cloud.acquia.com/a/profile/tokens
# Authenticate and list applications
curl -s -X POST "https://accounts.acquia.com/api/auth/oauth/token" \
  -d "client_id=YOUR_KEY&client_secret=YOUR_SECRET&grant_type=client_credentials" \
  | jq '.access_token'

# List team members for an organization
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://cloud.acquia.com/api/organizations/{org_uuid}/members" \
  | jq '.[] | {email: .mail, roles: .roles}'

API tokens inherit the permissions of the user who created them. There are no granular scopes -- tokens get full access for that user's role level.

Permission Audit

Check How to Verify
Acquia Cloud users Acquia Cloud UI > Organization > Members
Drupal admin accounts drush user:list --roles=administrator
Analytics module access Drupal Admin > People > Permissions > Filter "analytics"
API tokens Acquia Cloud > Profile > API Tokens (each user manages their own)
Environment access Acquia Cloud > Application > Teams

Best Practices

  1. Use Acquia teams to limit environment access -- developers should not have Production deploy rights
  2. Create a dedicated Drupal "Analytics Manager" role rather than granting full admin access
  3. Use config splits to keep analytics configuration separate per environment
  4. Audit Acquia Cloud API tokens quarterly since they inherit full user permissions
  5. Leverage Acquia Shield (IP whitelisting) to restrict admin access on non-production environments
Back to top