Acquia Cloud Roles & Permissions | OpsBlu Docs

Acquia Cloud Roles & Permissions

Acquia Cloud Platform roles, permissions, and team management for Drupal-based sites — organization roles, environment access, and analytics permissions.

Acquia Cloud Platform manages access through organization-level roles and application-level permissions layered on top of Drupal's own role system. Understanding both layers is critical for secure analytics deployment.

Acquia Cloud Platform Roles

Acquia uses a hierarchical permission model: Organization > Team > Application > Environment.

Organization Roles

| Role | Description |
|------|-------------|
| Owner | Full control over the organization, billing, and all applications |
| Administrator | Manage teams, applications, and users across the organization |
| Member | Access only to assigned teams and applications |

Team Roles

Teams grant application-level access. Each team member gets one of these roles:

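| Role | Manage Apps | Deploy | Configure Environments | Access Logs | Manage Team |
|------|-------------|--------|------------------------|-------------|-------------|
| Admin | Yes | Yes | Yes | Yes | Yes |
| Senior Developer | No | Yes | Yes | Yes | No |
| Developer | No | Yes | No | Yes | No |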

Drupal Site Roles (Application Layer)

Since Acquia hosts Drupal, the CMS itself has its own role system:

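| Role | Administer Users | Administer Modules | Edit Content | Administer Themes |
|------|------------------|--------------------|--------------|-------------------|
| Administrator | Yes | Yes | Yes | Yes |
| Content Editor | No | No | Yes | No |
| Content Author | No | No | Own only | No |
| Authenticated User | No | No | No | No |
| Anonymous | No | No | No | No |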

Analytics-Relevant Permissions

Who Can Install Tracking Scripts

On Acquia-hosted Drupal sites, analytics script installation requires:

  • Acquia Cloud Admin/Senior Developer to deploy module changes
  • Drupal Administrator to enable and configure analytics modules
  • Drupal user with administer google analytics permission for GA configuration

# Check which Drupal roles have analytics permissions via Drush
drush role:list --format=json | python3 -c "
import json, sys
roles = json.load(sys.stdin)
for role_id, role in roles.items():
    # Drush reports each role's permissions under the 'perms' key
    perms = role.get('perms', [])
    # Substring match is a coarse filter; review the hits by hand
    analytics_perms = [p for p in perms if 'analytics' in p or 'tag' in p or 'script' in p]
    if analytics_perms:
        print(f'{role_id}: {analytics_perms}')
"

Environment-Specific Permissions

Acquia separates Dev, Stage, and Production environments. Analytics scripts should only be configured for Production:

# Example: Drupal config split for analytics (config/prod/google_analytics.settings.yml)
account: "G-XXXXXXXXXX"
visibility:
  request_path_mode: 0
  request_path_pages: "/admin\n/admin/*"

Custom Roles in Drupal on Acquia

Create custom roles via Drupal's admin UI or Drush:

# Create a custom "Analytics Manager" role via Drush
drush role:create analytics_manager "Analytics Manager"

# Grant analytics-specific permissions
drush role:perm:add analytics_manager "administer google analytics"
drush role:perm:add analytics_manager "access site reports"
drush role:perm:add analytics_manager "view any webform submission"

Navigate to People > Roles (/admin/people/roles) in Drupal to manage roles through the UI.

Acquia Cloud API Token Scopes

Acquia Cloud API v2 uses OAuth2 tokens for programmatic access:

# Generate an API token at https://cloud.acquia.com/a/profile/tokens
# Authenticate and store the access token in $TOKEN for the calls below
TOKEN=$(curl -s -X POST "https://accounts.acquia.com/api/auth/oauth/token" \
  -d "client_id=YOUR_KEY&client_secret=YOUR_SECRET&grant_type=client_credentials" \
  | jq -r '.access_token')

# List team members for an organization
curl -s -H "Authorization: Bearer $TOKEN" \
  "https://cloud.acquia.com/api/organizations/{org_uuid}/members" \
  | jq '.[] | {email: .mail, roles: .roles}'

API tokens inherit the permissions of the user who created them. There are no granular scopes -- tokens get full access for that user's role level.

Permission Audit

| Check | How to Verify |
|-------|---------------|
| Acquia Cloud users | Acquia Cloud UI > Organization > Members |
| Drupal admin accounts | drush user:list --roles=administrator |
| Analytics module access | Drupal Admin > People > Permissions > Filter "analytics" |
| API tokens | Acquia Cloud > Profile > API Tokens (each user manages their own) |
| Environment access | Acquia Cloud > Application > Teams |
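
The Drupal part of this audit can be automated. The following is an added example, not code from the original page or from Acquia or Drupal: an allowlist check over `drush role:list --format=json` output that flags roles holding tracking-related permissions without being approved for them. The approved-role set, the severity labels, and the sample data are assumptions constructed for illustration.

```python
import json
import sys

# Permissions named on this page that control tracking setup or module changes.
SENSITIVE = {"administer google analytics", "administer modules"}
# Assumption: site policy approves only these roles to hold them.
APPROVED = {"administrator", "analytics_manager"}
# Built-in roles held by every visitor or every logged-in user.
BROAD = {"anonymous", "authenticated"}


def audit_roles(role_dump, sensitive=SENSITIVE, approved=APPROVED):
    """Return sorted (severity, role_id, permission) tuples for unapproved grants."""
    findings = []
    for role_id, role in role_dump.items():
        if role_id in approved:
            continue
        # Drush lists each role's permissions under "perms".
        held = set(role.get("perms") or [])
        for perm in held & sensitive:
            # A grant on a built-in role reaches far more accounts.
            severity = "high" if role_id in BROAD else "medium"
            findings.append((severity, role_id, perm))
    return sorted(findings)


# Constructed sample in the shape of `drush role:list --format=json`.
SAMPLE = json.loads("""
{
  "anonymous": {"label": "Anonymous user", "perms": ["access content"]},
  "authenticated": {"label": "Authenticated user",
                    "perms": ["access content", "administer google analytics"]},
  "content_editor": {"label": "Content Editor",
                     "perms": ["access site reports", "administer modules"]},
  "analytics_manager": {"label": "Analytics Manager",
                        "perms": ["administer google analytics", "access site reports"]}
}
""")

if __name__ == "__main__":
    # Pipe real Drush output in, or run with no input to audit the sample.
    dump = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for severity, role_id, perm in audit_roles(dump):
        print(f"[{severity}] {role_id} holds '{perm}'")
```

Saved under a hypothetical name such as audit_roles.py, it accepts live data with `drush role:list --format=json | python3 audit_roles.py`.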

Best Practices

  1. Use Acquia teams to limit environment access -- developers should not have Production deploy rights
  2. Create a dedicated Drupal "Analytics Manager" role rather than granting full admin access
  3. Use config splits to keep analytics configuration separate per environment
  4. Audit Acquia Cloud API tokens quarterly since they inherit full user permissions
  5. Leverage Acquia Shield (IP whitelisting) to restrict admin access on non-production environments