---
title: "Working with roles and permissions"
date: "2024-02-14T06:18:38+00:00"
summary: "Efficiently manage user access with Acquia Cloud Platform's role-based permissions. Learn to create, edit, and assign custom roles to streamline team workflows and enhance security for your organization."
image:
type: "page"
url: "/acquia-cloud-platform/working-roles-and-permissions"
id: "a5de1fdf-1335-4453-a162-30a63a69f9bc"
---


A _role_ is a collection of permissions to perform specific operations. Grouping [permissions](/acquia-cloud-platform/access/teams/permissions/default) into roles makes it easier to grant permissions to users and revoke them, based on their job functions. When you assign a user to a team in the Cloud Platform user interface, you assign them a role that defines what they can and cannot do on the team’s applications and environments.

The following actions are available on the **Manage** > **Roles** page for an organization:

*   [View roles](#viewing-a-roles-permissions)
*   [Compare roles](#comparing-roles)
*   [Create a role](#cloud-create-custom-role)
*   [Edit a role](#cloud-edit-role)
*   [Delete a role](#cloud-delete-role)
*   [Assign roles to users](#cloud-assign-roles-users)

Note

*   You can manage roles through the [Cloud Platform API](https://cloudapi-docs.acquia.com/).
*   The [notifications API](https://cloudapi-docs.acquia.com/#/Organizations/getOrganizationNotifications) provides detailed audit logs at the organizational level, capturing all actions and events related to teams and permissions through the Cloud Platform user interface. This includes events such as team and role creation, user additions and removals, and changes to team memberships. With this feature, you can effectively audit your teams and permission changes, maintain compliance with comprehensive log requirements, and ensure FedRAMP compliance.

Viewing an organization’s roles
-------------------------------

To view the roles existing in an [organization](/acquia-cloud-platform/access/teams/organizations):

1.  [Sign in to the Cloud Platform user interface](/node/55875).
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Roles** in the navigation pane.

### Filtering roles

If you have many custom roles, you can filter the roles displayed on the **Roles** page. To filter roles, enter text in the **Filter Roles** field. As you type, the **Roles** page displays only the roles whose name matches your filter string.

### Viewing a role’s permissions

You can view the permissions granted to a role by clicking **View** next to the role’s name. You can also view the permissions by [comparing](#comparing-roles) two or more roles.

Default roles
-------------

Each organization has the following default roles based on its associated entitlements:

*   _Administrator_
*   _Team Lead_
*   _Senior Developer_
*   _Developer_
*   _CMS user_

If the allocation of permissions to these roles matches your workflow and business needs, you can use them as-is. You can also create new custom roles or edit the default roles so that their permissions work best with the way your organization runs.

You can’t edit the _Administrator_ role; it always includes all possible permissions. An _Administrator_ has that role for the entire organization; it isn’t limited by membership on a team. An organization’s _Owner_ or _Administrator_ can [edit the other default roles](#cloud-edit-role) (including changing the name of a default role) and can [create](#cloud-create-custom-role), edit, and remove custom roles.

Common tasks and required permissions
-------------------------------------

Use the following table to identify which role, permission, or entitlement to verify for a task:

| Task | Where you perform the task | What to verify |
| --- | --- | --- |
| Create a Support ticket | Acquia Help Center or Cloud Platform user interface | Verify that your subscription includes Support tickets and that you have remaining Support tickets.<br>Verify that your Acquia account is active and associated with an Acquia organization, which is required to get assistance from Support. |
| Create or open a Cloud IDE | Cloud Platform user interface | Verify that Cloud IDE is available for your Cloud Platform subscription and that your role includes Cloud IDE permissions. |
| Remove a team member’s Cloud IDE | Cloud Platform user interface | Verify that your role includes the **Manage any Cloud IDEs** permission. |
| Install or remove SSL certificates | Cloud Platform user interface | Verify that your role includes the following applicable permissions:<br>**Add or remove SSL certificates for non-production environments**<br>**Add or remove SSL certificates for production environments** |

*   For Cloud IDE permission names and definitions, visit [How can I manage permissions for Cloud IDE?](/acquia-cloud-platform/add-ons/cloud-ide/help/68666-how-can-i-manage-permissions-cloud-ide "How can I manage permissions for Cloud IDE?")
*   For ticket prerequisites and access requirements, visit [Support and TAM ticket information](/service-offerings/support-and-tam-ticket-information "Support and TAM ticket information") and [Contacting Acquia Support](/service-offerings/contacting-acquia-support "Contacting Acquia Support").
*   For SSL permission names and definitions, visit [SSL on Cloud Platform](/acquia-cloud-platform/ssl-cloud-platform "SSL on Cloud Platform").

Comparing roles
---------------

You can select two or three existing roles and compare their permissions. To compare roles:

1.  [Sign in to the Cloud Platform user interface](/node/55875) as an organization owner or administrator.
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Roles** in the navigation pane.
5.  Select the roles you want to compare.
6.  Click **Compare roles**.

The **Compare roles** page displays the permissions for the roles you selected. Permissions granted to a role display a green checkbox, while permissions not granted to a role display a black lock icon.

Creating a custom role
----------------------

An _Owner_ or _Administrator_ can create custom roles in an organization, in addition to the default roles (_Administrator_, _Team lead_, _Senior developer_, and _Developer_). A custom role can be created only if the [organization](/acquia-cloud-platform/access/teams/organizations) includes at least one [team](/acquia-cloud-platform/access/teams). After you create a custom role, you can assign it to team members in the organization instead of or in addition to a default role.

To create a custom role:

1.  [Sign in to the Cloud Platform user interface](/node/55875) as an _Owner_ or _Administrator_.
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Roles** in the navigation pane.
5.  Click **Create role**.
6.  Enter a name and description for the role.
7.  (_Optional_) Select an existing role whose permissions you want to copy as a starting point. For more information, see [Copying a role](#cloud-copy-role).
8.  Select the permissions you want to give to the new custom role.
9.  Click **Create role**.

Editing a role
--------------

You can edit an existing role, including the default _Team lead_, _Senior developer_, and _Developer_ roles, and any custom roles created for your organization. You can’t edit the _Administrator_ or _Owner_ roles; those users always have all possible permissions.

To edit a role:

1.  [Sign in to the Cloud Platform user interface](/node/55875) as an _Owner_ or _Administrator_.
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Roles** in the navigation pane.
5.  Click **Edit** for the role you want to edit.
6.  Add a permission to the role by selecting its checkbox; remove a permission by clearing the checkbox for that permission. You can also [copy an existing role](#cloud-copy-role), update it, or select all or none of the permissions.
7.  Click **Update role**.

After a role is modified, its description lists the user who last edited it.

Deleting a role
---------------

You can delete a custom role, but you cannot delete the default roles.

Note

You cannot delete a custom role when an invite for that role is pending. The invite must be removed before the role can be deleted.

To delete a role:

1.  [Sign in to the Cloud Platform user interface](/node/55875) as an _Owner_ or _Administrator_.
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Roles** in the navigation pane.
5.  Click **Remove** for the role you want to delete.

Copying a role
--------------

You may want to create or edit a role so it has most of the permissions of an existing role, but differs by a few permissions. While creating or editing a role, you can copy the permission set of a different existing role. To copy an existing role, select the role you want to copy from in the menu under **Copy permissions from existing role**. Cloud Platform sets the current role’s permissions to be the same as the other role. Make the permission modifications you want, and click **Update role**.

Assigning roles to users
------------------------

You assign one or more roles to a user when you add or invite them to a team in the organization. A user can have different roles on different teams. You can also change the roles assigned to a user on the **Members** section of the **Organizations** > **Team management** page. For more information, see [Managing team members](/acquia-cloud-platform/access/teams/members).

Assigning the Administrator role to a user with a different role
----------------------------------------------------------------

To upgrade the role of an existing member to the _Administrator_ role:

1.  [Sign in to the Cloud Platform user interface](/node/55875) as an _Owner_ or _Administrator_.
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Team Management**.
5.  In **Members**, click **Invite member**.
6.  Select _Administrator_ as the role.
7.  Click **Continue**.
8.  Specify the email address of the existing user to whom you want to assign the _Administrator_ role.
9.  Click **Continue** > **Invite**.
    
    The system sends an email invite to the user. This user must accept the invitation. For such a user, the details appear twice in the team list: once as an _Administrator_ and once with the other role they hold.
    

Assigning additional roles to an existing user
----------------------------------------------

To assign additional roles to an existing user:

1.  [Sign in to the Cloud Platform user interface](/node/55875) as an _Owner_ or _Administrator_.
2.  Click **Manage** in the top menu.
3.  Click your organization’s information card.
4.  Click **Team Management**.
5.  In **Members**, click **Edit roles** corresponding to the user to whom you want to assign additional roles.
6.  Select the additional roles that you want to assign to the user.
7.  Click **Continue**.
8.  Review the details and click **Save**.

Assigning roles with the Cloud Platform API
-------------------------------------------

The [Cloud Platform API](/acquia-cloud-platform/develop-apps/api) offers the following API endpoints for managing roles and teams:

*   [List all roles for an organization](https://cloudapi-docs.acquia.com/#/Organizations/getOrganizationRoles)
*   [List all members of a team](http://cloudapi-docs.acquia.com/#/Teams%20and%20Permissions/getTeamMembers)
*   [Create a role](https://cloudapi-docs.acquia.com/#/Organizations/postOrganizationRoles)
*   [Display details about a role](https://cloudapi-docs.acquia.com/#/Teams%20and%20Permissions/getRole)
*   [Update a role](https://cloudapi-docs.acquia.com/#/Teams%20and%20Permissions/putRoleByUuid)
*   [Grant a team role to a member](https://cloudapi-docs.acquia.com/#/Teams%20and%20Permissions/putTeamsMember)
*   [Delete a role](https://cloudapi-docs.acquia.com/#/Teams%20and%20Permissions/deleteRole)
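
The following added example (not Acquia's code) reproduces the **Compare roles** view offline from a saved role listing and reports which roles hold permissions worth reviewing. The response shape (`_embedded.items`, `name`, `permissions[].label`), the sample data, the _Release Bot_ role, and the choice of sensitive permissions are assumptions; the permission labels are the ones named on this page.

```python
import json

# Constructed sample in an ASSUMED shape for the "List all roles for an
# organization" response; "Release Bot" is a hypothetical custom role.
SAMPLE = json.loads("""
{"_embedded": {"items": [
  {"name": "Team Lead", "permissions": [
    {"label": "Manage any Cloud IDEs"},
    {"label": "Add or remove SSL certificates for non-production environments"},
    {"label": "Add or remove SSL certificates for production environments"}]},
  {"name": "Developer", "permissions": [
    {"label": "Add or remove SSL certificates for non-production environments"}]},
  {"name": "Release Bot", "permissions": [
    {"label": "Add or remove SSL certificates for production environments"}]}
]}}
""")

# Assumption: labels from this page that an access review should look at.
SENSITIVE = {"Manage any Cloud IDEs",
             "Add or remove SSL certificates for production environments"}

def role_permissions(response):
    """Map each role name to the set of permission labels it grants."""
    items = response.get("_embedded", {}).get("items", [])
    return {r["name"]: {p["label"] for p in r.get("permissions", [])}
            for r in items}

def compare(roles, names):
    """Permission -> granted flag per selected role, as on Compare roles."""
    missing = [n for n in names if n not in roles]
    if missing:
        raise KeyError(f"unknown role(s): {missing}")
    every = sorted(set().union(*(roles[n] for n in names)))
    return {perm: [perm in roles[n] for n in names] for perm in every}

def differing(matrix):
    """Permissions that are not granted uniformly across the compared roles."""
    return sorted(p for p, row in matrix.items() if len(set(row)) > 1)

def sensitive_grants(roles, sensitive=SENSITIVE):
    """Role -> sensitive permissions it holds (roles with none are omitted)."""
    return {n: sorted(p & sensitive) for n, p in roles.items() if p & sensitive}

if __name__ == "__main__":
    roles = role_permissions(SAMPLE)
    matrix = compare(roles, ["Team Lead", "Developer"])
    for perm, row in matrix.items():
        print("  ".join("yes" if g else "no " for g in row), perm)
    print("review:", sensitive_grants(roles))
```

Running the same comparison on listings saved before and after a role edit shows exactly which permissions the edit added or removed.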