Enterprise Cloud Platform Overcomes RBAC Limitations Through OpenFGA Implementation
Acquia, a leading cloud platform for Drupal and digital experience management, wanted to move beyond basic role-based access control (RBAC) and adopt a modern, fine-grained authorization layer across its internal systems. AddWeb Solution partnered with Acquia to design and implement an OpenFGA-based authorization model, integrate it with Okta SSO, and ensure a smooth user data migration without disrupting existing production workflows.

The Business Needs
Understanding the Needs of Acquia
Acquia needed to modernize its authorization system quickly to overcome the constraints of a traditional RBAC implementation. Its existing Drupal-based permission system lacked the flexibility and granularity to support the complex access cases arising in its growing cloud services portfolio.
The company required a more advanced, context-aware authorization system that could express nuanced permissions across multiple interconnected systems, Constellation and MEO, while preserving security, scalability, and performance.
Acquia was clear that the change had to be introduced without disrupting current user workflows, because its platform is a mission-critical asset for enterprise customers running cloud infrastructure and digital experiences on it.
One of the biggest challenges in the project was delivering this architectural change against a live production environment: user data had to be migrated cleanly from the legacy system to Okta, the new authorization layer had to integrate with the existing SSO setup, and the rollout had to be coordinated to guarantee zero downtime.
Despite this complexity, Acquia needed assurance that the resulting enterprise-grade authorization solution would align with its long-term growth strategy without compromising its high security standards or operational continuity.
About Our Client: Acquia is a global cloud services provider headquartered in the United Kingdom for this engagement, working with enterprises that rely on Drupal and related tooling to power their digital experience platforms. Their internal teams manage complex user profiles, permissions, and entitlements across multiple applications, including systems like Constellation and MEO, all hosted on AWS.
Our Approach
We approached the engagement as a security and platform modernization initiative rather than just a tech upgrade:
- Understood how Constellation, MEO, Drupal, and other services were currently handling permissions, and identified the core entities (users, groups, organizations, resources) and the relationships between them (ownership, membership, admin, viewer, etc.).
- Positioned Okta as the single source of truth for identity and authentication, and OpenFGA as the policy and relationship engine for authorization decisions.
- Designed an authorization model and ARB (Authorization Relationship Blueprint) to represent how access should work today and scale tomorrow, and ensured the model could coexist with the existing Drupal RBAC during the transition.
- Built robust Laravel-based API services to handle SSO integration with Okta, user migration from legacy auth to Okta, access checks through OpenFGA, and a gradual migration path from Drupal RBAC to OpenFGA.
- Ensured that existing behavior remained intact while OpenFGA was introduced incrementally behind APIs and feature flags, with a phased cutover planned once confidence and coverage were high.
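To make the relationship model concrete, here is an added example (not Acquia's or AddWeb's code) of a small offline resolver that evaluates checks the way an OpenFGA model of this shape would: direct tuples, group usersets, implied relations (owner implies admin implies viewer) and relations inherited from a parent organization. The type names, relations and tuples are constructed for illustration only.

```python
from collections import defaultdict

# Assumed OpenFGA-style model. For each type, a relation lists how it can be
# satisfied: "direct" = a stored tuple; a bare string = implied by another
# relation on the same object; (parent_rel, rel) = inherited from an object
# linked through parent_rel (OpenFGA's "rel from parent_rel").
MODEL = {
    "group":        {"member": ["direct"]},
    "organization": {"admin": ["direct"],
                     "member": ["direct", "admin"]},
    "resource":     {"organization": ["direct"],
                     "owner": ["direct"],
                     "admin": ["direct", "owner", ("organization", "admin")],
                     "viewer": ["direct", "admin", ("organization", "member")]},
}

class TupleStore:
    """In-memory relationship tuples (user, relation, object)."""
    def __init__(self, tuples):
        self.by_obj_rel = defaultdict(set)
        for user, rel, obj in tuples:
            self.by_obj_rel[(obj, rel)].add(user)

    def subjects(self, obj, rel):
        return self.by_obj_rel.get((obj, rel), set())

def check(store, user, relation, obj):
    """Return True if user holds relation on obj under MODEL."""
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL[obj_type].get(relation, []):
        if rule == "direct":
            for subject in store.subjects(obj, relation):
                if subject == user:
                    return True
                if "#" in subject:  # userset such as group:eng#member
                    set_obj, set_rel = subject.split("#", 1)
                    if check(store, user, set_rel, set_obj):
                        return True
        elif isinstance(rule, str):  # implied by another relation
            if check(store, user, rule, obj):
                return True
        else:  # inherited from a parent object
            parent_rel, needed = rule
            if any(check(store, user, needed, p) for p in store.subjects(obj, parent_rel)):
                return True
    return False

# Constructed sample tuples: an org admin, a group with viewer rights, an owner.
STORE = TupleStore([
    ("user:alice", "admin", "organization:acquia"),
    ("user:bob", "member", "group:platform-eng"),
    ("group:platform-eng#member", "viewer", "resource:meo-db"),
    ("organization:acquia", "organization", "resource:meo-db"),
    ("user:carol", "owner", "resource:constellation-cfg"),
    ("organization:acquia", "organization", "resource:constellation-cfg"),
])

def can(user, relation, obj):
    return check(STORE, user, relation, obj)
```

Org admin alice can view meo-db through organization inheritance, bob can view it through his group membership but cannot administer it, and carol administers only the resource she owns.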
The Solution
A scalable, context-aware authorization platform built for enterprise complexity
We delivered a complete OpenFGA-based authorization solution that supersedes the old RBAC framework and offers far richer access control capabilities. The key elements of the solution were:
- Fine-Grained Authorization Model: We designed and implemented a full OpenFGA model supporting complex permission scenarios across the Constellation and MEO systems, using relationships, attributes, and organizational hierarchies to make context-based access decisions.
- Seamless SSO Integration with Okta: We developed a secure API layer implementing single sign-on, giving Acquia's platform ecosystem unified authentication while maintaining its security compliance and user experience standards.
- Zero-Downtime Data Migration: We imported user data to Okta gradually, with validation workflows, data integrity checks, and rollback procedures, to guarantee business continuity during the transition.
- Robust Access Control APIs: We developed high-performance API endpoints for real-time access verification, using OpenFGA's relationship-based authorization model to deliver millisecond-level permission checks at scale.
This solution enabled Acquia to overcome the RBAC limitation, enhance security granularity, and create a base of scalable authorization to support their expanding enterprise platform, and did so with minimal operational impact.
Final Outcome
Acquia Profile has moved from basic role-based access control (RBAC) to a more detailed authorization system with OpenFGA. This boosts security and keeps things running smoothly for users. The system is set up to handle permission needs across Acquia’s cloud services as it expands.
The team made sure the change worked well with the existing Okta single sign-on setup. They moved data from the old system without any downtime and rolled out the new system slowly to avoid service interruptions.
Now, the platform can handle access control based on context and relationships, which is important as Acquia gets bigger. It allows for very specific permissions across Constellation, MEO, and future setups. The fast API layer checks access in real time, so security checks don’t slow things down. This setup also means Acquia can change authorization policies on its own, without waiting for long development times, which sets the company up for security and growth in the future.