AccessPolicy is a container for AccessLevels (which define the necessary attributes to use Google Cloud services) and ServicePerimeters (which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.
name
string
Output only. Identifier. Resource name of the AccessPolicy. Format: accessPolicies/{access_policy}
parent
string
Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organizationId}
title
string
Required. Human readable title. Does not affect behavior.
scopes[]
string
The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with scopes=["folders/123"] has the following behavior:
ServicePerimeter within policy A can only reference access levels defined within policy A.
Only one policy can include a given scope; thus, attempting to create a second policy which includes folders/123 will result in an error.
If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of folders/{folder_number} or projects/{projectNumber}
etag
string
Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Policies will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format.
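The field rules above can be checked before a create request is sent. The following is an added example, not part of the API reference or Google's client libraries: the function names and sample data are hypothetical, and it assumes folder and project numbers are numeric. The scope-collision check only covers the bodies passed in; the API remains authoritative.

```python
import re

# Formats as documented on this page; numeric folder/project numbers are an assumption.
PARENT_RE = re.compile(r"organizations/[^/]+")
SCOPE_RE = re.compile(r"(folders|projects)/\d+")
OUTPUT_ONLY = ("name", "etag")


def lint_policy(body, scopes_in_use=()):
    """Return a list of problems found in one AccessPolicy create body (a dict)."""
    problems = []
    for field in OUTPUT_ONLY:
        if field in body:
            problems.append(f"{field}: output only, set by the server")
    if not PARENT_RE.fullmatch(body.get("parent") or ""):
        problems.append("parent: required, format organizations/{organizationId}")
    if not (body.get("title") or "").strip():
        problems.append("title: required")
    scopes = body.get("scopes") or []
    if len(scopes) > 1:
        problems.append("scopes: a policy can only have a single scope")
    for scope in scopes:
        if not SCOPE_RE.fullmatch(scope):
            problems.append(f"scopes: {scope!r} is not folders/{{n}} or projects/{{n}}")
        elif scope in scopes_in_use:
            problems.append(f"scopes: {scope} is already included by another policy")
    return problems


def lint_batch(bodies):
    """Lint several create bodies in order, tracking scopes claimed so far."""
    claimed, report = set(), {}
    for body in bodies:
        problems = lint_policy(body, claimed)
        report[body.get("title", "<untitled>")] = problems
        if not problems:
            claimed.update(body.get("scopes") or [])
    return report


# Constructed sample input (not from the page).
SAMPLES = [
    {"parent": "organizations/111", "title": "folder policy", "scopes": ["folders/123"]},
    {"parent": "organizations/111", "title": "duplicate", "scopes": ["folders/123"]},
    {"parent": "folders/123", "title": "bad parent", "etag": "abc",
     "scopes": ["folders/1", "projects/my-project"]},
    {"parent": "organizations/111", "title": "org wide"},
]
```

Calling `lint_batch(SAMPLES)` returns a dict keyed by title; an empty list means the body passed every check.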
Last updated 2025-07-17 UTC.