AccessPolicy is a container for AccessLevels (which define the necessary attributes to use Google Cloud services) and ServicePerimeters (which define regions of services able to freely pass data within a perimeter). An access policy is globally visible within an organization, and the restrictions it specifies apply to all projects within an organization.
name
string
Identifier. Resource name of the AccessPolicy. Format: accessPolicies/{access_policy}
parent
string
Immutable. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Format: organizations/{organizationId}
title
string
Required. Human readable title. Does not affect behavior.
scopes[]
string
The scopes of the AccessPolicy. Scopes define which resources a policy can restrict and where its resources can be referenced. For example, policy A with scopes=["folders/123"] has the following behavior:
ServicePerimeter within policy A can only reference access levels defined within policy A.
Only one policy can include a given scope; thus, attempting to create a second policy which includes folders/123 will result in an error.
If no scopes are provided, then any resource within the organization can be restricted. Scopes cannot be modified after a policy is created. Policies can only have a single scope. Format: list of folders/{folder_number} or projects/{projectNumber}
etag
string
Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Policies will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format.
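The scope rules described above can be checked before a create request is sent. The following is an added example, not code from this reference or from Google: it lints a proposed AccessPolicy body against the stated constraints and flags perimeter references to access levels from another policy. The function names, the numeric-ID patterns, the access level name layout accessPolicies/{policy}/accessLevels/{level}, and all sample values are assumptions made for the illustration.

```python
import re

# Assumption: organization, folder and project identifiers are numeric.
PARENT_RE = re.compile(r"organizations/\d+")
SCOPE_RE = re.compile(r"(folders|projects)/\d+")

def lint_access_policy(policy, existing=()):
    """Return the problems found in a proposed AccessPolicy body.

    `existing` is the list of policies already present (constructed by the caller).
    """
    problems = []
    if not PARENT_RE.fullmatch(policy.get("parent", "")):
        problems.append("parent must be organizations/{organizationId}")
    if not policy.get("title"):
        problems.append("title is required")
    scopes = policy.get("scopes", [])
    if len(scopes) > 1:
        problems.append("a policy can only have a single scope")
    for scope in scopes:
        if not SCOPE_RE.fullmatch(scope):
            problems.append(f"bad scope format: {scope}")
    # Only one policy can include a given scope.
    for other in existing:
        if other.get("parent") != policy.get("parent"):
            continue
        for scope in sorted(set(scopes) & set(other.get("scopes", []))):
            problems.append(f"{scope} is already in {other['name']}")
    return problems

def foreign_access_levels(policy_name, access_level_names):
    """Return access level names that are not defined within `policy_name`.

    Assumption: access levels are named {policy_name}/accessLevels/{level}.
    """
    prefix = policy_name + "/accessLevels/"
    return [n for n in access_level_names if not n.startswith(prefix)]

# Constructed sample data: one existing scoped policy and one proposed duplicate.
EXISTING = [{"name": "accessPolicies/111", "parent": "organizations/42",
             "scopes": ["folders/123"]}]
PROPOSED = {"parent": "organizations/42", "title": "second policy",
            "scopes": ["folders/123"]}

if __name__ == "__main__":
    for problem in lint_access_policy(PROPOSED, EXISTING):
        print(problem)
```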
Last updated 2025-07-17 UTC.