Method: organizations.locations.workloads.restrictAllowedResources

Restrict the list of resources allowed in the Workload environment. The current list of allowed products can be found at In addition to assuredworkloads.workload.update permission, the user should also have orgpolicy.policy.set permission on the folder resource to use this functionality.

HTTP request

POST https://{endpoint}/v1/{name=organizations/*/locations/*/workloads/*}:restrictAllowedResources

Where {endpoint} is one of the supported service endpoints.

The URLs use gRPC Transcoding syntax.

Path parameters



name

Required. The resource name of the Workload. This is the workload's relative path in the API, formatted as "organizations/{organization_id}/locations/{locationId}/workloads/{workload_id}". For example, "organizations/123/locations/us-east1/workloads/assured-workload-1".

Request body

The request body contains data with the following structure:

JSON representation

{
  "restrictionType": enum (RestrictionType)
}

restrictionType

enum (RestrictionType)

Required. The type of restriction for using GCP products in the Workload environment.

Response body

If successful, the response body is empty.

Authorization scopes

Requires the following OAuth scope:


For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the name resource:

  • assuredworkloads.workload.update

For more information, see the IAM documentation.


RestrictionType

The type of restriction.

RESTRICTION_TYPE_UNSPECIFIED Unknown restriction type.
ALLOW_ALL_GCP_RESOURCES Allow the use of all GCP products, irrespective of the compliance posture. This effectively removes the gcp.restrictServiceUsage OrgPolicy on the AssuredWorkloads Folder.
ALLOW_COMPLIANT_RESOURCES Based on Workload's compliance regime, allowed list changes. See - for the list of supported resources.
APPEND_COMPLIANT_RESOURCES Similar to ALLOW_COMPLIANT_RESOURCES but adds the list of compliant resources to the existing list of compliant resources. Effective org-policy of the Folder is considered to ensure there is no disruption to the existing customer workflows.
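The following is an added example, not part of the original reference: a Python helper that builds (but does not send) the request described above and refuses ALLOW_ALL_GCP_RESOURCES unless the caller explicitly opts in, since that value removes the gcp.restrictServiceUsage policy. The function name, the opt-in flag, the character set accepted in path segments, and the endpoint host used in the demo are assumptions of this example.

```python
import json
import re

# Path format from the reference:
# organizations/{organization_id}/locations/{locationId}/workloads/{workload_id}
# Assumption of this example: segments use only letters, digits, '.', '_' and '-'.
SEGMENT = r"[A-Za-z0-9._-]+"
NAME_RE = re.compile(
    rf"organizations/{SEGMENT}/locations/{SEGMENT}/workloads/{SEGMENT}"
)

# RestrictionType values this helper accepts. RESTRICTION_TYPE_UNSPECIFIED is
# left out because the field is required and that value means "unknown".
SETTABLE = {
    "ALLOW_ALL_GCP_RESOURCES",
    "ALLOW_COMPLIANT_RESOURCES",
    "APPEND_COMPLIANT_RESOURCES",
}


def build_restrict_request(endpoint, name, restriction_type,
                           allow_policy_removal=False):
    """Return (method, url, body) for restrictAllowedResources."""
    # Reject anything that is not a workload name, so stray characters
    # such as '?' or '#' cannot change the meaning of the URL.
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"not a workload resource name: {name!r}")
    if restriction_type not in SETTABLE:
        raise ValueError(f"unsupported restrictionType: {restriction_type!r}")
    # ALLOW_ALL_GCP_RESOURCES drops the service restriction on the folder,
    # so this helper requires a deliberate opt-in (hypothetical flag).
    if restriction_type == "ALLOW_ALL_GCP_RESOURCES" and not allow_policy_removal:
        raise PermissionError(
            "ALLOW_ALL_GCP_RESOURCES removes gcp.restrictServiceUsage; "
            "pass allow_policy_removal=True to confirm"
        )
    url = f"https://{endpoint}/v1/{name}:restrictAllowedResources"
    body = json.dumps({"restrictionType": restriction_type})
    return "POST", url, body


if __name__ == "__main__":
    # Endpoint host is an assumption; use one of the supported endpoints.
    print(build_restrict_request(
        "assuredworkloads.googleapis.com",
        "organizations/123/locations/us-east1/workloads/assured-workload-1",
        "APPEND_COMPLIANT_RESOURCES",
    ))
```

The caller still needs assuredworkloads.workload.update on the workload and orgpolicy.policy.set on the folder for the request to succeed.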