Last updated: 2025-09-08 (UTC).

- The policy orchestrator feature in VM Manager allows for the creation, updating, and deletion of OS policy assignments across multiple projects and zones.
- Policy orchestrator enables iterative management of OS policies, minimizing errors and providing visibility into the rollout status across an organization or folder.
- New Google Cloud locations or projects are automatically discovered, allowing the policy orchestrator to enforce policies in these new locations.
- Policy orchestrator can perform actions to create, update, or delete OS policies, and it utilizes a policy ID and payload for each project-zone pair in its scope.
- Pre-GA products and features, like the one described, are available "as is" with potentially limited support, as detailed in the "Pre-GA Offerings Terms".

This page provides an overview of the OS policy orchestrator feature in
VM Manager and its capabilities for managing OS policies at scale
across projects and zones.

Policy orchestrator helps you create, update, and delete OS policy assignments
in your resources in an iterative way to minimize errors. You can also monitor the overall
rollout status of the OS policy assignments in your organization and folders. If
policy assignments fail, then you can choose to edit or delete the policy orchestrator.

To use this feature, you must be familiar
with [OS policies and OS policy assignments](/compute/vm-manager/docs/os-policies/working-with-os-policies).

Use cases

You can use policy orchestrator to perform these common tasks:

- [Apply policies across your organization](#use-case-apply)
- [Automatically create policies in new projects and zones](#use-case-create)

Apply policies across your organization

Use policy orchestrator to gradually apply OS policy changes across
multiple projects and zones in your organization. The following example
describes a typical use case of a policy orchestrator.

You want to apply OS policies to VMs in a few projects under folder F1 in your
organization. Consider two test projects P1 and P2 under folder F1. To apply
the OS policies across these two projects, do the following:

1. Create an OS policy orchestrator in folder F1 and set the orchestrator scope to P1 and P2.
2. If the orchestration is successful, expand the orchestration scope by adding more projects in multiple, gradual steps. You can also disable the scope filter completely to roll out changes to all projects under folder F1.

Automatically create policies in new projects and zones

When Google makes new Google Cloud locations available or if you create or
move Google Cloud projects in your organization, the policy orchestrator
automatically discovers those changes and eventually enforces policies in new
locations and projects. You can also define the scope of orchestration and
apply changes to specific projects and resources.

Note that individual project owners can remove or modify policies created by
the orchestrator, but the policy orchestrator inserts
or updates the policies in the following iteration.

How it works

When you create a policy orchestrator, you can specify an existing OS policy file and
the scope for the orchestration. The policy orchestrator then applies the OS policy to
your resources iteratively. In each iteration, the policy orchestrator
identifies resources in scope of orchestration and performs the requested action
on these resources.

Each policy orchestrator can perform one of the following actions:

- Create or update (upsert) an existing OS policy
- Delete an OS policy

In addition to the action type, the policy orchestrator contains a policy ID
and a policy payload. For each project-zone pair from the orchestration scope,
policy orchestrator creates a resource that is specific to the
policy payload and the given policy ID. To [delete OS policy assignments](/compute/vm-manager/docs/os-policies/use-policy-orchestrator#delete-assignments-orchestrator) using policy orchestrator,
you must specify this policy ID.

What's next?

- Learn about the [prerequisites for using policy orchestrator](/compute/vm-manager/docs/os-policies/orchestrator-prerequisites).
- Learn how to [manage OS policy assignments using policy orchestrator](/compute/vm-manager/docs/os-policies/use-policy-orchestrator).