Creating and Managing Organizations

The Organization resource is the root node in the Google Cloud Platform resource hierarchy and is the hierarchical super node of projects. This page explains how to acquire and manage an Organization resource.

Before you begin

Read an overview of the Organization resource.

Getting an Organization resource

An Organization resource is available for G Suite and Cloud Identity customers:

  • G Suite:
    • An Organization resource is automatically created the first time a user associated with a G Suite domain creates a project or billing account. The Organization will be linked to your G Suite account with the project or billing account set as a child resource. All projects and billing accounts created under your G Suite domain will be children of this Organization.
    • For information about how to migrate pre-existing projects, see Migrating existing projects.
  • Cloud Identity:
    • You can use a free Cloud Identity account to create an Organization resource. Learn About Cloud Identity.

Each G Suite or Cloud Identity account is associated with exactly one organization.

When the Organization resource is created, we communicate its availability to the G Suite or Cloud Identity super admins. These super admin accounts should be used carefully because they have a lot of control over your organization and all the resources underneath it. For this reason, we do not recommend using G Suite or Cloud Identity super admin accounts for the day-to-day management of your organization. For more information about using G Suite or Cloud Identity super admin accounts in GCP, see Super Admin Best Practices.

To actively adopt the Organization resource, the G Suite or Cloud Identity super admins need to assign the Organization Administrator Cloud IAM role to a user or group. For steps on setting up your organization, see Setting up your organization.

  • When the organization is created, all users in your domain are automatically granted Project Creator and Billing Account Creator IAM roles at the organization level. This enables users in your domain to continue creating projects with no disruption.
  • The Organization Administrator will decide when they want to start actively using the organization. They can then change the default permissions and enforce more restrictive policies as needed.
  • If the organization is available and you don't have the Cloud IAM permissions to view it, you can still create projects and billing accounts. These are automatically created under the Organization resource, even if you can't see it.

Getting your organization ID

The organization ID is a unique identifier for an organization and is automatically created when your Organization resource is created. Organization IDs are formatted as decimal numbers, and cannot have leading zeroes.

You can get your organization ID using either the GCP Console, the gcloud tool, or the Resource Manager API.

Console

To get your organization ID using the GCP Console:

  1. Go to the GCP Console.
  2. At the top of the page, click the project selection drop-down list.
  3. On the Select from window that appears, click the organization drop-down list and then select the organization you want.
  4. On the right side, click More, then click Settings.

The Settings page displays your organization's ID.

gcloud

To find your organization ID, run the following command:

gcloud organizations list

This lists all the organizations to which you belong, with their corresponding organization IDs.

API

To find your organization ID using the Resource Manager API, call the organizations.search() method with the filter domain:[company.com]. The response contains the metadata of the Organization resource, which includes the organization ID.
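An added example, not from this page or from Google's own samples, of the organizations.search() lookup just described: it follows nextPageToken (the method is paged), returns only an ACTIVE organization, and checks the ID against the documented format (decimal, no leading zeros). FakeCrm is a constructed stand-in for discovery.build('cloudresourcemanager', 'v1') so the snippet runs offline; example.com and the ID 123456789012 are constructed values.

```python
import re

def is_valid_org_id(org_id):
    """Organization IDs are decimal numbers without leading zeros."""
    return re.fullmatch(r'[1-9][0-9]*', org_id) is not None

def org_id_from_name(name):
    """Extract the ID from a resource name such as organizations/123456789012."""
    prefix = 'organizations/'
    org_id = name[len(prefix):] if name.startswith(prefix) else ''
    if not is_valid_org_id(org_id):
        raise ValueError('unexpected organization resource name: %r' % name)
    return org_id

def find_org_id(crm, domain):
    """Call organizations.search() with a domain filter and return the ID of the
    ACTIVE organization; the method is paged, so nextPageToken is followed."""
    body = {'filter': 'domain:%s' % domain}
    while True:
        resp = crm.organizations().search(body=body).execute()
        for org in resp.get('organizations', []):
            if org.get('lifecycleState') == 'ACTIVE':
                return org_id_from_name(org['name'])
        if not resp.get('nextPageToken'):
            raise LookupError('no active organization found for %s' % domain)
        body['pageToken'] = resp['nextPageToken']

class FakeCrm:
    """Constructed stand-in for discovery.build('cloudresourcemanager', 'v1')
    that returns one canned page, so the lookup can be exercised offline."""
    def organizations(self):
        return self
    def search(self, body):
        self.filter = body['filter']
        return self
    def execute(self):
        return {'organizations': [{'name': 'organizations/123456789012',
                                   'displayName': 'example.com',
                                   'lifecycleState': 'ACTIVE'}]}

if __name__ == '__main__':
    # Real use: from googleapiclient import discovery
    #           crm = discovery.build('cloudresourcemanager', 'v1')
    print(find_org_id(FakeCrm(), 'example.com'))   # 123456789012
```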

Setting up your organization

If you're a G Suite or Cloud Identity customer, an Organization resource is provided to you automatically.

The G Suite or Cloud Identity super administrators are the first users who can access the organization upon creation. All other users or groups will be able to use GCP as before. They'll be able to see the Organization resource, but they'll only be able to modify it after the correct permissions are set.

The G Suite or Cloud Identity super administrators and the GCP Organization admin are key roles during the setup process and for lifecycle control for the Organization resource. The two roles are generally assigned to different users or groups, although this depends on the organization structure and needs.

G Suite or Cloud Identity super administrator responsibilities, in the context of GCP Organization setup, are:

  • Assigning the Organization admin role to some users
  • Being a point of contact in case of recovery issues
  • Controlling the lifecycle of the G Suite or Cloud Identity account and Organization resource as explained under Deleting an Organization resource

The Organization admin, once assigned, can assign IAM roles to other users. The responsibilities of the Organization admin role are:

  • Defining IAM policies
  • Determining the structure of the Resource Hierarchy
  • Delegating responsibility over critical components such as Networking, Billing, Resource Hierarchy through IAM roles

Following the principle of least privilege, this role does not include the permission to perform other actions, such as creating folders. To get these permissions, an Organization admin must assign additional roles to their account.

Having two distinct roles ensures separation of duties between the G Suite or Cloud Identity super administrators and the GCP Organization admin. This is often a requirement as the two Google products are typically managed by different departments in the customer’s organization.

To begin actively using the Organization resource, follow the steps below to add an Organization Admin:

Adding an organization admin

Console

To add an Organization admin:

  1. Sign in to the Google Cloud Platform Console as a G Suite or Cloud Identity super administrator and navigate to the IAM & Admin page.

  2. Select the organization you want to edit:

    1. Click the Select a project drop-down list at the top of the page.

    2. On the Select dialog that appears, click the organization drop-down list, and select the organization to which you want to add an Organization admin.

    3. On the list that appears, click the organization to open its IAM Permissions page.

  3. Click Add, and then enter the email address of one or more users you want to set as organization administrators.

  4. In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Add.

  5. The Organization admin can take full control of the organization, and separation of responsibilities between G Suite or Cloud Identity super administrator and GCP administrator is established.

  6. The Organization admin can delegate responsibility over critical functions by assigning the relevant Cloud IAM roles.

As explained in Getting an Organization resource, upon creation, all users in the domain are granted the Project Creator and Billing Account Creator roles at the organization level by default. This ensures that no disruption is caused to GCP users when the Organization resource is created. As the Organization admin takes control, they may want to remove these organization-level permissions to start locking down access at a finer granularity (for instance, at the folder or project level). Note that, because IAM policies are inherited down the hierarchy, having the Project Creator role assigned to the entire domain (domain:mycompany.com) at the organization level means that every user in the domain can create projects anywhere in the hierarchy.

Creating projects in your organization

Console

You can create a project in the organization using the GCP Console after the Organization resource is enabled for your domain.

To create a new project in the organization:

  1. Go to the Manage resources page in the GCP Console.
  2. On the Select organization drop-down list at the top of the page, select the organization in which you want to create a project.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable.
  5. If you want to add the project to a folder, enter the folder name in the Location box.
  6. When you're finished entering new project details, click Create.

API

You can create a new project in the organization by creating a project and setting its parent field to the organizationId of the organization.

The following code snippet demonstrates how to create a project in an organization:

from googleapiclient import discovery

# Resource Manager v1 client; authenticates with application default credentials
crm = discovery.build('cloudresourcemanager', 'v1')

# flags.projectId and flags.organizationId are command-line arguments parsed earlier
operation = crm.projects().create(
    body={
        'projectId': flags.projectId,
        'name': 'My New Project',
        'parent': {
            'type': 'organization',
            'id': flags.organizationId
        }
    }).execute()
# projects.create() is asynchronous: poll crm.operations().get(name=operation['name'])
# until 'done' is true before using the new project

Viewing projects in an Organization

Users can only view and list projects they have access to via IAM roles. The Organization Admin can view and list all projects in the organization.

Console

To view all projects in an organization using the GCP Console:

  1. Go to the Google Cloud Platform Console.

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization.

  4. Click the Project drop-down at the top of the page, and then click View more projects. All projects in the organization are listed on the page.

The No organization option in the Organization drop-down lists the following projects:

  • Projects that do not belong to the Organization yet.
  • Projects that the user has access to, but that are under an Organization to which the user does not have access.

gcloud

To view all projects in an organization, run the following command:

gcloud projects list --filter='parent.id=[ORGANIZATION_ID] AND parent.type=organization'

The filter matches projects whose direct parent is the organization; projects placed in folders under the organization have the folder as their parent and are not returned by this command.

API

Use the projects.list() method to list all the projects in an organization, as shown in the following code snippet:

from googleapiclient import discovery

crm = discovery.build('cloudresourcemanager', 'v1')

# Only direct children of the organization match; the response is paged (nextPageToken)
project_filter = 'parent.type:organization parent.id:%s' % flags.organizationId
projects = crm.projects().list(filter=project_filter).execute()

Deleting an Organization resource

The Organization resource is bound to your G Suite or Cloud Identity account.

If you would prefer not to use the Organization resource, we recommend restoring the Organization's IAM policy to the original state using the following steps:

  1. Add your domain to the Project Creator and Billing Account Creator roles.
  2. Remove all other entries in the Organization's IAM policy.

This will allow your users to continue to create Projects and Billing Accounts while allowing the G Suite or Cloud Identity super admins to recover central administration later.
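An added example (not code from this page) that works on an organization IAM policy in the shape organizations.getIamPolicy() returns. It serves two passages: the domain-wide Project Creator and Billing Account Creator grants discussed under Adding an organization admin (domain_wide_grants() flags them, lock_down() removes them), and the two-step restore described just above (restore_default()). SAMPLE_POLICY, example.com and the etag are constructed values; apply_policy() assumes the google-api-python-client package.

```python
import copy

PROJECT_CREATOR = 'roles/resourcemanager.projectCreator'   # Project Creator
BILLING_CREATOR = 'roles/billing.creator'                  # Billing Account Creator
DEFAULT_ROLES = (PROJECT_CREATOR, BILLING_CREATOR)

# Constructed sample policy in the shape organizations.getIamPolicy() returns
SAMPLE_POLICY = {
    'etag': 'BwXconstructedEtag=',
    'bindings': [
        {'role': 'roles/resourcemanager.organizationAdmin',
         'members': ['user:admin@example.com']},
        {'role': PROJECT_CREATOR,
         'members': ['domain:example.com', 'group:devs@example.com']},
        {'role': BILLING_CREATOR, 'members': ['domain:example.com']},
    ],
}

def domain_wide_grants(policy):
    """(role, member) pairs granted to a whole domain. Because IAM policy is
    inherited, every user in that domain holds the role on every resource below."""
    return [(b['role'], m) for b in policy.get('bindings', [])
            for m in b.get('members', []) if m.startswith('domain:')]

def lock_down(policy, domain):
    """Remove only the domain-wide default creator grants; everything else stays.
    Works on a copy so the caller can diff old and new before applying."""
    member = 'domain:' + domain
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy['bindings']:
        if binding['role'] in DEFAULT_ROLES:
            binding['members'] = [m for m in binding['members'] if m != member]
        if binding['members']:  # a binding left without members is dropped
            kept.append(binding)
    new_policy['bindings'] = kept
    return new_policy

def restore_default(policy, domain):
    """Steps 1 and 2 above: only the domain-wide creator grants remain. The etag
    is carried over so setIamPolicy() rejects a concurrent edit of the policy."""
    member = 'domain:' + domain
    return {'etag': policy['etag'],
            'bindings': [{'role': r, 'members': [member]} for r in DEFAULT_ROLES]}

def apply_policy(crm, org_id, new_policy):
    """Write the policy back; crm is discovery.build('cloudresourcemanager', 'v1')."""
    return crm.organizations().setIamPolicy(
        resource='organizations/%s' % org_id, body={'policy': new_policy}).execute()
```

Compare domain_wide_grants() on the old and new policy before calling apply_policy(), so that a grant you did not intend to drop shows up in the diff rather than in production.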

If you want to delete your Organization and all resources associated with it, delete your G Suite account. For Cloud Identity users, cancel all other Google services, then delete your Google account.
