Creating and Managing Organizations

The Organization resource is the root node in the Google Cloud Platform resource hierarchy and is the hierarchical super node of projects. This page explains how to acquire and manage an Organization resource.

Before you begin

Read an overview of the Organization resource.

Acquiring an Organization resource

An Organization resource is available for both G Suite and Cloud Identity customers:

  • G Suite:
    • The first time a user in your domain creates a project or billing account, the Organization resource is automatically created and linked to your company’s G Suite account. The current project and all future projects will automatically belong to the organization.
    • For information about how to migrate pre-existing projects, see Migrating existing projects.
  • Cloud Identity: You can use a free Cloud Identity account to create an Organization resource. Learn About Cloud Identity.

If you aren't a G Suite or Cloud Identity customer, contact our sales team to verify your domain for Google Cloud and create the Organization resource.

When the Organization resource is created, we communicate its availability to the G Suite or Cloud Identity super admin. To actively adopt the Organization resource, the G Suite or Cloud Identity super admin needs to assign the Organization Administrator IAM role to some user. See Setting up your organization for how to set up your organization.

By default, when the organization is created your entire domain is granted Project Creator and Billing Account Creator IAM roles at the organization level. This ensures that users in your domain will be able to continue creating projects as they did before and no disruption occurs.

The Organization Administrator will decide when they want to start actively using the organization. They can then change the default permissions and enforce more restrictive policies as needed.

If the organization is available but not visible to you due to missing IAM permissions, you'll still be able to create projects and billing accounts. These are automatically created under the Organization resource, even though that may not be apparent.

Retrieving your organization ID

The organization ID is a unique identifier for an organization and is automatically created when your Organization resource is created.

You can find your organization ID using either the Cloud Platform Console, the gcloud tool, or the Google Cloud Resource Manager API.

Console

To find your organization ID using Cloud Platform Console:

  1. Go to the Google Cloud Platform Console.

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization in the organization drop-down and then select Settings. The Organization ID is displayed in the Settings page.

gcloud


To find your organization ID, run the following command:

gcloud organizations list

This will list all the organizations to which you belong, and their corresponding organization IDs.

API


To find your organization ID using the Resource Manager API, call the organizations.search() method with the filter domain:[company.com]. The response will contain the metadata of the Organization resource, which includes the Organization ID.

Setting up your organization

If you're a G Suite or Cloud Identity customer, the Organization resource is provided to you automatically.

The G Suite or Cloud Identity super administrator is the first user who can access the organization upon creation. All other users will be able to use GCP as before. They'll be able to see the Organization resource, but they'll only be able to modify it after the correct permissions are set.

The G Suite or Cloud Identity super administrator and the GCP Organization admin are key roles during the setup process and for lifecycle control for the Organization resource. The two roles are generally assigned to different users, although this depends on the organization structure and needs.

G Suite or Cloud Identity super administrator responsibilities, in the context of GCP Organization setup, are:

  • Assigning the Organization admin role to some users
  • Being a point of contact in case of recovery issues
  • Controlling the lifecycle of the G Suite or Cloud Identity account and Organization resource as explained under Deleting an Organization resource

The Organization admin, once assigned, has the fundamental ability to assign IAM roles to other users. Following the principle of least privilege, the Organization admin does not have other permissions by default, but they can assign roles as needed. The responsibilities of the Organization admin are:

  • Defining IAM policies
  • Determining the structure of the Resource Hierarchy
  • Delegating responsibility over critical components such as Networking, Billing, Resource Hierarchy through IAM roles

Having two distinct roles ensures separation of duties between the G Suite or Cloud Identity super administrator and the GCP Organization admin. This is often a requirement as the two Google products are typically managed by different departments in the customer’s organization.

To begin actively using the Organization resource, follow the steps below to add an Organization Admin:

Adding an organization admin

Console


To add an Organization admin:

  1. Log in to the Google Cloud Platform Console as the G Suite or Cloud Identity super administrator.

  2. Go to the IAM & Admin section for the organization and assign the Resource Manager->Organization Administrator role to one or more users in the domain, as explained in Adding an Organization administrator.

  3. At this point the Organization admin can take full control of the organization and separation of responsibilities between G Suite or Cloud Identity super administrator and GCP administrator is established.

  4. The Organization admin can delegate responsibility over critical functions by assigning the relevant IAM roles.

As explained in Acquiring an Organization resource, upon creation, the entire domain is granted Project Creator and Billing Account Creator roles at the organization level by default. This ensures that no disruption is caused to GCP users when the Organization resource is created. As the Organization admin takes control, they may want to remove these Organization level permissions to start locking down access at a finer granularity (for instance, at the folder or project level). Note that, because IAM policies are inherited down the hierarchy, having Project Creator role assigned to the entire domain (domain:mycompany.com) at the organization level implies that every user in the domain can create projects anywhere in the hierarchy.

Creating projects in your organization

Console


You can create a project in the organization using the Cloud Platform Console after the Organization resource is enabled for your domain.

To create a new project in the organization:

  1. Go to the Google Cloud Platform Console.

  2. On the top bar, click the drop-down to bring up the project selection dialog. By default, this displays the name of the project you're currently viewing, if any.
  3. In the Select dialog that appears, click Create project on the right side.
  4. In the New Project window that appears, enter a project name and select a billing account and organization as applicable.
  5. When you're finished entering new project details, click Create.

API


You can create a new project in the organization by creating a project and setting its parent field to the organizationId of the organization.

The following code snippet demonstrates how to create a project in an organization:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

# Resource Manager v1 client built with Application Default Credentials.
credentials = GoogleCredentials.get_application_default()
crm = discovery.build('cloudresourcemanager', 'v1', credentials=credentials)

# flags.projectId and flags.organizationId are parsed from the command line
# earlier in the script; the project ID must be globally unique.
project = crm.projects().create(
    body={
        'project_id': flags.projectId,
        'name': 'My New Project',
        'parent': {
            'type': 'organization',
            'id': flags.organizationId
        }
    }).execute()

Viewing projects in an Organization

Users can only view and list projects they have access to via IAM roles. The Organization Admin can view and list all projects in the organization.

Console


To view all projects in an organization using the Cloud Platform Console:

  1. Go to the Google Cloud Platform Console.

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization.

  4. Click the Project drop-down on top of the page and then click View more projects. All projects in the organization are listed on the page.

The No organization option in the Organization drop-down lists the following projects:

  • Projects that do not belong to the Organization yet.
  • Projects the user has access to, but that are under an Organization to which the user does not have access.

gcloud


To view all projects in an organization, run the following command:

gcloud projects list --filter 'parent.id=[ORGANIZATION_ID] AND \
    parent.type=organization'

API


Use the projects.list() method to list all the projects in an organization, as shown in the following code snippet:

# crm is the Resource Manager client built in the previous snippet.
project_filter = 'parent.type:organization parent.id:%s' % flags.organizationId
response = crm.projects().list(filter=project_filter).execute()
# Results are paginated: 'projects' holds this page, 'nextPageToken' any further page.
projects = response.get('projects', [])

Deleting an Organization resource

The Organization resource is bound to your G Suite or Cloud Identity account.

If you would simply prefer not to use the Organization resource, we recommend restoring the Organization's IAM policy to the original state using the following steps:

  1. Add your domain to the Project Creator and Billing Account Creator roles.
  2. Remove all other entries in the Organization's IAM policy.

This will allow your users to continue to create Projects and Billing Accounts while allowing the G Suite or Cloud Identity Super Admin to recover central administration later, if desired.
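The following is an added example, not Google's code, covering both the lock-down described under Adding an organization admin (removing the domain-wide Project Creator and Billing Account Creator grants) and the two restore steps above. It works on an IAM policy dict of the shape organizations.getIamPolicy() returns; the sample policy, domain and etag are constructed.

```python
# Roles granted to the whole domain at the organization level when the
# Organization resource is created (see above).
DEFAULT_DOMAIN_ROLES = (
    'roles/resourcemanager.projectCreator',
    'roles/billing.creator',
)

# Constructed sample in the shape organizations.getIamPolicy() returns.
SAMPLE_POLICY = {
    'etag': 'BwWConstructedEtag=',
    'bindings': [
        {'role': 'roles/resourcemanager.organizationAdmin',
         'members': ['user:alice@mycompany.com']},
        {'role': 'roles/resourcemanager.projectCreator',
         'members': ['domain:mycompany.com', 'group:platform@mycompany.com']},
        {'role': 'roles/billing.creator',
         'members': ['domain:mycompany.com']},
    ],
}

def domain_wide_roles(policy, domain):
    """Roles granted to every user in the domain; inherited by all folders and projects."""
    member = 'domain:%s' % domain
    return sorted(b['role'] for b in policy.get('bindings', [])
                  if member in b.get('members', []))

def lock_down(policy, domain, roles=DEFAULT_DOMAIN_ROLES):
    """Copy of policy with the domain removed from the default creator roles."""
    member = 'domain:%s' % domain
    # Keep etag and other fields so setIamPolicy rejects a stale write.
    hardened = {k: v for k, v in policy.items() if k != 'bindings'}
    hardened['bindings'] = []
    for binding in policy.get('bindings', []):
        members = list(binding.get('members', []))
        if binding['role'] in roles:
            members = [m for m in members if m != member]
        if members:  # drop bindings left without any member
            hardened['bindings'].append({'role': binding['role'], 'members': members})
    return hardened

def restore_defaults(policy, domain, roles=DEFAULT_DOMAIN_ROLES):
    """Copy of policy holding only the original domain-wide creator grants."""
    return {'etag': policy.get('etag'),
            'bindings': [{'role': r, 'members': ['domain:%s' % domain]} for r in roles]}

# With the crm client from the API snippets above, apply either result:
#   name = 'organizations/%s' % organization_id
#   policy = crm.organizations().getIamPolicy(resource=name, body={}).execute()
#   crm.organizations().setIamPolicy(resource=name,
#       body={'policy': lock_down(policy, 'mycompany.com')}).execute()
```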

If in fact you wish to delete your Organization and all the resources associated with it, delete your G Suite or Cloud Identity account.
