Creating and Managing Organizations

The Organization resource is the root node in the Google Cloud Platform resource hierarchy and is the hierarchical super node of projects. This page explains how to acquire and manage an Organization resource.

Before you begin

Read an overview of the Organization resource.

Acquiring an Organization resource

An Organization resource is available for both G Suite and Cloud Identity customers:

  • G Suite:
    • The first time a user in your domain creates a project or billing account, the Organization resource is automatically created and linked to your company’s G Suite account. The current project and all future projects will automatically belong to the organization.
    • For information about how to migrate pre-existing projects, see Migrating existing projects.
  • Cloud Identity: You can use a free Cloud Identity account to create an Organization resource. Learn About Cloud Identity.

If you aren't a G Suite or Cloud Identity customer, contact our sales team to verify your domain for Google Cloud and create the Organization resource.

When the Organization resource is created, we communicate its availability to the G Suite or Cloud Identity super admins. To actively adopt the Organization resource, the G Suite or Cloud Identity super admins need to assign the Organization Administrator IAM role to some user or group. See Setting up your organization for how to set up your organization.

By default, when the organization is created, all users in your domain are granted Project Creator and Billing Account Creator IAM roles at the organization level. This ensures that users in your domain will be able to continue creating projects as they did before and no disruption occurs.

The Organization Administrator will decide when they want to start actively using the organization. They can then change the default permissions and enforce more restrictive policies as needed.

If the organization is available but not visible to you due to missing IAM permissions, you'll still be able to create projects and billing accounts. These are automatically created under the Organization resource, even though that may not be apparent.

Retrieving your organization ID

The organization ID is a unique identifier for an organization and is automatically created when your Organization resource is created.

You can find your organization ID using the GCP Console, the gcloud tool, or the Resource Manager API.

Console

To find your organization ID using GCP Console:

  1. Go to the Google Cloud Platform Console.

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization in the organization drop-down and then select Settings. The Organization ID is displayed in the Settings page.

gcloud

To find your organization ID, run the following command:

gcloud organizations list

This lists every organization you have access to, together with its organization ID.

API

To find your organization ID using the Resource Manager API, call the organizations.search() method with the filter domain:[company.com], where company.com is your G Suite or Cloud Identity domain. The response contains the metadata of the Organization resource; its name field has the form organizations/[ORGANIZATION_ID], and the numeric part is the Organization ID.

Setting up your organization

If you're a G Suite or Cloud Identity customer, the Organization resource is provided to you automatically.

The G Suite or Cloud Identity super administrators are the first users who can access the organization upon creation. All other users or groups will be able to use GCP as before. They'll be able to see the Organization resource, but they'll only be able to modify it after the correct permissions are set.

The G Suite or Cloud Identity super administrators and the GCP Organization admin are key roles during the setup process and for lifecycle control for the Organization resource. The two roles are generally assigned to different users or groups, although this depends on the organization structure and needs.

G Suite or Cloud Identity super administrator responsibilities, in the context of GCP Organization setup, are:

  • Assigning the Organization admin role to some users
  • Being a point of contact in case of recovery issues
  • Controlling the lifecycle of the G Suite or Cloud Identity account and Organization resource as explained under Deleting an Organization resource

The Organization admin, once assigned, can assign IAM roles to other users. Following the principle of least privilege, the Organization admin by default does not have other permissions like billing or organization role administration. The responsibilities of the Organization admin are:

  • Defining IAM policies
  • Determining the structure of the Resource Hierarchy
  • Delegating responsibility over critical components such as Networking, Billing, Resource Hierarchy through IAM roles

Having two distinct roles ensures separation of duties between the G Suite or Cloud Identity super administrators and the GCP Organization admin. This is often a requirement as the two Google products are typically managed by different departments in the customer’s organization.

To begin actively using the Organization resource, follow the steps below to add an Organization Admin:

Adding an organization admin

Console

To add an Organization admin:

  1. Log in to the Google Cloud Platform Console as a G Suite or Cloud Identity super administrator.

  2. Go to the IAM & Admin section for the organization and assign the Resource Manager > Organization Administrator role (roles/resourcemanager.organizationAdmin) to one or more users or groups in the domain, as explained in Granting access to an organization. Prefer a group, so that membership is managed in one place.

  3. At this point the Organization admin can take full control of the organization, and separation of responsibilities between the G Suite or Cloud Identity super administrator and the GCP administrator is established.

  4. The Organization admin can delegate responsibility over critical functions by assigning the relevant IAM roles.

As explained in Acquiring an Organization resource, upon creation all users in the domain are granted the Project Creator and Billing Account Creator roles at the organization level by default, so that the appearance of the Organization resource disrupts nobody. As the Organization admin takes control, they will typically remove these organization-level grants and re-grant the roles at a finer granularity (for instance, to specific groups at the folder or project level). Note that, because IAM policies are inherited down the hierarchy, a Project Creator grant to the entire domain (domain:mycompany.com) at the organization level means every user in the domain can create projects under any folder in the organization; a policy set lower in the hierarchy can add permissions but cannot take that inherited grant away.

Creating projects in your organization

Console

You can create a project in the organization using the GCP Console after the Organization resource is enabled for your domain.

To create a new project in the organization:

  1. Go to the GCP Console Manage resources page.
  2. On the drop-down at the top of the page, select the organization in which you want to create a project.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable.
  5. If you want to add the project to a folder, enter the folder name in the Location box.
  6. When you're finished entering new project details, click Create.

API

You can create a new project in the organization by creating a project and setting its parent field to the organizationId of the organization.

The following code snippet demonstrates how to create a project in an organization:

...

from googleapiclient import discovery

# Resource Manager v1 client using Application Default Credentials. The caller
# needs resourcemanager.projects.create on the organization (Project Creator).
# `flags` holds the parsed command-line arguments, as in Google's sample programs.
crm = discovery.build('cloudresourcemanager', 'v1')

# projects.create returns a long-running Operation, not the project itself; the
# project is usable once operations.get reports done=True.
operation = crm.projects().create(
    body={
        'projectId': flags.projectId,      # globally unique, 6-30 lowercase characters
        'name': 'My New Project',
        'parent': {
            'type': 'organization',
            'id': flags.organizationId     # numeric organization ID
        }
    }).execute()

...

Viewing projects in an Organization

Users can only view and list projects they have access to via IAM roles. The Organization Admin can view and list all projects in the organization.

Console

To view all projects in an organization using the GCP Console:

  1. Go to the Google Cloud Platform Console.

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization.

  4. Click the Project drop-down at the top of the page, then click View more projects. All projects in the organization are listed on the page.

The No organization option in the Organization drop-down lists the following projects:

  • Projects that do not belong to an Organization yet (pre-existing projects that have not been migrated).
  • Projects the user has access to, but that sit under an Organization the user cannot see.

gcloud

To view all projects whose parent is the organization, run the following command:

gcloud projects list --filter 'parent.id=[ORGANIZATION_ID] AND \
    parent.type=organization'

The filter matches only projects whose immediate parent is the organization itself. Projects placed in folders have parent.type=folder, so they need their own query keyed on the folder ID.

API

Use the projects.list() method to list the projects whose parent is the organization, as shown in the following code snippet. Responses are paged: follow nextPageToken until the response no longer contains one to get the complete list.

...

from googleapiclient import discovery

crm = discovery.build('cloudresourcemanager', 'v1')

# Only projects whose immediate parent is the organization match this filter;
# projects inside folders have parent.type:folder. The result is the first page
# only; re-issue the call with pageToken=response['nextPageToken'] for the rest.
project_filter = 'parent.type:organization parent.id:%s' % flags.organizationId
projects = crm.projects().list(filter=project_filter).execute()

...
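The following is an added example, not code from the original page or from the Resource Manager client library. It ties together the organizations.search() lookup from Retrieving your organization ID and the projects.list() call above: it follows nextPageToken until the list is complete, then groups the projects by immediate parent so that projects outside the organization (the Console's "No organization" set) and projects hidden inside folders stand out. The client `crm` is assumed to be discovery.build('cloudresourcemanager', 'v1'); find_organization_id is the only function that touches the network, and the organization ID, folder ID, domain and project records are constructed for the offline run.

```python
"""Find an organization ID and inventory the projects under it with the
Resource Manager v1 API (added example, not from the original page or the
client library). `crm` is assumed to be
discovery.build('cloudresourcemanager', 'v1'); IDs and records are constructed."""


def organization_id_from_name(name):
    """'organizations/123456789012' -> '123456789012'."""
    prefix = 'organizations/'
    if not name.startswith(prefix) or not name[len(prefix):].isdigit():
        raise ValueError('not an organization resource name: %r' % name)
    return name[len(prefix):]


def find_organization_id(crm, domain):
    """organizations.search() is a POST in v1; the domain filter goes in the body."""
    response = crm.organizations().search(body={'filter': 'domain:%s' % domain}).execute()
    orgs = response.get('organizations', [])
    if len(orgs) != 1:
        raise LookupError('%d organizations matched %s' % (len(orgs), domain))
    return organization_id_from_name(orgs[0]['name'])


def iter_pages(fetch_page, **params):
    """Call fetch_page(**params) and follow nextPageToken until none is returned.
    For the live API: fetch_page = lambda **p: crm.projects().list(**p).execute()"""
    page_token = None
    while True:
        if page_token:
            params['pageToken'] = page_token
        page = fetch_page(**params)
        yield page
        page_token = page.get('nextPageToken')
        if not page_token:
            return


def collect_projects(fetch_page, **params):
    """Concatenate the `projects` arrays of every page."""
    projects = []
    for page in iter_pages(fetch_page, **params):
        projects.extend(page.get('projects', []))
    return projects


def classify_by_parent(projects, organization_id):
    """Group by immediate parent. Folder children need projects.getAncestry()
    to confirm their organization; no_parent is the Console's "No organization"."""
    groups = {'direct_child': [], 'in_folder': [], 'other_organization': [], 'no_parent': []}
    for project in projects:
        parent = project.get('parent')
        if parent is None:
            groups['no_parent'].append(project['projectId'])
        elif parent['type'] == 'folder':
            groups['in_folder'].append(project['projectId'])
        elif parent['type'] == 'organization' and parent['id'] == organization_id:
            groups['direct_child'].append(project['projectId'])
        else:
            groups['other_organization'].append(project['projectId'])
    return groups


# Constructed sample: two pages as an unfiltered projects.list() returns them,
# i.e. every project the caller can see, not only the organization's.
SAMPLE_ORG_ID = '123456789012'
SAMPLE_PAGES = [
    {'projects': [
        {'projectId': 'prod-api', 'lifecycleState': 'ACTIVE',
         'parent': {'type': 'organization', 'id': SAMPLE_ORG_ID}},
        {'projectId': 'team-sandbox', 'lifecycleState': 'ACTIVE',
         'parent': {'type': 'folder', 'id': '987654321098'}},
    ], 'nextPageToken': 'page-2'},
    {'projects': [
        {'projectId': 'legacy-test', 'lifecycleState': 'ACTIVE'},
        {'projectId': 'partner-shared', 'lifecycleState': 'ACTIVE',
         'parent': {'type': 'organization', 'id': '555555555555'}},
    ]},
]


def canned_fetch_page(pages):
    """Offline stand-in for the live fetch: serves constructed pages by pageToken."""
    by_token, token = {}, None
    for page in pages:
        by_token[token] = page
        token = page.get('nextPageToken')
    return lambda **params: by_token[params.get('pageToken')]


def sample_inventory():
    projects = collect_projects(canned_fetch_page(SAMPLE_PAGES))
    return classify_by_parent(projects, SAMPLE_ORG_ID)
```

Against the live API, replace canned_fetch_page(SAMPLE_PAGES) with lambda **p: crm.projects().list(**p).execute() and pass filter='parent.type:organization parent.id:%s' % org_id to collect_projects when you only want direct children. Remember that projects.list() returns only what the caller is permitted to see; run it as the Organization admin to get the full picture.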

Deleting an Organization resource

The Organization resource is bound to your G Suite or Cloud Identity account.

If you would simply prefer not to use the Organization resource, we recommend restoring the Organization's IAM policy to the original state using the following steps:

  1. Add your domain (domain:[company.com]) to the Project Creator and Billing Account Creator roles.
  2. Remove all other entries in the Organization's IAM policy.

This will allow your users to continue to create Projects and Billing Accounts while allowing the G Suite or Cloud Identity super admins to recover central administration later, if desired.

If in fact you wish to delete your Organization and all the resources associated with it, delete your G Suite or Cloud Identity account.
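The following is an added example, not code from the original page or from the Resource Manager client library. It implements both directions of the organization IAM policy change this page describes: the lockdown an Organization admin performs under Adding an organization admin (remove the domain-wide Project Creator and Billing Account Creator grants while keeping narrower grants in the same roles), and the restore to the default policy described above (only the domain in those two roles, every other binding removed). Both transforms are pure functions over the policy document returned by organizations.getIamPolicy, so they run offline against a constructed sample; apply_policy is the only function that talks to the API and assumes `crm` is a Resource Manager v1 client. The domain example.com, the group names and the etag are constructed.

```python
"""Lock down or restore the default creator grants in an organization's IAM
policy (added example, not from the original page or the client library).
`crm` is assumed to be discovery.build('cloudresourcemanager', 'v1');
the sample policy, domain and groups below are constructed."""
import copy

PROJECT_CREATOR = 'roles/resourcemanager.projectCreator'
BILLING_CREATOR = 'roles/billing.creator'
DEFAULT_ROLES = (PROJECT_CREATOR, BILLING_CREATOR)
# Principals that mean "the whole domain" or "everyone": the grants an
# Organization admin removes when locking down.
BROAD_PREFIXES = ('domain:', 'allUsers', 'allAuthenticatedUsers')


def broad_creator_grants(policy):
    """(role, member) pairs where a creator role is held by a whole domain or
    an all-users principal. Empty means the organization is locked down."""
    found = []
    for binding in policy.get('bindings', []):
        if binding['role'] in DEFAULT_ROLES:
            for member in binding.get('members', []):
                if member.startswith(BROAD_PREFIXES):
                    found.append((binding['role'], member))
    return found


def lock_down(policy):
    """Copy of the policy without the broad creator grants; bindings left
    without members are dropped, narrower grants in the same roles survive.
    The etag is kept so setIamPolicy rejects the write if the policy changed
    between get and set."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get('bindings', []):
        if binding['role'] in DEFAULT_ROLES:
            binding['members'] = [m for m in binding.get('members', [])
                                  if not m.startswith(BROAD_PREFIXES)]
        if binding.get('members'):
            kept.append(binding)
    new_policy['bindings'] = kept
    return new_policy


def restore_defaults(policy, domain):
    """The original-state policy from Deleting an Organization resource: only
    the domain holds the two creator roles; everything else, including the
    Organization Administrator grant, is removed."""
    return {
        'etag': policy['etag'],
        'bindings': [{'role': role, 'members': ['domain:%s' % domain]}
                     for role in DEFAULT_ROLES],
    }


def apply_policy(crm, organization_id, transform, *args):
    """Read-modify-write against the live organization (network calls)."""
    resource = 'organizations/%s' % organization_id
    current = crm.organizations().getIamPolicy(resource=resource, body={}).execute()
    return crm.organizations().setIamPolicy(
        resource=resource, body={'policy': transform(current, *args)}).execute()


# Constructed sample of a freshly created organization's policy after the
# super admin has assigned an Organization admin group.
SAMPLE_POLICY = {
    'etag': 'BwWKmjvelug=',
    'bindings': [
        {'role': 'roles/resourcemanager.organizationAdmin',
         'members': ['group:gcp-org-admins@example.com']},
        {'role': PROJECT_CREATOR,
         'members': ['domain:example.com', 'group:platform-team@example.com']},
        {'role': BILLING_CREATOR, 'members': ['domain:example.com']},
    ],
}
```

Usage against a real organization is apply_policy(crm, org_id, lock_down) or apply_policy(crm, org_id, restore_defaults, 'example.com'); run broad_creator_grants on the returned policy afterwards to confirm the result. Keeping the etag from the read in the write is what makes the sequence safe against a concurrent edit by another admin.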
