Creating and managing organization resources

The organization resource is the root node in the Google Cloud resource hierarchy and is the hierarchical super node of projects. This page explains how to acquire and manage an organization resource.

Before you begin

Read an overview of the organization resource.

Getting an organization resource

An organization resource is available for Google Workspace and Cloud Identity customers:

Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:

  • If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
  • If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under "No organization", and this is normal. The organization resource will appear and the new project you created will be linked to it automatically.

    You will need to move any projects you created under "No organization" into your new organization resource. For instructions on how to move your projects, see Migrating projects into an organization resource.

The organization resource that is created will be linked to your Google Workspace or Cloud Identity account with the project or billing account you created set as a child resource. All projects and billing accounts created under your Google Workspace or Cloud Identity domain will be children of this organization resource.

Each Google Workspace or Cloud Identity account is associated with exactly one organization resource. An organization resource is associated with exactly one domain, which is set when the organization resource is created.

When the organization resource is created, we communicate its availability to the Google Workspace or Cloud Identity super admins. These super admin accounts should be used carefully because they have a lot of control over your organization resource and all the resources underneath it. For this reason, we recommend against using Google Workspace or Cloud Identity super admin accounts for day-to-day management of your organization resource. For more information about using Google Workspace or Cloud Identity super admin accounts in Google Cloud, see Super Admin Best Practices.

To actively adopt the organization resource, the Google Workspace or Cloud Identity super admins need to assign the Organization Administrator (roles/resourcemanager.organizationAdmin) Identity and Access Management (IAM) role to a user or group. For steps on setting up your organization resource, see Setting up your organization resource.

  • When the organization resource is created, all users in your domain are automatically granted Project Creator (roles/resourcemanager.projectCreator) and Billing Account Creator (roles/billing.creator) IAM roles at the organization resource level. This enables users in your domain to continue creating projects with no disruption.
  • The Organization Administrator will decide when they want to start actively using the organization resource. They can then change the default permissions and enforce more restrictive policies as needed.
  • If the organization resource is available and you don't have the IAM permissions to view it, you can still create projects and billing accounts. These are automatically created under the organization resource, even if you can't see it.

Getting your organization resource ID

The organization resource ID is a unique identifier for an organization resource and is automatically created when your organization resource is created. Organization resource IDs are formatted as decimal numbers, and cannot have leading zeroes.

You can get your organization resource ID using the Google Cloud console, the gcloud CLI, or the Cloud Resource Manager API.

console

To get your organization resource ID using the Google Cloud console, do the following:

  1. Go to the Google Cloud console.
  2. From the project picker at the top of the page, select your organization resource.
  3. On the right side, click More, and then click Settings.

The Settings page displays your organization resource ID.

gcloud

To find your organization resource ID, run the following command:

gcloud organizations list

This command lists all the organization resources to which you belong, along with their organization resource IDs.

API

To find your organization resource ID using the Cloud Resource Manager API, use the organizations.search() method, including a query for your domain. For example:

GET https://cloudresourcemanager.googleapis.com/v3/organizations:search?query=domain:altostrat.com

The response contains the metadata of the organization resource that belongs to altostrat.com, which includes the organization resource ID.
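The following added example (not code from the Google Cloud documentation) shows how a script would build the organizations.search request URL for a domain query and then pull the organization resource ID out of the response, checking it against the ID format described above (a decimal number with no leading zeros). It relies only on the documented v3 request shape (a GET with a query parameter) and the documented Organization fields name and displayName; the response body is a constructed sample with made-up values.

```python
import re
from urllib.parse import quote

# Added example; not from the Google Cloud documentation.
API_BASE = "https://cloudresourcemanager.googleapis.com/v3"

# Organization resource IDs are decimal numbers without leading zeros.
ORG_ID_RE = re.compile(r"[1-9][0-9]*")


def build_search_url(domain: str) -> str:
    """Return the organizations.search request URL for a `domain:` query."""
    # Percent-encode the query value so the ':' in "domain:<name>" survives
    # intact in the URL (quote() leaves '.' and alphanumerics as-is).
    return f"{API_BASE}/organizations:search?query={quote('domain:' + domain, safe='')}"


def organization_id_from_search(response: dict, domain: str) -> str:
    """Extract the numeric organization resource ID for `domain`.

    `response` is the decoded JSON body of organizations.search. Each entry's
    `name` has the form "organizations/<ID>" and `displayName` is the primary
    domain of the Google Workspace or Cloud Identity account.
    """
    for org in response.get("organizations", []):
        if org.get("displayName") != domain:
            continue
        prefix, _, org_id = org.get("name", "").partition("/")
        if prefix != "organizations" or not ORG_ID_RE.fullmatch(org_id):
            raise ValueError(f"unexpected organization name: {org.get('name')!r}")
        return org_id
    raise LookupError(f"no organization resource found for {domain}")


# Constructed sample response in the shape the API returns; all values are made up.
SAMPLE_RESPONSE = {
    "organizations": [
        {
            "name": "organizations/123456789012",
            "displayName": "altostrat.com",
            "directoryCustomerId": "C01abcdef",
            "state": "ACTIVE",
        }
    ]
}

if __name__ == "__main__":
    print(build_search_url("altostrat.com"))
    print(organization_id_from_search(SAMPLE_RESPONSE, "altostrat.com"))
```

In a real run the URL would be fetched with a bearer token for a principal that has resourcemanager.organizations.get on the organization resource; the parsing and validation steps are the same.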

Setting up your organization resource

If you're a Google Workspace or Cloud Identity customer, an organization resource is provided to you automatically.

The Google Workspace or Cloud Identity super administrators are the first users who can access the organization resource upon creation. All other users or groups will be able to use Google Cloud as before. They'll be able to see the organization resource, but they'll only be able to modify it after the correct permissions are set.

The Google Workspace or Cloud Identity super administrators and the Google Cloud Organization Administrator are key roles during the setup process and for lifecycle control for the organization resource. The two roles are generally assigned to different users or groups, although this depends on the organization resource's structure and needs.

Google Workspace or Cloud Identity super administrator responsibilities, in the context of Google Cloud organization resource setup, are:

  • Assigning the Organization Administrator role to some users
  • Being a point of contact in case of recovery issues
  • Controlling the lifecycle of the Google Workspace or Cloud Identity account and organization resource as explained under Deleting an organization resource

The Organization Administrator, once assigned, can assign Identity and Access Management roles to other users. The responsibilities of the Organization Administrator role are:

  • Defining IAM policies and granting IAM roles to other users.
  • Viewing the structure of the resource hierarchy.

Following the principle of least privilege, this role does not include the permission to perform other actions, such as creating folders or projects. To get these permissions, an Organization Administrator must assign additional roles to their account.

Having two distinct roles ensures separation of duties between the Google Workspace or Cloud Identity super administrators and the Google Cloud Organization Administrator. This is often a requirement as the two Google products are typically managed by different departments in the customer’s organization.

To begin actively using the organization resource, follow the steps below to add an Organization Administrator:

Adding an Organization Administrator

Console

To add an Organization Administrator:

  1. Sign in to the Google Cloud console as a Google Workspace or Cloud Identity super administrator and navigate to the IAM & Admin page.

  2. Select the organization resource you want to edit:

    1. Click the project drop-down list at the top of the page.

    2. In the Select from dialog, click the organization drop-down list, and select the organization resource to which you want to add an Organization Administrator.

    3. On the list that appears, click the organization resource to open its IAM Permissions page.

  3. Click Add, and then enter the email address of one or more users you want to set as Organization Administrators.

  4. In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

    The Organization Administrator can do the following:

    • Take full control of the organization resource. Separation of responsibilities between Google Workspace or Cloud Identity super administrator and Google Cloud administrator is established.

    • Delegate responsibility over critical functions by assigning the relevant IAM roles.

As explained in Acquiring an organization resource, upon creation, all users in the domain are granted Project Creator and Billing Account Creator roles at the organization resource level by default. This ensures that no disruption is caused to Google Cloud users when the organization resource is created. As the Organization Administrator takes control, they might want to remove these organization-level permissions to start locking down access at a finer granularity (for instance, at the folder or project level). Note that, because IAM policies are inherited down the hierarchy, having the Project Creator role assigned to the entire domain (domain:mycompany.com) at the organization resource level implies that every user in the domain can create projects anywhere in the hierarchy.

Creating projects in your organization resource

Console


You can create a project in the organization resource using the Google Cloud console after the organization resource is enabled for your domain.

To create a new project in the organization resource, do the following:

  1. Go to the Manage resources page in the Google Cloud console.

  2. On the Select organization drop-down list at the top of the page, select the organization resource in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
  5. Enter the parent organization or folder resource in the Location box. That resource will be the hierarchical parent of the new project. If No organization is an option, you can select it to create your new project as the top level of its own resource hierarchy.
  6. When you're finished entering new project details, click Create.

API


You can create a new project in the organization resource by creating a project and setting its parent field to the organizationId of the organization resource.

The following code snippet demonstrates how to create a project in an organization resource:

...

from googleapiclient import discovery

# Build a client for the v1 Resource Manager API using Application Default
# Credentials. `flags` is assumed to hold the parsed command-line arguments
# (projectId and organizationId), as elsewhere in this snippet.
crm = discovery.build('cloudresourcemanager', 'v1')

project = crm.projects().create(
    body={
        'project_id': flags.projectId,
        'name': 'My New Project',
        # Setting the parent to the organization resource places the new
        # project directly under it in the resource hierarchy.
        'parent': {
            'type': 'organization',
            'id': flags.organizationId
        }
    }).execute()

...

Viewing projects in an organization resource

Users can only view and list projects they have access to via IAM roles. The Organization Administrator can view and list all projects in the organization resource.

Console


To view all projects in an organization resource using the Google Cloud console:

  1. Go to the Google Cloud console.

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization resource.

  4. Click Project drop-down on top of the page and then click View more projects. All projects in the organization resource are listed on the page.

The No organization option in the Organization drop-down lists the following projects:

  • Projects that do not belong to the organization resource yet.
  • Projects the user has access to, but that are under an organization resource the user cannot access.

gcloud


To view all projects in an organization resource, run the following command:

gcloud projects list --filter 'parent.id=[ORGANIZATION_ID] AND \
    parent.type=organization'

API


Use the projects.list() method to list all the projects under a parent resource, as shown in the following code snippet:

...

filter = 'parent.type:organization parent.id:%s' % flags.organizationId
projects = crm.projects().list(filter=filter).execute()

...

Deleting an organization resource

The organization resource is bound to your Google Workspace or Cloud Identity account.

If you would prefer not to use the organization resource, we recommend restoring the organization resource's IAM policy to the original state using the following steps:

  1. Add your domain to the Project Creator and Billing Account Creator roles.
  2. Remove all other entries in the organization resource's IAM policy.

This will allow your users to continue to create Projects and Billing Accounts while allowing the Google Workspace or Cloud Identity super admins to recover central administration later.
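The following added example (not code from the Google Cloud documentation) works through the two IAM policy operations described on this page: the lock-down the Organization Administrator may perform after taking control (removing the domain-wide Project Creator and Billing Account Creator grants that exist by default), and the reverse operation given in the two steps above, which restores the policy to its original state. The functions operate on the policy JSON shape returned by organizations.getIamPolicy (bindings of role to members, plus an etag); the sample policy and its principals are constructed and the domain mycompany.com is a placeholder.

```python
from __future__ import annotations

import copy

# Added example; not from the Google Cloud documentation.
PROJECT_CREATOR = "roles/resourcemanager.projectCreator"
BILLING_CREATOR = "roles/billing.creator"
DEFAULT_DOMAIN_ROLES = (PROJECT_CREATOR, BILLING_CREATOR)
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def domain_wide_grants(policy: dict) -> list[tuple[str, str]]:
    """List (role, member) pairs granted to a whole domain or to everyone.

    Because IAM policies are inherited down the hierarchy, a domain-wide grant
    at the organization resource applies to every folder and project under it,
    so these are the bindings to review first.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("domain:") or member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def without_domain_default_grants(policy: dict, domain: str) -> dict:
    """Lock-down step: remove only the domain-wide Project Creator and Billing
    Account Creator grants, leaving every other binding as it is."""
    locked = copy.deepcopy(policy)  # never mutate the caller's copy
    member = f"domain:{domain}"
    kept = []
    for binding in locked.get("bindings", []):
        if binding["role"] in DEFAULT_DOMAIN_ROLES:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # drop bindings left with no members
            kept.append(binding)
    locked["bindings"] = kept
    return locked


def restored_default_policy(policy: dict, domain: str) -> dict:
    """Restore step (steps 1 and 2 above): the domain keeps only Project
    Creator and Billing Account Creator; every other binding is removed.

    The etag from the policy that was read is carried over so that a
    subsequent setIamPolicy call fails instead of silently overwriting a
    concurrent change.
    """
    restored = {
        "bindings": [
            {"role": role, "members": [f"domain:{domain}"]}
            for role in DEFAULT_DOMAIN_ROLES
        ]
    }
    if "etag" in policy:
        restored["etag"] = policy["etag"]
    return restored


# Constructed sample policy; the principals and etag are made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@mycompany.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:mycompany.com", "user:alice@mycompany.com"]},
        {"role": "roles/billing.creator",
         "members": ["domain:mycompany.com"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "BwXYZexample=",
}

if __name__ == "__main__":
    for role, member in domain_wide_grants(SAMPLE_POLICY):
        print(f"domain-wide or public grant: {member} -> {role}")
    print(without_domain_default_grants(SAMPLE_POLICY, "mycompany.com"))
    print(restored_default_policy(SAMPLE_POLICY, "mycompany.com"))
```

In practice the policy is read with organizations.getIamPolicy, transformed with one of these functions, and written back with organizations.setIamPolicy; keeping the etag in the written policy is what turns a lost-update race into an explicit error.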

If you delete your Google Workspace account, it will delete your organization resource and all resources associated with it. Therefore, if you want to delete your organization resource, you can do so by deleting your Google Workspace account. For Cloud Identity users, cancel all other Google services, then delete your Google account. This is potentially a very damaging action that might be impossible to fully reverse, so it is recommended to only take this action if you are certain there are no resources in active use.
