Managing Multiple Organizations

The Organization node establishes ownership of the projects and folders underneath it in the Google Cloud Platform resource hierarchy. Your G Suite or Cloud Identity account is associated with exactly one Organization node. Each G Suite or Cloud Identity account is also associated with a single domain, such as example.com.

It's best to use folders under one Organization node for most use cases. If you want to maintain sub-organizations or departments within your company as isolated entities with no central administration, you can set up multiple G Suite or Cloud Identity accounts. Each account will come with a single Organization node associated with one domain.

Effects of using multiple Organization nodes

Use multiple Organization nodes when you don't want users from one G Suite or Cloud Identity account to access resources created by users from another G Suite or Cloud Identity account. Separating resources into multiple Organization nodes comes with several consequences:

By default, no single user will have central visibility and control over all resources.
Policies that are common across sub-organizations will need to be replicated on each Organization node.
Moving projects and folders from one Organization node to another is not a self-serve operation, and will require a support request.
Each Organization node requires a G Suite account. Operating multiple Organization nodes therefore requires multiple G Suite accounts and the ability to manage identities across them.

Using a single Organization node

Most organizations that want to maintain separate sub-organizations can do so using a single Organization node and folders. If you have a single G Suite account, this account maps to the Organization node, and sub-organizations map to folders.

Choose an organization administrator

Choose one or more users to act as the Cloud IAM organization administrator for the Organization node.

Console

To add an Organization admin:

Sign in to the Google Cloud Platform Console as a G Suite or Cloud Identity super administrator and navigate to the IAM & Admin page:
Open the IAM & admin page
Select the organization you want to edit:
1. Click the project drop-down list at the top of the page.
2. In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization admin.
3. On the list that appears, click the organization to open its IAM Permissions page.
Click Add, and then enter the email address of one or more users you want to set as organization administrators.
In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

The Organization admin can do the following:
- Take full control of the organization. Separation of responsibilities between G Suite or Cloud Identity super administrator and GCP administrator is established.
- Delegate responsibility over critical functions by assigning the relevant Cloud IAM roles.

Create folders for sub-organizations

Create a folder under the Organization node for each sub-organization.

To create folders, you must have the Folder Admin or Folder Creator role at the parent level. For example, to create folders at the Organization level, you must have one of these roles at the Organization level.

As part of creating a folder, you must assign it a name. Folder names must meet the following requirements:

The name may contain letters, digits, spaces, hyphens and underscores.
The folder's display name must start and end with a letter or digit.
The name must be 30 characters or less.
The name must be distinct from all other folders that share its parent.

To create a folder:

console

Folders can be created in the UI using the "Manage Projects and Folders" section.

Go to the Manage resources page in the GCP Console:
Open the Manage resources page
Click Create folder.
In the Folder name box, enter your new folder's name.
Under Destination, click Browse, then select the organization node or folder under which you want to create your new folder.
1. Click Create.

gcloud

Folders can be created programmatically using the gcloud command-line tool.

To create a folder under the Organization resource using the gcloud command-line tool, run the following command.

gcloud alpha resource-manager folders create \
   --display-name=[DISPLAY_NAME] \
   --organization=[ORGANIZATION_ID]

To create a folder whose parent is another folder:

gcloud alpha resource-manager folders create \
   --display-name=[DISPLAY_NAME] \
   --folder=[FOLDER_ID]

Where:

[DISPLAY_NAME] is the folder's display name. No two folders with the same parent can share a display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores, and can be no longer than 30 characters.
[ORGANIZATION_ID]is the ID of the parent Organization if the parent is an Organization.
[FOLDER_ID] is the ID of the parent folder, if the parent is a folder.

API

Folders can be created with an API request.

The request JSON:

request_json= '{
  display_name: "[DISPLAY_NAME]"
}'

The Create Folder curl request:

curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer ${bearer_token}" \
-d "$request_json" \
https://cloudresourcemanager.googleapis.com/v2/folders?parent=[ORGANIZATION_NAME]

Where:

[DISPLAY_NAME] is the new folder's display name, for example "My Awesome Folder."
[ORGANIZATION_NAME] is the name of the organization under which you're creating the folder, for example organizations/123.

The Create Folder response:

{
  "name": "operations/fc.123456789",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
    "displayName": "[DISPLAY_NAME]",
    "operationType": "CREATE"
  }
}

The Get Operation curl request:

curl -H "Authorization: Bearer ${bearer_token}" \
https://cloudresourcemanager.googleapis.com/v1/operations/fc.123456789

The Get Operation response:

{
  "name": "operations/fc.123456789",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
    "displayName": "[DISPLAY_NAME]",
    "operationType": "CREATE"
  },
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.resourcemanager.v2.Folder",
    "name": "folders/12345",
    "parent": "organizations/123",
    "displayName": "[DISPLAY_NAME]",
    "lifecycleState": "ACTIVE",
    "createTime": "2017-07-19T23:29:26.018Z",
    "updateTime": "2017-07-19T23:29:26.046Z"
  }
}

Grant folder administrator roles

For each sub-organization folder you create, grant one or more users the Folder Admin role. These users will have administrative control over the folder and the sub-organization it represents.

To configure access to folders, you must have the Folder IAM Administrator or Folder Admin role at the parent level.

console

In the Google Cloud Platform Console, open the Manage Resources page.
Open the Manage Resources page
Click the Organization drop-down list in the upper left and then select your organization.
Select the checkbox next to the project for which you want to change permissions.
On the right side Info panel, under Permissions, enter the email addresses of the members you want to add.
In the Select a role drop-down list, select the role you want to grant to those members.
Click Add. A notification appears to confirm the addition or update of the members' new role.

gcloud

You can configure access to Folders programmatically using the gcloud command-line tool or the API.

gcloud alpha resource-manager folders \
  add-iam-policy-binding [FOLDER_ID] \
  --member=user:email1@example.com \
  --role=roles/resourcemanager.folderEditor

gcloud alpha resource-manager folders \
  add-iam-policy-binding [FOLDER_ID] \
  --member=user:email1@example.com \
  --role=roles/resourcemanager.folderViewer

Alternatively:

gcloud alpha resource-manager \
  folders set-iam-policy [FOLDER_ID] [POLICY_FILE]

Where:

[FOLDER_ID] is the new folder's ID.
[POLICY_FILE] is the path to a policy file for the folder.

API

SetsIamPolicy sets the access control policy on a folder, replacing any existing policy. The resource field should be the folder's resource name, for example, folders/1234.

 request_json= '{
   policy: {
     version: "1",
     bindings: [
       {
         role: "roles/resourcemanager.folderEditor",
         members: [
           "user:email1@example.com",
           "user:email2@example.com",
         ]
       }
     ]
   }
 }'

The curl request:

   curl -X POST -H "Content-Type: application/json" \
   -H "Authorization: Bearer ${bearer_token}" \
   -d "$request_json" \
   https://cloudresourcemanager.googleapis.com/v2/[FOLDER_NAME]:setIamPolicy

Where:

[FOLDER_NAME] is the name of the folder whose IAM policy is being set, for example folders/123.

Restricting sub-organization roles

Each Folder Admin can restrict the Project Creator role to members of its sub-organization. They can remove the domain from the Project Creator role in the Organization node's IAM policy as well.

G Suite super administrators have irrevocable organization administrator privileges. These super admins typically manage the identities and identity policies, rather than managing GCP resources and resource policies.

Console

To remove the roles assigned to users by default using the Google Cloud Platform Console:

Go to the Manage resources page in the GCP Console:
Open the Manage resources page
Click the Organization drop-down list at the top of the page and then select your organization.
Select the check box for the Organization resource for which you want to change permissions. If you do not have a Folder resource, the Organization resource will not be visible. To continue, see the instructions for revoking roles through the Cloud IAM page.
On the right side panel, under Permissions, click to expand the role from which you want to remove users.
Under the expanded role list, next to the member you want to remove from the role, click remove.
On the Remove member? dialog that appears, click Remove to confirm removing the role from the specified member.
Repeat the above two steps for each role you want to remove.

Example

The diagram below illustrates an organization that has used folders to separate two departments. The heads of the engineering and finance departments have administrative control, and other users are prevented from creating projects.

Diagram of hierarchy

Using multiple Organization nodes

If your organization has multiple G Suite accounts, you will have multiple Organization nodes by default. To maintain central visibility and control, you should choose one Organization node to be the master Organization node. The super administrators of the G Suite account associated with your master Organization node will have administrative control over all resources, including those created by users from the other G Suite accounts. Users from those G Suite accounts will be granted access to a folder under the master Organization node, in which they will be able to create projects.

Choose an organization administrator

Choose one or more users to act as the Cloud IAM organization administrator for the Organization node.

Console

To add an Organization admin:

Sign in to the Google Cloud Platform Console as a G Suite or Cloud Identity super administrator and navigate to the IAM & Admin page:
Open the IAM & admin page
Select the organization you want to edit:
1. Click the project drop-down list at the top of the page.
2. In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization admin.
3. On the list that appears, click the organization to open its IAM Permissions page.
Click Add, and then enter the email address of one or more users you want to set as organization administrators.
In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

The Organization admin can do the following:
- Take full control of the organization. Separation of responsibilities between G Suite or Cloud Identity super administrator and GCP administrator is established.
- Delegate responsibility over critical functions by assigning the relevant Cloud IAM roles.

Remove Project Creator role

Remove the Project Creator role from the Organization node to ensure that resources are not created in the other Organization nodes.

Console

To remove the roles assigned to users by default using the Google Cloud Platform Console:

Go to the Manage resources page in the GCP Console:
Open the Manage resources page
Click the Organization drop-down list at the top of the page and then select your organization.
Select the check box for the Organization resource for which you want to change permissions. If you do not have a Folder resource, the Organization resource will not be visible. To continue, see the instructions for revoking roles through the Cloud IAM page.
On the right side panel, under Permissions, click to expand the role from which you want to remove users.
Under the expanded role list, next to the member you want to remove from the role, click remove.
On the Remove member? dialog that appears, click Remove to confirm removing the role from the specified member.
Repeat the above two steps for each role you want to remove.

Create folders for G Suite accounts

Create a folder under the Organization node for each G Suite account.

As part of creating a folder, you must assign it a name. Folder names must meet the following requirements:

The name may contain letters, digits, spaces, hyphens and underscores.
The folder's display name must start and end with a letter or digit.
The name must be 30 characters or less.
The name must be distinct from all other folders that share its parent.

To create a folder:

console

Folders can be created in the UI using the "Manage Projects and Folders" section.

Go to the Manage resources page in the GCP Console:
Open the Manage resources page
Click Create folder.
In the Folder name box, enter your new folder's name.
Under Destination, click Browse, then select the organization node or folder under which you want to create your new folder.
1. Click Create.

gcloud

Folders can be created programmatically using the gcloud command-line tool.

To create a folder under the Organization resource using the gcloud command-line tool, run the following command.

gcloud alpha resource-manager folders create \
   --display-name=[DISPLAY_NAME] \
   --organization=[ORGANIZATION_ID]

To create a folder whose parent is another folder:

gcloud alpha resource-manager folders create \
   --display-name=[DISPLAY_NAME] \
   --folder=[FOLDER_ID]

Where:

[DISPLAY_NAME] is the folder's display name. No two folders with the same parent can share a display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores, and can be no longer than 30 characters.
[ORGANIZATION_ID]is the ID of the parent Organization if the parent is an Organization.
[FOLDER_ID] is the ID of the parent folder, if the parent is a folder.

API

Folders can be created with an API request.

The request JSON:

request_json= '{
  display_name: "[DISPLAY_NAME]"
}'

The Create Folder curl request:

curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer ${bearer_token}" \
-d "$request_json" \
https://cloudresourcemanager.googleapis.com/v2/folders?parent=[ORGANIZATION_NAME]

Where:

[DISPLAY_NAME] is the new folder's display name, for example "My Awesome Folder."
[ORGANIZATION_NAME] is the name of the organization under which you're creating the folder, for example organizations/123.

The Create Folder response:

{
  "name": "operations/fc.123456789",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
    "displayName": "[DISPLAY_NAME]",
    "operationType": "CREATE"
  }
}

The Get Operation curl request:

curl -H "Authorization: Bearer ${bearer_token}" \
https://cloudresourcemanager.googleapis.com/v1/operations/fc.123456789

The Get Operation response:

{
  "name": "operations/fc.123456789",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
    "displayName": "[DISPLAY_NAME]",
    "operationType": "CREATE"
  },
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.cloud.resourcemanager.v2.Folder",
    "name": "folders/12345",
    "parent": "organizations/123",
    "displayName": "[DISPLAY_NAME]",
    "lifecycleState": "ACTIVE",
    "createTime": "2017-07-19T23:29:26.018Z",
    "updateTime": "2017-07-19T23:29:26.046Z"
  }
}

Grant folder administrator roles

For each of the folders created, grant one or more users the Folder Admin role. These users will be delegated administrative control over the folder and the sub-organization it represents.

To configure access to folders, you must have the Folder IAM Administrator or Folder Admin role at the parent level.

console

In the Google Cloud Platform Console, open the Manage Resources page.
Open the Manage Resources page
Click the Organization drop-down list in the upper left and then select your organization.
Select the checkbox next to the project for which you want to change permissions.
On the right side Info panel, under Permissions, enter the email addresses of the members you want to add.
In the Select a role drop-down list, select the role you want to grant to those members.
Click Add. A notification appears to confirm the addition or update of the members' new role.

gcloud

You can configure access to Folders programmatically using the gcloud command-line tool or the API.

gcloud alpha resource-manager folders \
  add-iam-policy-binding [FOLDER_ID] \
  --member=user:email1@example.com \
  --role=roles/resourcemanager.folderEditor

gcloud alpha resource-manager folders \
  add-iam-policy-binding [FOLDER_ID] \
  --member=user:email1@example.com \
  --role=roles/resourcemanager.folderViewer

Alternatively:

gcloud alpha resource-manager \
  folders set-iam-policy [FOLDER_ID] [POLICY_FILE]

Where:

[FOLDER_ID] is the new folder's ID.
[POLICY_FILE] is the path to a policy file for the folder.

API

SetsIamPolicy sets the access control policy on a folder, replacing any existing policy. The resource field should be the folder's resource name, for example, folders/1234.

 request_json= '{
   policy: {
     version: "1",
     bindings: [
       {
         role: "roles/resourcemanager.folderEditor",
         members: [
           "user:email1@example.com",
           "user:email2@example.com",
         ]
       }
     ]
   }
 }'

The curl request:

   curl -X POST -H "Content-Type: application/json" \
   -H "Authorization: Bearer ${bearer_token}" \
   -d "$request_json" \
   https://cloudresourcemanager.googleapis.com/v2/[FOLDER_NAME]:setIamPolicy

Where:

[FOLDER_NAME] is the name of the folder whose IAM policy is being set, for example folders/123.

Each Folder Admin can then grant users from the associated domain the Project Creator role.

Example

The diagram below illustrates an organization with a primary domain that is kept isolated from an acquired secondary domain. Each of the two domains have their own G Suite accounts, with hypothetical.com being the master Organization node.

Diagram of hierarchy

Effects of using multiple Organization nodes

Using a single Organization node

Choose an organization administrator

Console

Create folders for sub-organizations

console

gcloud

API

Grant folder administrator roles

console

gcloud

API

Restricting sub-organization roles

Console

Example

Using multiple Organization nodes

Choose an organization administrator

Console

Remove Project Creator role

Console

Create folders for G Suite accounts

console

gcloud

API

Grant folder administrator roles

console

gcloud

API

Example

Palautteen aihe: