The Organization node establishes ownership of the projects and folders underneath it in the Google Cloud Platform resource hierarchy. Your G Suite or Cloud Identity account is associated with exactly one Organization node. Each G Suite or Cloud Identity account is also associated with a single domain, such as example.com.
It's best to use folders under one Organization node for most use cases. If you want to maintain sub-organizations or departments within your company as isolated entities with no central administration, you can set up multiple G Suite or Cloud Identity accounts. Each account will come with a single Organization node associated with one domain.
Effects of using multiple Organization nodes
Use multiple Organization nodes when you don't want users from one G Suite or Cloud Identity account to access resources created by users from another G Suite or Cloud Identity account. Separating resources into multiple Organization nodes comes with several consequences:
By default, no single user will have central visibility and control over all resources.
Policies that are common across sub-organizations will need to be replicated on each Organization node.
Moving projects and folders from one Organization node to another is not a self-serve operation, and will require a support request.
Each Organization node requires its own G Suite or Cloud Identity account. Operating multiple Organization nodes therefore means operating multiple accounts and managing identities across all of them.
Using a single Organization node
Most organizations that want to maintain separate sub-organizations can do so using a single Organization node and folders. If you have a single G Suite account, this account maps to the Organization node, and sub-organizations map to folders.
Choose an organization administrator
Choose one or more users to act as the Cloud IAM organization administrator for the Organization node.
Console
To add an Organization admin:
Sign in to the Google Cloud Console as a G Suite or Cloud Identity super administrator and navigate to the IAM & Admin page:
Select the organization you want to edit:
Click the project drop-down list at the top of the page.
In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization admin.
On the list that appears, click the organization to open its IAM Permissions page.
Click Add, and then enter the email address of one or more users you want to set as organization administrators.
In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.
The Organization admin can do the following:
Take full control of the organization. Granting this role establishes a separation of responsibilities between the G Suite or Cloud Identity super administrator, who manages identities, and the Google Cloud organization administrator, who manages resources.
Delegate responsibility over critical functions by assigning the relevant Cloud IAM roles.
Create folders for sub-organizations
Create a folder under the Organization node for each sub-organization.
To create folders, you must have the Folder Admin or Folder Creator role at the parent level. For example, to create folders at the Organization level, you must have one of these roles at the Organization level.
As part of creating a folder, you must assign it a name. Folder names must meet the following requirements:
- The name may contain letters, digits, spaces, hyphens and underscores.
- The folder's display name must start and end with a letter or digit.
- The name must be 30 characters or less.
- The name must be distinct from all other folders that share its parent.
To create a folder:
console
Folders can be created in the UI using the "Manage Projects and Folders" section.
Go to the Manage resources page in the Cloud Console:
Make sure that your organization name is selected in the organization drop-down list at the top of the page.
Click Create folder.
In the Folder name box, enter your new folder's name.
Under Destination, click Browse, then select the organization node or folder under which you want to create your new folder.
Click Create.
gcloud
Folders can be created programmatically using the gcloud command-line tool.
To create a folder under the Organization resource using the gcloud command-line tool, run the following command.
gcloud alpha resource-manager folders create \
--display-name=[DISPLAY_NAME] \
--organization=[ORGANIZATION_ID]
To create a folder whose parent is another folder:
gcloud alpha resource-manager folders create \
--display-name=[DISPLAY_NAME] \
--folder=[FOLDER_ID]
Where:
[DISPLAY_NAME] is the folder's display name. No two folders with the same parent can share a display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores, and can be no longer than 30 characters.
[ORGANIZATION_ID] is the ID of the parent Organization, if the parent is an Organization.
[FOLDER_ID] is the ID of the parent folder, if the parent is a folder.
API
Folders can be created with an API request.
The request JSON (note there is no space around the = in the shell assignment, and the field name is quoted so the body is valid JSON):
request_json='{
  "displayName": "[DISPLAY_NAME]"
}'
The Create Folder curl request:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer ${bearer_token}" \
-d "$request_json" \
https://cloudresourcemanager.googleapis.com/v2/folders?parent=[ORGANIZATION_NAME]
Where:
[DISPLAY_NAME] is the new folder's display name, for example "My Awesome Folder".
[ORGANIZATION_NAME] is the name of the organization under which you're creating the folder, for example organizations/123.
The Create Folder response:
{
"name": "operations/fc.123456789",
"metadata": {
"@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
"displayName": "[DISPLAY_NAME]",
"operationType": "CREATE"
}
}
The Get Operation curl request:
curl -H "Authorization: Bearer ${bearer_token}" \
https://cloudresourcemanager.googleapis.com/v1/operations/fc.123456789
The Get Operation response:
{
"name": "operations/fc.123456789",
"metadata": {
"@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
"displayName": "[DISPLAY_NAME]",
"operationType": "CREATE"
},
"done": true,
"response": {
"@type": "type.googleapis.com/google.cloud.resourcemanager.v2.Folder",
"name": "folders/12345",
"parent": "organizations/123",
"displayName": "[DISPLAY_NAME]",
"lifecycleState": "ACTIVE",
"createTime": "2017-07-19T23:29:26.018Z",
"updateTime": "2017-07-19T23:29:26.046Z"
}
}
Grant folder administrator roles
For each sub-organization folder you create, grant one or more users the Folder Admin role. These users will have administrative control over the folder and the sub-organization it represents.
To configure access to folders, you must have the Folder IAM Administrator or Folder Admin role at the parent level.
console
In the Google Cloud Console, open the Manage Resources page.
Click the Organization drop-down list in the upper left and then select your organization.
Select the checkbox next to the folder for which you want to change permissions.
On the right side Info panel, under Permissions, enter the email addresses of the members you want to add.
In the Select a role drop-down list, select the role you want to grant to those members.
Click Add. A notification appears to confirm the addition or update of the members' new role.
gcloud
You can configure access to folders programmatically using the gcloud command-line tool or the API. For example, to grant the Folder Admin role to one user and the Folder Viewer role to another:
gcloud alpha resource-manager folders \
add-iam-policy-binding [FOLDER_ID] \
--member=user:email1@example.com \
--role=roles/resourcemanager.folderAdmin
gcloud alpha resource-manager folders \
add-iam-policy-binding [FOLDER_ID] \
--member=user:email2@example.com \
--role=roles/resourcemanager.folderViewer
Alternatively, replace the folder's whole policy from a file:
gcloud alpha resource-manager \
folders set-iam-policy [FOLDER_ID] [POLICY_FILE]
Where:
[FOLDER_ID] is the new folder's ID.
[POLICY_FILE] is the path to a policy file for the folder.
Note that set-iam-policy replaces the entire policy: any binding not present in [POLICY_FILE] is revoked. Start from the output of get-iam-policy (which includes the policy's etag) rather than a hand-written file, so that existing grants are kept and a concurrent change by another administrator is rejected instead of silently overwritten.
API
setIamPolicy sets the access control policy on a folder, replacing any existing policy. The resource field should be the folder's resource name, for example folders/1234. Because the call replaces the policy, read the current policy with getIamPolicy first and submit a modified copy of it (including its etag); a policy written from scratch like the one below revokes every binding it does not list.
request_json='{
  "policy": {
    "version": 1,
    "bindings": [
      {
        "role": "roles/resourcemanager.folderAdmin",
        "members": [
          "user:email1@example.com",
          "user:email2@example.com"
        ]
      }
    ]
  }
}'
The curl request:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer ${bearer_token}" \
-d "$request_json" \
https://cloudresourcemanager.googleapis.com/v2/[FOLDER_NAME]:setIamPolicy
Where:
[FOLDER_NAME]
is the name of the folder whose IAM policy is being set, for example folders/123.
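The following is an added example, not code from the original page or from Google: a read-modify-write helper for the policy document that setIamPolicy (and set-iam-policy) consumes. It shows why a hand-written policy is dangerous: the API replaces the whole policy, so the safe pattern is to take the object returned by getIamPolicy, change only the binding you care about, and send the result back with its etag so that a concurrent edit by another administrator is rejected rather than overwritten. The sample policy, the folder, the users and the etag value are constructed placeholders.

```python
import copy

# Constructed sample of what getIamPolicy on a folder returns. The folder,
# users and etag value are placeholders, not real identifiers.
EXISTING_POLICY = {
    "version": 1,
    "etag": "BwWj7xEXAMPLE=",  # opaque concurrency token returned by getIamPolicy
    "bindings": [
        {
            "role": "roles/resourcemanager.folderAdmin",
            "members": ["user:lead@example.com"],
        },
    ],
}


def members_of(policy, role):
    """Members bound to role in policy (empty list if the role is absent)."""
    for b in policy.get("bindings", []):
        if b["role"] == role:
            return sorted(b["members"])
    return []


def add_binding(policy, role, member):
    """Copy of policy with member added to role; a no-op if already bound.

    The input is never modified and no other binding is touched, so sending
    the result to setIamPolicy cannot silently drop existing grants.
    """
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, role, member):
    """Copy of policy with member removed from role; empty bindings are dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role:
            b["members"] = [m for m in b["members"] if m != member]
        if b["members"]:
            kept.append(b)
    new["bindings"] = kept
    return new


def set_iam_policy_body(policy):
    """Request body for folders.setIamPolicy, carrying the etag forward.

    If someone else changed the policy between our read and our write, the
    server rejects the stale etag (HTTP 409, ABORTED) instead of overwriting
    their change. Refuse to build a body that has no etag at all.
    """
    if not policy.get("etag"):
        raise ValueError("policy has no etag; fetch it with getIamPolicy first")
    return {"policy": policy}


if __name__ == "__main__":
    import json

    updated = add_binding(
        EXISTING_POLICY, "roles/resourcemanager.folderViewer", "user:auditor@example.com"
    )
    # Send this body with: curl -X POST ... -d "$body" .../v2/folders/123:setIamPolicy
    print(json.dumps(set_iam_policy_body(updated), indent=2))
```

Pipe the output of the GET request into this helper instead of typing the policy by hand; the etag check costs nothing and turns a lost-update race between two administrators into a visible error you can retry.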
Restricting sub-organization roles
When an Organization node is created, every user in the domain is granted the Project Creator role on the Organization node by default, and that grant is inherited by every folder beneath it. To confine project creation to each sub-organization, the Organization admin removes the domain from the Project Creator role in the Organization node's IAM policy, and each Folder Admin then grants the Project Creator role on their folder only to members of their own sub-organization.
G Suite super administrators have irrevocable organization administrator privileges. These super admins typically manage identities and identity policies rather than Google Cloud resources and resource policies.
Console
To remove the roles assigned to users by default using the Google Cloud Console:
Go to the Manage resources page in the Cloud Console:
Click the Organization drop-down list at the top of the page and then select your organization.
Select the check box for the Organization resource for which you want to change permissions. If you do not have a Folder resource, the Organization resource will not be visible. To continue, see the instructions for revoking roles through the Cloud IAM page.
On the right side panel, under Permissions, click to expand the role from which you want to remove users.
Under the expanded role list, next to the member you want to remove from the role, click remove.
On the Remove member? dialog that appears, click Remove to confirm removing the role from the specified member.
Repeat the above two steps for each role you want to remove.
Example
The diagram below illustrates an organization that has used folders to separate two departments. The heads of the engineering and finance departments have administrative control, and other users are prevented from creating projects.
Using multiple Organization nodes
If your organization has multiple G Suite accounts, you will have multiple Organization nodes by default. To maintain central visibility and control, you should choose one Organization node to be the master Organization node. The super administrators of the G Suite account associated with your master Organization node will have administrative control over all resources, including those created by users from the other G Suite accounts. Users from those G Suite accounts will be granted access to a folder under the master Organization node, in which they will be able to create projects.
Choose an organization administrator
Choose one or more users to act as the Cloud IAM organization administrator for the Organization node.
Console
To add an Organization admin:
Sign in to the Google Cloud Console as a G Suite or Cloud Identity super administrator and navigate to the IAM & Admin page:
Select the organization you want to edit:
Click the project drop-down list at the top of the page.
In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization admin.
On the list that appears, click the organization to open its IAM Permissions page.
Click Add, and then enter the email address of one or more users you want to set as organization administrators.
In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.
The Organization admin can do the following:
Take full control of the organization. Granting this role establishes a separation of responsibilities between the G Suite or Cloud Identity super administrator, who manages identities, and the Google Cloud organization administrator, who manages resources.
Delegate responsibility over critical functions by assigning the relevant Cloud IAM roles.
Remove Project Creator role
In each of the other (non-master) Organization nodes, remove the domain from the Project Creator role on the Organization node. Users of those G Suite accounts then cannot create projects in their own Organization node and must create them in the folder delegated to them under the master Organization node, where the master Organization's administrators retain visibility and control.
Console
To remove the roles assigned to users by default using the Google Cloud Console:
Go to the Manage resources page in the Cloud Console:
Click the Organization drop-down list at the top of the page and then select your organization.
Select the check box for the Organization resource for which you want to change permissions. If you do not have a Folder resource, the Organization resource will not be visible. To continue, see the instructions for revoking roles through the Cloud IAM page.
On the right side panel, under Permissions, click to expand the role from which you want to remove users.
Under the expanded role list, next to the member you want to remove from the role, click remove.
On the Remove member? dialog that appears, click Remove to confirm removing the role from the specified member.
Repeat the above two steps for each role you want to remove.
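Both revocation procedures above (removing the domain-wide Project Creator grant from a single Organization node so that Folder Admins can re-grant it per sub-organization, and removing it from the secondary Organization nodes in the multiple-node setup) rest on one fact: a role bound on the Organization node is inherited by every folder and project beneath it. The added example below, which is not from the original page or from Google, resolves effective Project Creator membership over a constructed hierarchy, flags the domain-wide default grants on the Organization node, prints the gcloud commands that revoke them, and shows the resulting membership once they are gone. It goes slightly beyond the text in also checking the Billing Account Creator role (roles/billing.creator), which new Organization nodes grant to the domain alongside Project Creator. All resource IDs, groups and users are placeholders.

```python
import copy

# Constructed hierarchy: child resource -> parent resource (None for the root).
PARENT = {
    "organizations/123": None,
    "folders/eng": "organizations/123",
    "folders/fin": "organizations/123",
    "folders/eng-ci": "folders/eng",
}

# Constructed IAM policies shaped like get-iam-policy output. The organization
# carries the domain-wide Project Creator and Billing Account Creator bindings
# that every new Organization node starts with.
POLICIES = {
    "organizations/123": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:orgadmin@example.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:example.com"]},
        {"role": "roles/billing.creator",
         "members": ["domain:example.com"]},
    ]},
    "folders/eng": {"bindings": [
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["user:eng-head@example.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["group:eng@example.com"]},
    ]},
    "folders/fin": {"bindings": [
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["user:fin-head@example.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["group:finance@example.com"]},
    ]},
    "folders/eng-ci": {"bindings": []},
}

DEFAULT_ORG_ROLES = ("roles/resourcemanager.projectCreator", "roles/billing.creator")


def ancestors(resource, parent=PARENT):
    """resource followed by each ancestor up to the Organization node."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = parent[resource]
    return chain


def effective_members(resource, role, policies=POLICIES, parent=PARENT):
    """Everyone holding role on resource, including grants inherited from above."""
    members = set()
    for r in ancestors(resource, parent):
        for b in policies.get(r, {}).get("bindings", []):
            if b["role"] == role:
                members.update(b["members"])
    return sorted(members)


def domain_wide_grants(org, policies=POLICIES):
    """(role, member) pairs on org that hand a default role to a whole domain."""
    return [
        (b["role"], m)
        for b in policies[org]["bindings"]
        if b["role"] in DEFAULT_ORG_ROLES
        for m in b["members"]
        if m.startswith("domain:")
    ]


def removal_commands(org, policies=POLICIES):
    """gcloud commands that revoke each domain-wide default grant on org."""
    org_id = org.split("/", 1)[1]
    return [
        f"gcloud organizations remove-iam-policy-binding {org_id} "
        f"--member={member} --role={role}"
        for role, member in domain_wide_grants(org, policies)
    ]


def without_domain_wide_grants(org, policies=POLICIES):
    """The policies as they look after the commands above have run."""
    new = copy.deepcopy(policies)
    for b in new[org]["bindings"]:
        if b["role"] in DEFAULT_ORG_ROLES:
            b["members"] = [m for m in b["members"] if not m.startswith("domain:")]
    new[org]["bindings"] = [b for b in new[org]["bindings"] if b["members"]]
    return new


if __name__ == "__main__":
    role = "roles/resourcemanager.projectCreator"
    for f in ("folders/eng", "folders/fin", "folders/eng-ci"):
        print(f, "before:", effective_members(f, role))
    for cmd in removal_commands("organizations/123"):
        print(cmd)
    fixed = without_domain_wide_grants("organizations/123")
    for f in ("folders/eng", "folders/fin", "folders/eng-ci"):
        print(f, "after: ", effective_members(f, role, fixed))
```

Before the revocation, everyone in example.com can create projects in every folder, including folders/eng-ci, which has no policy of its own; afterwards only the groups each Folder Admin bound on their own folder remain. Feed real policies into POLICIES and PARENT from the get-iam-policy output of your Organization and folders to run the same check against your hierarchy.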
Create folders for G Suite accounts
Create a folder under the Organization node for each G Suite account.
To create folders, you must have the Folder Admin or Folder Creator role at the parent level. For example, to create folders at the Organization level, you must have one of these roles at the Organization level.
As part of creating a folder, you must assign it a name. Folder names must meet the following requirements:
- The name may contain letters, digits, spaces, hyphens and underscores.
- The folder's display name must start and end with a letter or digit.
- The name must be 30 characters or less.
- The name must be distinct from all other folders that share its parent.
To create a folder:
console
Folders can be created in the UI using the "Manage Projects and Folders" section.
Go to the Manage resources page in the Cloud Console:
Make sure that your organization name is selected in the organization drop-down list at the top of the page.
Click Create folder.
In the Folder name box, enter your new folder's name.
Under Destination, click Browse, then select the organization node or folder under which you want to create your new folder.
Click Create.
gcloud
Folders can be created programmatically using the gcloud command-line tool.
To create a folder under the Organization resource using the gcloud command-line tool, run the following command.
gcloud alpha resource-manager folders create \
--display-name=[DISPLAY_NAME] \
--organization=[ORGANIZATION_ID]
To create a folder whose parent is another folder:
gcloud alpha resource-manager folders create \
--display-name=[DISPLAY_NAME] \
--folder=[FOLDER_ID]
Where:
[DISPLAY_NAME] is the folder's display name. No two folders with the same parent can share a display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores, and can be no longer than 30 characters.
[ORGANIZATION_ID] is the ID of the parent Organization, if the parent is an Organization.
[FOLDER_ID] is the ID of the parent folder, if the parent is a folder.
API
Folders can be created with an API request.
The request JSON (note there is no space around the = in the shell assignment, and the field name is quoted so the body is valid JSON):
request_json='{
  "displayName": "[DISPLAY_NAME]"
}'
The Create Folder curl request:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer ${bearer_token}" \
-d "$request_json" \
https://cloudresourcemanager.googleapis.com/v2/folders?parent=[ORGANIZATION_NAME]
Where:
[DISPLAY_NAME] is the new folder's display name, for example "My Awesome Folder".
[ORGANIZATION_NAME] is the name of the organization under which you're creating the folder, for example organizations/123.
The Create Folder response:
{
"name": "operations/fc.123456789",
"metadata": {
"@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
"displayName": "[DISPLAY_NAME]",
"operationType": "CREATE"
}
}
The Get Operation curl request:
curl -H "Authorization: Bearer ${bearer_token}" \
https://cloudresourcemanager.googleapis.com/v1/operations/fc.123456789
The Get Operation response:
{
"name": "operations/fc.123456789",
"metadata": {
"@type": "type.googleapis.com/google.cloud.resourcemanager.v2.FolderOperation",
"displayName": "[DISPLAY_NAME]",
"operationType": "CREATE"
},
"done": true,
"response": {
"@type": "type.googleapis.com/google.cloud.resourcemanager.v2.Folder",
"name": "folders/12345",
"parent": "organizations/123",
"displayName": "[DISPLAY_NAME]",
"lifecycleState": "ACTIVE",
"createTime": "2017-07-19T23:29:26.018Z",
"updateTime": "2017-07-19T23:29:26.046Z"
}
}
Grant folder administrator roles
For each of the folders created, grant one or more users the Folder Admin role. These users will be delegated administrative control over the folder and the sub-organization it represents.
To configure access to folders, you must have the Folder IAM Administrator or Folder Admin role at the parent level.
console
In the Google Cloud Console, open the Manage Resources page.
Click the Organization drop-down list in the upper left and then select your organization.
Select the checkbox next to the folder for which you want to change permissions.
On the right side Info panel, under Permissions, enter the email addresses of the members you want to add.
In the Select a role drop-down list, select the role you want to grant to those members.
Click Add. A notification appears to confirm the addition or update of the members' new role.
gcloud
You can configure access to folders programmatically using the gcloud command-line tool or the API. For example, to grant the Folder Admin role to one user and the Folder Viewer role to another:
gcloud alpha resource-manager folders \
add-iam-policy-binding [FOLDER_ID] \
--member=user:email1@example.com \
--role=roles/resourcemanager.folderAdmin
gcloud alpha resource-manager folders \
add-iam-policy-binding [FOLDER_ID] \
--member=user:email2@example.com \
--role=roles/resourcemanager.folderViewer
Alternatively, replace the folder's whole policy from a file:
gcloud alpha resource-manager \
folders set-iam-policy [FOLDER_ID] [POLICY_FILE]
Where:
[FOLDER_ID] is the new folder's ID.
[POLICY_FILE] is the path to a policy file for the folder.
Note that set-iam-policy replaces the entire policy: any binding not present in [POLICY_FILE] is revoked. Start from the output of get-iam-policy (which includes the policy's etag) rather than a hand-written file, so that existing grants are kept and a concurrent change by another administrator is rejected instead of silently overwritten.
API
setIamPolicy sets the access control policy on a folder, replacing any existing policy. The resource field should be the folder's resource name, for example folders/1234. Because the call replaces the policy, read the current policy with getIamPolicy first and submit a modified copy of it (including its etag); a policy written from scratch like the one below revokes every binding it does not list.
request_json='{
  "policy": {
    "version": 1,
    "bindings": [
      {
        "role": "roles/resourcemanager.folderAdmin",
        "members": [
          "user:email1@example.com",
          "user:email2@example.com"
        ]
      }
    ]
  }
}'
The curl request:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer ${bearer_token}" \
-d "$request_json" \
https://cloudresourcemanager.googleapis.com/v2/[FOLDER_NAME]:setIamPolicy
Where:
[FOLDER_NAME]
is the name of the folder whose IAM policy is being set, for example folders/123.
Each Folder Admin can then grant users from the associated domain the Project Creator role.
Example
The diagram below illustrates an organization with a primary domain that is kept isolated from an acquired secondary domain. Each of the two domains has its own G Suite account, with hypothetical.com being the master Organization node.