Creating and Managing Organization Policies

This page describes how to view, create, and manage your organization policies using the Google Cloud Platform Console.

The Cloud Identity and Access Management role roles/orgpolicy.policyAdmin enables an administrator to manage organization policies. Users must be organization policy administrators to change or override organization policies.

Before you begin

To use this guide, you'll need to be familiar with:

Viewing organization policies

To view organization policies:

  1. Go to the Organization policies page in the Google Cloud Platform Console.

  2. Click Select, and then select the project, folder, or organization for which you want to view organization policies. The Organization policies page displays a list of organization policy constraints that are available.

  3. To filter the list by constraint name, enter a constraint name into the text box.

  4. To filter the list by inheritance status, in the Any inheritance drop-down list, select an inheritance type.

    • To filter based on organization policies that follow the same rules as the parent resource, select Inherited.

    • To filter based on resources that have a set organization policy, which merges with the rules set by the parent resource, select Custom.

  5. To display the current inherited policy, click Edit. The inherited policy will appear on the Policy summary panel.

For more details and step-by-step guides for using each constraint, see Organization Policy Constraints.

Creating and editing policies

Organization policies are defined by the values set for each constraint. They are either customized at the level of this resource, inherited from the parent resource, or set to the Google-managed default behavior.

Customizing policies for boolean constraints

To customize a boolean policy:

  1. Go to the Organization policies page in the Google Cloud Platform Console.

  2. Click Select, and then select the project, folder, or organization for which you want to edit organization policies. The Organization policies page displays a list of organization policy constraints that are available.

  3. Select a constraint from the list on the Organization policies page. The Policy details page that appears describes the constraint and provides information about how the constraint is currently applied.

  4. To customize the organization policy for this resource, click Edit.

  5. On the Edit page, select Customize.

  6. Under Enforcement, select an enforcement option:

    • To enable enforcement of this constraint, select On.

    • To disable enforcement of this constraint, select Off.

  7. Click Save.

For gcloud command-line tool instructions, see the boolean constraints section of Using Constraints.

Customizing policies for list constraints

To customize a list constraint:

  1. Go to the Organization policies page in the Google Cloud Platform Console.

  2. Click Select, and then select the project, folder, or organization for which you want to edit organization policies. The Organization policies page displays a list of organization policy constraints that are available.

  3. Select a constraint from the list on the Organization policies page. The Policy details page that appears describes the constraint and provides information about how the constraint is currently applied.

  4. To customize the organization policy for this resource, click Edit.

  5. On the Edit page, select Customize.

  6. Under Policy enforcement, select an enforcement option:

    • To merge and evaluate the organization policies together, select Merge with parent. For more information about inheritance and the resource hierarchy, see Understanding Hierarchy Evaluation.

    • To override the inherited policies completely, select Replace.

  7. Under Policy type, select whether this organization policy will specify allowed or denied values:

    • To specify that the listed values will be the only allowed values, and all other values will be denied, select Allow.

    • To specify that the listed values will be explicitly denied, and all other values will be allowed, select Deny.

  8. Under Policy values, select whether this organization policy will apply to all values or a list of specific values:

    • To apply the above policy type to every possible value, select All.

    • To list explicit values, select Custom. In the Policy value text box that appears, enter a value and then press Enter. You can add multiple entries in this way.

  9. To set a recommendation for other users, click Set recommendation.

    • To set the recommendation, enter a string value into the text box that appears. This string value will be displayed in the GCP Console to provide guidance to users about this organization policy. It is only a communication tool, and does not affect what policy can be set.

  10. To finish and apply the organization policy, click Save.

For gcloud command-line tool instructions, see the list constraints section of Using Constraints.

Inheriting organization policy

You can set an organization policy to inherit the parent organization policy or to use the Google-managed default behavior. Either of these options will remove an existing custom organization policy. To change the behaviors that an organization policy inherits:

  1. Go to the Organization policies page in the Google Cloud Platform Console.

  2. Click Select, and then select the project, folder, or organization for which you want to edit organization policies. The Organization policies page displays a list of organization policy constraints that are available.

  3. Select a constraint from the list on the Organization policies page. The Policy details page that appears describes the constraint and provides information about how the constraint is currently applied.

  4. To remove a custom organization policy on this resource, click Edit and then select an option to specify how the organization policy is evaluated:

    • To make this resource follow the same rules as the parent resource for this constraint, select Inherit parent's policy. This is the default behavior for resources.

    • To override the parent resource's organization policy with the default behavior set by Google for this constraint, select Google-managed default.
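
The Console choices in the boolean, list, and inheritance procedures above can be checked after the fact against an exported policy. The following is an added example, not part of the original page or of Google's tooling: it maps a policy to the Console options it corresponds to and flags settings a reviewer would want to look at. It assumes policies are available as Python dicts using the Resource Manager v1 OrgPolicy field names (booleanPolicy, listPolicy, restoreDefault); the function names, constraint names, and values are constructed placeholders.

```python
def console_settings(policy):
    """Map one exported policy (v1 OrgPolicy field names, assumed) to Console options."""
    if "restoreDefault" in policy:
        return {"applies_to": "Google-managed default"}
    if "booleanPolicy" in policy:
        on = policy["booleanPolicy"].get("enforced", False)
        return {"applies_to": "Customize", "enforcement": "On" if on else "Off"}
    if "listPolicy" not in policy:
        # Assumption: no policy block means nothing is set on this resource.
        return {"applies_to": "Inherit parent's policy"}
    lp = policy["listPolicy"]
    allowed, denied = lp.get("allowedValues", []), lp.get("deniedValues", [])
    if allowed and denied:
        raise ValueError("mixed allow/deny lists have no single Policy type")
    if lp.get("allValues") in ("ALLOW", "DENY"):
        policy_type, values = lp["allValues"].capitalize(), "All"
    else:
        policy_type, values = ("Deny", denied) if denied else ("Allow", allowed)
    return {
        "applies_to": "Customize",
        "policy_enforcement": "Merge with parent" if lp.get("inheritFromParent") else "Replace",
        "policy_type": policy_type,
        "policy_values": values,
        "recommendation": lp.get("suggestedValue"),
    }


def review_flags(policy):
    """Return reasons a reviewer should look at this policy."""
    s, flags = console_settings(policy), []
    if s.get("enforcement") == "Off":
        flags.append("boolean constraint customized to Off on this resource")
    if s.get("policy_enforcement") == "Replace":
        flags.append("Replace: inherited list policy is overridden completely")
        if (s["policy_type"], s["policy_values"]) == ("Allow", "All"):
            flags.append("Allow + All: every value is permitted on this resource")
    return flags

# Constructed sample policies; constraint names and values are placeholders.
SAMPLES = [
    {"constraint": "constraints/EXAMPLE_BOOLEAN", "booleanPolicy": {"enforced": False}},
    {"constraint": "constraints/EXAMPLE_LIST", "listPolicy": {"allValues": "ALLOW"}},
    {"constraint": "constraints/EXAMPLE_LIST",
     "listPolicy": {"inheritFromParent": True, "deniedValues": ["value-a"]}},
    {"constraint": "constraints/EXAMPLE_LIST", "restoreDefault": {}},
]

if __name__ == "__main__":
    print([(console_settings(p), review_flags(p)) for p in SAMPLES])
```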
