This page describes the basic concepts of the Organization Policy service for Google Cloud Platform.
The Organization Policy service gives you central, programmatic control over your Organization's Cloud resources. It provides a simple mechanism for you to restrict allowed configurations across your entire Cloud Resource hierarchy.
Organization policies provide the following benefits:
- Policies can be set per project or per organization.
- Policies are inherited down the resource hierarchy, and can be overridden at any level on which an org policy can be set.
- Policies are not necessarily managed by the owner of the resource. Instead, policies are managed by your organization's policy administrator (IAM role: roles/orgpolicy.policyAdmin). This means that individual users and project owners cannot override policies.
To be able to use the Organization Policy service API with the Projects and Organizations service, you must enable the Google Cloud Resource Manager API on the consumer project.
Because this is a Beta release, it is important to discuss what happens in the unlikely event of an Organization Policy service outage.
If calls to the Organization Policy service fail due to an outage, you will not be able to update the organization policies on your resources. Enforcement of organization policies should be unaffected. In the worst-case scenario, an organization policy is set on a resource (for example, a policy that doesn't allow a fundamental API to be enabled on a project) and there is a production outage that could be solved by updating the policy. In this scenario, the outage may last longer than it would have otherwise. If you experience any outage of the Organization Policy service, please contact your sales or support partner.
Organization policy IAM role
In order to set or clear an organization policy, a user must be assigned the IAM role Resource Manager > Organization Policy Administrator (roles/orgpolicy.policyAdmin). This role is only grantable at the organization level. The members of this role can define what restrictions an organization wants to place on the configuration of cloud resources by setting policies. As mentioned earlier, this role cannot be granted at resources below the organization level. This ensures that project owners, who have the permissions to set IAM permissions, are not able to add themselves to the role on the projects they own, so the projects remain in compliance and their policies cannot be overridden by a project owner.
Concepts related to the service
Two essential concepts are at the heart of the Organization Policy service: constraints and policies.
A constraint defines an aspect of a resource's configuration that can be controlled, and serves as a sort of schema for an organization policy. An organization policy defines the boundaries of allowable configuration for the aspect defined by the associated constraint on a given resource and all descendant resources in the resource hierarchy (unless overridden by another policy lower in the hierarchy).
A constraint describes a way in which a resource's configuration can be restricted. For example, a constraint might control which APIs can be enabled on projects in an organization. Resource configurations can be restricted by the organization's policy administrator to fit the needs of the organization by setting policies for constraints at different locations in the organization's resource hierarchy. Understanding Constraints describes them in more detail.
An organization policy enables you to control the organization-level configuration of Cloud resources. For example, in Google Compute Engine you can restrict whether or not serial port access is enabled.
A policy respects the hierarchy of resources. That is, a policy applied to a parent resource automatically applies to all its descendant resources, unless augmented or overridden with a policy lower in the hierarchy.
For details about the inheritance rules read Understanding Policies and Hierarchical Evaluation.
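As an added illustration of the inheritance described above (example code written for this page, not part of the Organization Policy API or Google's own documentation), the following Python models a resource hierarchy and computes the effective policy for a list constraint, where a policy set lower in the hierarchy either overrides the inherited one or augments it by merging values. The merge rule, the evaluation rule in is_allowed, and the resource ids and service values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ListPolicy:
    """Policy for a list constraint on one resource (simplified model)."""
    allowed: List[str] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)
    inherit_from_parent: bool = False  # True augments the parent, False overrides it

@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    policies: Dict[str, ListPolicy] = field(default_factory=dict)

def effective_policy(res: Resource, constraint: str) -> Optional[ListPolicy]:
    """Walk up to the organization and compute the policy that actually applies."""
    own = res.policies.get(constraint)
    inherited = effective_policy(res.parent, constraint) if res.parent else None
    if own is None:
        return inherited          # nothing set here: inherit the parent's effective policy
    if inherited is None or not own.inherit_from_parent:
        return own                # override: this resource's policy replaces the inherited one
    return ListPolicy(            # augment: merge this policy with the inherited values
        allowed=sorted(set(inherited.allowed) | set(own.allowed)),
        denied=sorted(set(inherited.denied) | set(own.denied)),
        inherit_from_parent=True)

def is_allowed(res: Resource, constraint: str, value: str) -> bool:
    """Assumed rule: a denied value loses, an allow-list restricts, no policy means unrestricted."""
    policy = effective_policy(res, constraint)
    if policy is None:
        return True
    if value in policy.denied:
        return False
    return not policy.allowed or value in policy.allowed

# Constructed hierarchy: organization -> folder -> two projects (ids and values are made up).
CONSTRAINT = "constraints/serviceuser.services"
org = Resource("organizations/123",
               policies={CONSTRAINT: ListPolicy(denied=["compute.googleapis.com"])})
folder = Resource("folders/456", parent=org, policies={CONSTRAINT: ListPolicy(
    denied=["bigquery.googleapis.com"], inherit_from_parent=True)})
proj_inherit = Resource("projects/p1", parent=folder)   # no policy of its own
proj_override = Resource("projects/p2", parent=folder, policies={CONSTRAINT: ListPolicy(
    allowed=["storage.googleapis.com"])})                # replaces the inherited denies
```

Note that proj_override ends up with no denied values at all: an override without inherit_from_parent discards everything the organization and folder administrators set, which is exactly why the page restricts who may hold the policy administrator role.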
Currently, organization policies can be defined and set using the Organization Policy service APIs, which are part of the Google Cloud Resource Manager API set.