Introduction to the Organization Policy Service

The Organization Policy Service gives you centralized, programmatic control over your organization's cloud resources. As the organization policy administrator, you can configure restrictions across your entire resource hierarchy.

Benefits

  • Centralize control to configure restrictions on how your organization’s resources can be used.
  • Define and establish guardrails for your development teams to stay within compliance boundaries.
  • Help project owners and their teams move quickly without worry of breaking compliance.

Common use cases

See the list of all Organization Policy Service constraints.

Differences from Cloud Identity and Access Management

Cloud Identity and Access Management focuses on who: it lets the administrator authorize who can take action on specific resources, based on permissions.

Organization Policy focuses on what: it lets the administrator set restrictions on specific resources to determine how they can be configured. Because the two are evaluated independently, a restriction set by organization policy applies even to principals who hold the IAM permissions for the action, including project owners.

Key Concepts

Organization policy

An organization policy is a configuration of restrictions. You, as the organization policy administrator, define an organization policy, and you set that organization policy on a resource hierarchy node in order to enforce the restrictions on that resource hierarchy node and its descendants.

In order to define an organization policy, you choose a constraint, which is a particular type of restriction against either a GCP service or a group of GCP services. You configure that constraint with your desired restrictions.

Descendants of the targeted resource hierarchy node inherit the organization policy. By applying an organization policy to the root organization node, you are able to effectively drive enforcement of that organization policy and configuration of restrictions across your organization.

Organization policy concepts

Constraints

A constraint is a particular type of restriction against a GCP service or a list of GCP services. Think of the constraint as a blueprint that defines what behaviors are controlled. This blueprint is then applied to a resource hierarchy node as an organization policy, which implements the rules defined in the constraint. The GCP service mapped to that constraint and associated with that resource hierarchy node will then enforce the restrictions configured within the organization policy.

A constraint has a type, which determines what kind of organization policy value can be entered and how it is checked during enforcement. The enforcing GCP service evaluates the constraint type together with the configured value to decide whether an action or state is restricted.

The possible types include:

  • Constraint type: List
    Sample: Restrict configuration of external IPs to a list of instances
    Constraint used: constraints/compute.vmExternalIpAccess
    Configuration restriction: Allowing
      projects/P1/zones/Z1/instances/123,
      projects/P2/zones/Z1/instances/456

  • Constraint type: Boolean
    Sample: Disable serial port access for VMs
    Constraint used: constraints/compute.disableSerialPortAccess
    Configuration restriction: True

To learn more about constraints, see the Understanding Constraints page.

Inheritance

When an organization policy is set on a resource hierarchy node, all descendants of that node inherit the organization policy by default. If you set an organization policy at the root organization node, the configuration of restrictions defined by that policy is passed down through all descendant folders and projects.

A user with the Organization Policy Administrator role can set another organization policy on a descendant resource hierarchy node that either overrides the inherited policy or merges with it, according to the rules of hierarchy evaluation. This gives precise control over how your organization policies apply throughout your organization and where exceptions are made.

To learn more about hierarchy evaluation, see the Understanding Hierarchy page.

Violations

A violation occurs when a GCP service acts, or is in a state, contrary to the organization policy restrictions in effect for its position in the resource hierarchy. Normally, GCP services enforce a constraint at the time of the action, preventing the violation from ever occurring.

However, if a new organization policy restricts an action or state that a service is already in, the existing resource stays as it is and is now in violation. Organization policy enforcement is not retroactive: the service does not reconfigure or delete existing resources when a policy is set, which avoids the risk of enforcement taking down running workloads and breaking business continuity. After setting a new policy, audit existing resources for violations and remediate them yourself.
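The following is an added example, not code from the Organization Policy Service or its documentation. It models the three points made above: the two constraint types from the table (a list constraint on external IPs and a boolean constraint on serial port access), inheritance with override versus merge down an organization → folder → project chain, and a non-retroactive audit that lists resources already in a violating state. The policy dictionaries use the v1 shape that `gcloud resource-manager org-policies describe` prints (`listPolicy`, `booleanPolicy`, `restoreDefault`); the merge rules modelled are the documented ones for `allowedValues`, `deniedValues`, `inheritFromParent` and `restoreDefault`, and `allValues` is deliberately left out. The organization id, folder, projects, instance names, constraint defaults and inventory are all constructed for the example.

```python
"""Evaluate Organization Policy inheritance for list and boolean constraints.

Added example; not code from the Organization Policy Service. Policies use
the v1 shape (listPolicy / booleanPolicy / restoreDefault). allValues is not
modelled. All names and data below are constructed.
"""

EXTERNAL_IP = "constraints/compute.vmExternalIpAccess"
SERIAL_PORT = "constraints/compute.disableSerialPortAccess"

# Behaviour when no policy is set anywhere in the chain (assumed defaults for
# these two constraints): any instance may have an external IP, and serial
# port access is not disabled.
LIST_DEFAULT_ALLOW = {EXTERNAL_IP: True}
BOOLEAN_DEFAULT = {SERIAL_PORT: False}

# Constructed hierarchy: child -> parent. The root organization has no parent.
PARENT = {
    "folders/F1": "organizations/1234",
    "projects/P1": "folders/F1",
    "projects/P2": "organizations/1234",
}

# Constructed policies keyed by (resource node, constraint).
POLICIES = {
    # Organization: a single instance may have an external IP, and serial
    # port access is disabled everywhere.
    ("organizations/1234", EXTERNAL_IP): {
        "listPolicy": {"allowedValues": ["projects/P1/zones/Z1/instances/123"]}},
    ("organizations/1234", SERIAL_PORT): {"booleanPolicy": {"enforced": True}},
    # Folder F1 merges with the inherited policy: one more instance is allowed.
    ("folders/F1", EXTERNAL_IP): {
        "listPolicy": {"allowedValues": ["projects/P1/zones/Z1/instances/456"],
                       "inheritFromParent": True}},
    # Project P1 overrides the inherited list instead of merging with it, and
    # turns the boolean constraint off for itself.
    ("projects/P1", EXTERNAL_IP): {
        "listPolicy": {"allowedValues": ["projects/P1/zones/Z1/instances/789"],
                       "inheritFromParent": False}},
    ("projects/P1", SERIAL_PORT): {"booleanPolicy": {"enforced": False}},
    # Project P2 drops back to the constraint default.
    ("projects/P2", EXTERNAL_IP): {"restoreDefault": {}},
}


def lineage(node):
    """Return the chain of nodes from the root organization down to `node`."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT.get(node)
    return chain[::-1]


def effective_list_policy(node, constraint):
    """Fold each node's list policy from the root down to `node`.

    Returns (allowed, denied); two empty sets mean "constraint default".
    """
    allowed, denied = set(), set()
    for n in lineage(node):
        policy = POLICIES.get((n, constraint))
        if policy is None:
            continue  # nothing set here: the inherited policy passes through
        if "restoreDefault" in policy:
            allowed, denied = set(), set()
            continue
        lp = policy["listPolicy"]
        if not lp.get("inheritFromParent", False):
            allowed, denied = set(), set()  # override rather than merge
        allowed |= set(lp.get("allowedValues", []))
        denied |= set(lp.get("deniedValues", []))
    return allowed, denied


def is_value_allowed(node, constraint, value):
    """Decide whether `value` may be used under the effective policy at `node`."""
    allowed, denied = effective_list_policy(node, constraint)
    if value in denied:
        return False
    if allowed:
        return value in allowed  # an allow-list denies everything not on it
    return LIST_DEFAULT_ALLOW[constraint]


def is_enforced(node, constraint):
    """Boolean constraints do not merge: the nearest policy to `node` wins."""
    enforced = BOOLEAN_DEFAULT[constraint]
    for n in lineage(node):
        policy = POLICIES.get((n, constraint))
        if policy is None:
            continue
        if "restoreDefault" in policy:
            enforced = BOOLEAN_DEFAULT[constraint]
        else:
            enforced = policy["booleanPolicy"]["enforced"]
    return enforced


def audit_violations(node, constraint, existing_values):
    """List resources already in a state the effective policy forbids.

    Enforcement is not retroactive, so the service leaves these as they are;
    the administrator has to find and remediate them.
    """
    return sorted(v for v in existing_values
                  if not is_value_allowed(node, constraint, v))


if __name__ == "__main__":
    # Constructed inventory: instances in P1 that already hold an external IP.
    inventory = ["projects/P1/zones/Z1/instances/123",
                 "projects/P1/zones/Z1/instances/789"]
    print("F1 effective:", effective_list_policy("folders/F1", EXTERNAL_IP))
    print("P1 violations:", audit_violations("projects/P1", EXTERNAL_IP, inventory))
    print("serial port disabled in P1/P2:",
          is_enforced("projects/P1", SERIAL_PORT), is_enforced("projects/P2", SERIAL_PORT))
```

Instance 123 is allowed at the organization and at folder F1, but P1's policy replaces the inherited list, so an instance 123 that already has an external IP shows up in the P1 audit as a violation: the policy would block attaching that address now, but it does not remove the one already attached. To check the real effective policy on a node, compare the model's output with `gcloud resource-manager org-policies describe CONSTRAINT --project PROJECT --effective`.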

Next steps
