Introduction to the Organization Policy Service

The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. As the organization policy administrator, you will be able to configure constraints across your entire resource hierarchy.

Benefits

  • Centralize control to configure restrictions on how your organization’s resources can be used.
  • Define and establish guardrails for your development teams to stay within compliance boundaries.
  • Help project owners and their teams move quickly without worry of breaking compliance.

Common use cases

Organization policies are made up of constraints that allow you to:

There are many more constraints that give you fine-grained control of your organization's resources. For more information, see the list of all Organization Policy Service constraints.

Differences from Identity and Access Management

Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions.

Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.

Key Concepts

Organization policy

An organization policy is a configuration of restrictions. You, as the organization policy administrator, define an organization policy, and you set that organization policy on organizations, folders, and projects in order to enforce the restrictions on that resource and its descendants.

In order to define an organization policy, you choose a constraint, which is a particular type of restriction against either a Google Cloud service or a group of Google Cloud services. You configure that constraint with your desired restrictions.

Descendants of the targeted resource hierarchy node inherit the organization policy. By applying an organization policy to the root organization node, you are able to effectively drive enforcement of that organization policy and configuration of restrictions across your organization.

Organization policy concepts

Constraints

A constraint is a particular type of restriction against a Google Cloud service or a list of Google Cloud services. Think of the constraint as a blueprint that defines what behaviors are controlled. This blueprint is then applied to a resource hierarchy node as an organization policy, which implements the rules defined in the constraint. The Google Cloud service mapped to that constraint and associated with that resource hierarchy node will then enforce the restrictions configured within the organization policy.

A constraint has a type, either list or boolean. List constraints evaluate the constraint with a list of allowed or denied values that you provide, such as an allowlist of IP addresses that can connect to a virtual machine. Boolean constraints are either enforced or not enforced for a given resource, and govern a specific behavior, such as whether external service accounts can be created.

Constraint type Business need Constraint configuration
List Restrict configuration of external IPs to a list of instances 
resource: "organizations/ORGANIZATION_ID"
policy: {
  constraint: "constraints/compute.vmExternalIpAccess"
  listPolicy: {
    allowedValues: [
      projects/PROJECT_NAME/zones/ZONE_ID/instances/INSTANCE_NAME,
      projects/PROJECT_NAME/zones/ZONE_ID/instances/INSTANCE_NAME
    ]
  }
}
Boolean Disable service account creation 
resource: "organizations/ORGANIZATION_ID"
policy: {
  constraint: "constraints/iam.disableServiceAccountCreation"
  booleanPolicy: {
    enforced: true
  }
}

Each Google Cloud service evaluates constraint types and values to determine what should be restricted. To learn more about constraints, see the Understanding Constraints page.

Custom constraints

Custom constraints can allow or restrict resource creation and updates in the same way that predefined constraints do, but allow administrators to configure conditions based on request parameters and other metadata.

You can create custom constraints that restrict operations on certain service resources, such as Dataproc NodePool resources. For a list of service resources that support custom constraints, see Custom constraint supported services.

To learn more about using custom constraints in your organization policies, see Creating and managing custom constraints.

Inheritance

When an organization policy is set on a resource hierarchy node, all descendants of that node inherit the organization policy by default. If you set an organization policy at the root organization node, then the configuration of restrictions defined by that policy will be passed down through all descendant folders, projects, and service resources.

A user with the Organization Policy Administrator role can set descendant resource hierarchy nodes with another organization policy that either overwrites the inheritance, or merges them based on the rules of hierarchy evaluation. This provides precise control for how your organization policies apply throughout your organization, and where you want exceptions made.

To learn more about hierarchy evaluation, see the Understanding Hierarchy page.

Violations

A violation is when a Google Cloud service acts or is in a state that is counter to the organization policy restriction configuration within the scope of its resource hierarchy. Google Cloud services will enforce constraints to prevent violations, but the application of new organization policies is usually not retroactive. If an organization policy constraint is retroactively enforced, it will be labeled as such on the Organization Policy Constraints page.

If a new organization policy sets a restriction on an action or state that a service is already in, the policy is considered to be in violation, but the service will not stop its original behavior. You will need to address this violation manually. This prevents the risk of a new organization policy completely shutting down your business continuity.

Next steps