Introduction to the Organization Policy Service

This page describes the basic concepts about the Organization Policy service for the Google Cloud Platform.

The Organization Policy service gives you central, programmatic control over your Organization's Cloud resources. It provides a simple mechanism for you to restrict allowed configurations across your entire Cloud Resource hierarchy.

Organization policies provide the following benefits:

  • Policies can be set per project or per organization.
  • Policies are inherited down the resource hierarchy, and can be overridden at any level on which an org policy can be set.
  • Policies are not necessarily managed by the owner of the resource. Instead, policies are managed by your organization's policy administrator (IAM role: roles/orgpolicy.policyAdmin). This means that individual users and project owners cannot override policies.

To be able to use the Organization Policy service API with the Projects and Organizations service, you must enable the Google Cloud Resource Manager API on the consumer project.

Beta caveats

Because this is a Beta release, it is important to discuss what happens in the unlikely event of an Organization Policy service outage.

If calls to the Organization Policy service fail due to an outage, you will not be able to update the organization policies on your resources. Enforcement of organization policies should be unaffected. In the worst-case scenario, an organization policy is set on a resource (for example, a policy that doesn't allow a fundamental API to be enabled on a project) and there is a production outage that could be solved by updating the policy. In this scenario, the outage may last longer than it would have otherwise. If you experience any outage of the Organization Policy service, please contact your sales or support partner.

Organization policy IAM role

In order to set or clear an organization policy, a user must be assigned the IAM role, Resource Manager/Organization Policy Administrator. This role is only grantable at the organization level. The members of this role can define what restrictions an organization wants to place on the configuration of cloud resources by setting policies. As mentioned earlier, this role cannot be granted at resources below organization-level. This ensures that the project owners, who have the permissions to set IAM permissions, are not able to add themselves to the role on the projects they own, ensuring that the projects remain in compliance and don't get overridden by a project owner.

Two essential concepts are at the heart of the Organization Policy service: constraints and policies.

A constraint defines an aspect of a resource's configuration that can be controlled, and serves as a sort of schema for an organization policy. An organization policy defines the boundaries of allowable configuration for the aspect defined by the associated constraint on a given resource and all descendant resources in the resource hierarchy (unless overridden by another policy lower in the hierarchy).

Constraints

A constraint describes a way in which a resource's configuration can be restricted. For example, a constraint might control which APIs can be enabled on projects in an organization. Resource configurations can be restricted by the organization's policy administrator to fit the needs of the organization by setting policies for constraints at different locations in the organization's resource hierarchy. Understanding Constraints describes them in more detail.

Policies

An organization policy enables you to control the organization-level configuration of Cloud resources. For example, in Google Compute Engine you can restrict whether or not serial port access is enabled.

A policy respects the hierarchy of resources. That is, a policy applied to a parent resource automatically applies to all its descendant resources, unless augmented or overridden with a policy lower in the hierarchy.

For details about the inheritance rules read Understanding Policies and Hierarchical Evaluation.
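The following is an added example, not code from this documentation or from Google, that models the inheritance behaviour described above for both kinds of policy: a boolean policy set lower in the hierarchy overrides the parent's, and a list policy either augments the parent's effective policy (inheritFromParent) or replaces it. The two constraint names are Google Cloud's published names for the examples mentioned on this page (serial port access, and which APIs may be enabled); the organization, folder and project IDs and the policies set on them are constructed sample data, and the treatment of a constraint with no policy set anywhere (allowed) is a simplifying assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union


@dataclass
class BooleanPolicy:
    """Policy for a boolean constraint: enforced=True turns the restriction on."""
    enforced: bool


@dataclass
class ListPolicy:
    """Policy for a list constraint. inherit_from_parent=True augments the
    parent's effective policy instead of replacing it."""
    allowed: Set[str] = field(default_factory=set)
    denied: Set[str] = field(default_factory=set)
    inherit_from_parent: bool = False


Policy = Union[BooleanPolicy, ListPolicy]


@dataclass
class Resource:
    """A node in the resource hierarchy (organization, folder or project)."""
    name: str
    parent: Optional["Resource"] = None
    policies: Dict[str, Policy] = field(default_factory=dict)


def ancestry(resource: Resource) -> List[Resource]:
    """Return the chain from the root (organization) down to `resource`."""
    chain: List[Resource] = []
    node: Optional[Resource] = resource
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()
    return chain


def effective_policy(resource: Resource, constraint: str) -> Optional[Policy]:
    """Walk root -> resource, applying each policy set for `constraint`."""
    effective: Optional[Policy] = None
    for node in ancestry(resource):
        policy = node.policies.get(constraint)
        if policy is None:
            continue  # nothing set here: the parent's effective policy carries down
        if isinstance(policy, BooleanPolicy):
            effective = BooleanPolicy(policy.enforced)  # boolean policies always override
        elif policy.inherit_from_parent and isinstance(effective, ListPolicy):
            # augment: merge this policy's values into the inherited ones
            effective = ListPolicy(effective.allowed | policy.allowed,
                                   effective.denied | policy.denied, True)
        else:
            # replace: this policy becomes the effective policy from here down
            effective = ListPolicy(set(policy.allowed), set(policy.denied),
                                   policy.inherit_from_parent)
    return effective


def is_allowed(resource: Resource, constraint: str, value: Optional[str] = None) -> bool:
    """Evaluate the effective policy for one configuration value."""
    policy = effective_policy(resource, constraint)
    if policy is None:
        return True  # assumption: no policy anywhere means the value is allowed
    if isinstance(policy, BooleanPolicy):
        return not policy.enforced
    if value in policy.denied:
        return False  # denied values win over allowed ones
    if policy.allowed:
        return value in policy.allowed  # an explicit allow list denies everything else
    return True


SERIAL = "constraints/compute.disableSerialPortAccess"
SERVICES = "constraints/serviceuser.services"


def build_sample_hierarchy() -> Dict[str, Resource]:
    """Constructed sample hierarchy: one organization, one folder, three projects."""
    org = Resource("organizations/000000000000", policies={
        SERIAL: BooleanPolicy(enforced=True),
        SERVICES: ListPolicy(allowed={"compute.googleapis.com", "storage.googleapis.com"}),
    })
    folder = Resource("folders/111111111111", parent=org)
    inherits = Resource("projects/inherits-org", parent=folder)
    augmented = Resource("projects/adds-bigquery", parent=folder, policies={
        SERVICES: ListPolicy(allowed={"bigquery.googleapis.com"}, inherit_from_parent=True),
    })
    overridden = Resource("projects/serial-ok", parent=folder, policies={
        SERIAL: BooleanPolicy(enforced=False),
        SERVICES: ListPolicy(allowed={"storage.googleapis.com"}),
    })
    return {r.name: r for r in (org, folder, inherits, augmented, overridden)}


if __name__ == "__main__":
    hierarchy = build_sample_hierarchy()
    for name in ("projects/inherits-org", "projects/adds-bigquery", "projects/serial-ok"):
        r = hierarchy[name]
        print(name, "serial port:", is_allowed(r, SERIAL),
              "bigquery:", is_allowed(r, SERVICES, "bigquery.googleapis.com"),
              "compute:", is_allowed(r, SERVICES, "compute.googleapis.com"))
```

Running the script shows the three cases side by side: the project with no policy of its own inherits the organization's restrictions unchanged, the project that inherits and adds a value ends up with the union of both allow lists, and the project that replaces the policy keeps only the values it set. In a real deployment only a member of the Organization Policy Administrator role can create the project-level policies modelled here, which is what keeps a project owner from loosening the organization's settings.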

Currently, organization policies can be defined and set using the Organization Policy service APIs, which are part of the Google Cloud Resource Manager API set.
