The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. As the organization policy administrator, you will be able to configure constraints across your entire resource hierarchy.
Benefits
- Centralize control to configure restrictions on how your organization’s resources can be used.
- Define and establish guardrails for your development teams to stay within compliance boundaries.
- Help project owners and their teams move quickly without worry of breaking compliance.
Common use cases
Organization policies allow you to do the following:
- Limit resource sharing based on domain.
- Limit the usage of Identity and Access Management service accounts.
- Restrict the physical location of newly created resources.
There are many more constraints that give you fine-grained control of your organization's resources. For more information, see the list of all Organization Policy Service constraints.
Differences from Identity and Access Management
Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions.
Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.
Key Concepts
Organization policy
An organization policy configures a single constraint that restricts one or more Google Cloud services. The organization policy is set on an organization, folder, or project resource to enforce the constraint on that resource and any child resources.
An organization policy contains one or more rules that specify how, and whether, to enforce the constraint. For example, an organization policy could contain one rule that enforces the constraint only on resources tagged environment=development, and another rule that prevents the constraint from being enforced on other resources.
Descendants of the resource to which the organization policy is attached inherit the organization policy. By applying an organization policy to the organization resource, the organization policy administrator can control enforcement of that organization policy and configuration of restrictions across your organization.
Constraints
A constraint is a particular type of restriction against a Google Cloud service or a list of Google Cloud services. Think of the constraint as a blueprint that defines what behaviors are controlled. This blueprint is then applied to a resource in your resource hierarchy as an organization policy, which implements the rules defined in the constraint. The Google Cloud service mapped to that constraint and associated with that resource hierarchy node will then enforce the restrictions configured within the organization policy.
A constraint has a type, either list or boolean. A list constraint is evaluated against a list of allowed or denied values that you provide. For example, the following constraint restricts the IP addresses that can connect to a virtual machine:
name: organizations/ORGANIZATION_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
  - values:
      allowedValues:
      - projects/PROJECT_NAME/zones/ZONE_ID/instances/INSTANCE_NAME
      - projects/PROJECT_NAME/zones/ZONE_ID/instances/ANOTHER_INSTANCE_NAME
Boolean constraints are either enforced or not enforced for a given resource, and govern a specific behavior. For example, the following constraint determines whether external service accounts can be created:
name: organizations/ORGANIZATION_ID/policies/iam.disableServiceAccountCreation
spec:
  rules:
  - enforce: true
Tags provide a way to conditionally enforce constraints based on whether a resource has a specific tag. You can use tags and conditional enforcement of constraints to provide centralized control of the resources in your hierarchy.
For example, the following constraint disables Cloud Logging for resources that are tagged with environment=development, but enables it everywhere else:
name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
spec:
  rules:
  - condition:
      expression: resource.matchTag("ORGANIZATION_ID/environment", "development")
      title: ""
    enforce: true
  - enforce: false
Each Google Cloud service evaluates constraint types and values to determine what should be restricted. To learn more about constraints, see the Understanding Constraints page.
Custom constraints
Custom constraints can allow or restrict resource creation and updates in the same way that predefined constraints do, but allow administrators to configure conditions based on request parameters and other metadata.
You can create custom constraints that restrict operations on certain service resources, such as Dataproc NodePool resources. For a list of service resources that support custom constraints, see Custom constraint supported services.
To learn more about using custom constraints in your organization policies, see Creating and managing custom constraints.
Inheritance
When an organization policy is set on a resource, all descendants of that resource inherit the organization policy by default. If you set an organization policy on the organization resource, then the configuration of restrictions defined by that policy will be passed down through all descendant folders, projects, and service resources.
A user with the Organization Policy Administrator role can set descendant resource hierarchy nodes with another organization policy that either overwrites the inheritance, or merges them based on the rules of hierarchy evaluation. This provides precise control for how your organization policies apply throughout your organization, and where you want exceptions made.
To learn more about hierarchy evaluation, see the Understanding Hierarchy page.
Violations
A violation is when a Google Cloud service acts or is in a state that is counter to the organization policy restriction configuration within the scope of its resource hierarchy. Google Cloud services will enforce constraints to prevent violations, but the application of new organization policies is usually not retroactive. If an organization policy constraint is retroactively enforced, it will be labeled as such on the Organization Policy Constraints page.
If a new organization policy sets a restriction on an action or state that a service is already in, the policy is considered to be in violation, but the service does not stop its original behavior. You need to address this violation manually. This prevents a new organization policy from abruptly disrupting your business continuity.
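The constraint types, tag-conditioned rules, inheritance and non-retroactive violations described above, as an added example that is not Google's code and does not reproduce the Organization Policy Service's real evaluation logic: a simplified Python model in which the three organization-level policies mirror the YAML on this page as dicts, the folder-level override, the resource hierarchy, the tag bindings and all IDs (organization number, folder, project and instance names) are constructed placeholders, the nearest ancestor's policy is assumed to overwrite inherited ones, and the first rule whose condition matches the resource's effective tags is assumed to apply.

```python
import re
from typing import Optional

# Constructed placeholder for ORGANIZATION_ID.
ORG = "organizations/123456789"

# Organization policies keyed by the resource they are attached to. The three
# policies on ORG mirror the YAML examples on this page (as dicts); the
# folder-level policy is a constructed override of the inherited boolean one.
POLICIES = {
    ORG: {
        "compute.vmExternalIpAccess": {"rules": [{"values": {"allowedValues": [
            "projects/prod-app/zones/us-central1-a/instances/bastion",
        ]}}]},
        "iam.disableServiceAccountCreation": {"rules": [{"enforce": True}]},
        "gcp.disableCloudLogging": {"rules": [
            {"condition": {"expression":
                 'resource.matchTag("123456789/environment", "development")'},
             "enforce": True},
            {"enforce": False},
        ]},
    },
    "folders/sandbox": {
        "iam.disableServiceAccountCreation": {"rules": [{"enforce": False}]},
    },
}

# Constructed hierarchy (child -> parent) and tag bindings.
PARENTS = {
    "folders/sandbox": ORG,
    "projects/dev-app": "folders/sandbox",
    "projects/prod-app": ORG,
}
TAGS = {"projects/dev-app": {"123456789/environment": "development"}}

# Only the resource.matchTag(key, value) form used on this page is supported.
_MATCH_TAG = re.compile(r'resource\.matchTag\("([^"]+)",\s*"([^"]+)"\)')


def ancestry(resource: str) -> list:
    """The resource followed by its ancestors up to the organization."""
    chain = [resource]
    while chain[-1] in PARENTS:
        chain.append(PARENTS[chain[-1]])
    return chain


def effective_tags(resource: str) -> dict:
    """Tags bound to the resource or an ancestor; the closest binding wins
    (a simplifying assumption of this model)."""
    tags = {}
    for node in reversed(ancestry(resource)):
        tags.update(TAGS.get(node, {}))
    return tags


def effective_policy(resource: str, constraint: str) -> Optional[dict]:
    """Nearest policy for the constraint walking up the hierarchy. Assumption:
    the closest ancestor's policy overwrites inherited ones (no merging)."""
    for node in ancestry(resource):
        policy = POLICIES.get(node, {}).get(constraint)
        if policy is not None:
            return policy
    return None


def condition_matches(rule: dict, tags: dict) -> bool:
    """A rule with no condition matches every resource."""
    cond = rule.get("condition")
    if cond is None:
        return True
    m = _MATCH_TAG.fullmatch(cond["expression"].strip())
    if m is None:
        raise ValueError("unsupported condition: " + cond["expression"])
    key, value = m.groups()
    return tags.get(key) == value


def applicable_rule(resource: str, constraint: str) -> Optional[dict]:
    """First rule of the effective policy whose condition matches (assumption)."""
    policy = effective_policy(resource, constraint)
    if policy is None:
        return None
    tags = effective_tags(resource)
    for rule in policy["rules"]:
        if condition_matches(rule, tags):
            return rule
    return None


def is_enforced(resource: str, constraint: str) -> bool:
    """Boolean constraint: enforced only if the applicable rule says so."""
    rule = applicable_rule(resource, constraint)
    return bool(rule and rule.get("enforce", False))


def is_value_allowed(resource: str, constraint: str, value: str) -> bool:
    """List constraint: deniedValues reject, allowedValues restrict, and no
    applicable rule leaves the value unrestricted."""
    rule = applicable_rule(resource, constraint)
    if rule is None:
        return True
    values = rule.get("values", {})
    if value in values.get("deniedValues", []):
        return False
    if "allowedValues" in values:
        return value in values["allowedValues"]
    return True


def find_violations(external_ip_instances: list) -> list:
    """Policies are not retroactive: instances that already have an external
    IP are reported as violations for manual follow-up, not shut down."""
    return [inst for inst in external_ip_instances
            if not is_value_allowed(inst.split("/zones/")[0],
                                    "compute.vmExternalIpAccess", inst)]


if __name__ == "__main__":
    print(is_enforced("projects/dev-app", "gcp.disableCloudLogging"))        # True
    print(is_enforced("projects/prod-app", "gcp.disableCloudLogging"))       # False
    print(is_enforced("projects/prod-app", "iam.disableServiceAccountCreation"))  # True
    print(is_enforced("projects/dev-app", "iam.disableServiceAccountCreation"))   # False
    print(find_violations([
        "projects/prod-app/zones/us-central1-a/instances/bastion",
        "projects/prod-app/zones/us-central1-a/instances/legacy-web",
    ]))  # ['projects/prod-app/zones/us-central1-a/instances/legacy-web']
```

Running the script shows the tagged development project inheriting the conditional logging rule from the organization, the production project falling through to the unconditional rule, the folder-level policy overriding the organization's boolean constraint for its child project, and a pre-existing instance that the new list constraint would not allow being reported rather than stopped.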
Next steps
- Read the Creating and Managing Organizations page to learn how to acquire an organization resource.
- Read about how to create and manage organization policies with the Google Cloud console.
- Learn how to define organization policies using constraints.
- Explore the solutions you can accomplish with organization policy constraints.