Introduction to the Organization Policy Service

This page describes the basic concepts of the Organization Policy service for Google Cloud Platform.

The Organization Policy service gives you central, programmatic control over your Organization's Cloud resources. It provides a simple mechanism for you to restrict allowed configurations across your entire Cloud Resource hierarchy.

Organization policies provide the following benefits:

  • Policies can be set per project or per organization.
  • Policies are inherited down the resource hierarchy, and can be overridden at any level on which an org policy can be set.
  • Policies are not necessarily managed by the owner of the resource. Instead, policies are managed by your organization's policy administrator (IAM role: roles/orgpolicy.policyAdmin). This means that individual users and project owners cannot override policies.

To use the Organization Policy service API together with the Projects and Organizations service, you must enable the Google Cloud Resource Manager API on the consumer project.

Organization policy IAM role

To set or clear an organization policy, a user must be assigned the IAM role Resource Manager/Organization Policy Administrator (roles/orgpolicy.policyAdmin). This role is grantable only at the organization level. Members of this role define the restrictions an organization places on the configuration of cloud resources by setting policies. Because the role cannot be granted on resources below the organization level, project owners, who have permission to set IAM permissions on their own projects, cannot add themselves to the role on the projects they own; the projects therefore remain in compliance and their policies cannot be overridden by a project owner.

Two essential concepts are at the heart of the Organization Policy service: constraints and policies.

A constraint defines an aspect of a resource's configuration that can be controlled, and serves as a sort of schema for an organization policy. An organization policy defines the boundaries of allowable configuration for the aspect defined by the associated constraint on a given resource and all of its descendant resources in the resource hierarchy (unless overridden by another policy lower in the hierarchy).

Constraints

A constraint describes a way in which a resource's configuration can be restricted. For example, a constraint might control which APIs can be enabled on projects in an organization. Resource configurations can be restricted by the organization's policy administrator to fit the needs of the organization by setting policies for constraints at different locations in the organization's resource hierarchy. Understanding Constraints describes them in more detail.

Policies

An organization policy enables you to control the organization-level configuration of Cloud resources. For example, in Google Compute Engine you can restrict whether or not serial port access is enabled.

A policy respects the hierarchy of resources. That is, a policy applied to a parent resource automatically applies to all of its descendant resources, unless augmented or overridden by a policy lower in the hierarchy.

For details about the inheritance rules, read Understanding Policies and Hierarchical Evaluation.

Currently, organization policies can be defined and set using the Organization Policy service APIs, which are part of the Google Cloud Resource Manager API set.
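The following is an added example, not code from the Google Cloud documentation or the Resource Manager API: a small model of how the constraint and policy concepts above combine with hierarchical inheritance to yield an effective policy for a resource. The resource tree, the policies, and the resolution rules (nearest policy wins for a boolean constraint; list values merge upward only while inheritFromParent is set, and allowed/denied conflicts are not resolved) are simplifying assumptions; the constraint names are real, the values are constructed.

```python
# Constructed resource hierarchy (child -> parent); None marks the root.
PARENT = {
    "projects/app-prod": "folders/finance",
    "folders/finance": "organizations/123456",
    "organizations/123456": None,
}

# Constructed policies keyed by (resource, constraint name). The constraint
# names are real Organization Policy constraints; the values are made up.
POLICIES = {
    ("organizations/123456", "constraints/compute.disableSerialPortAccess"):
        {"enforced": True},
    ("folders/finance", "constraints/compute.disableSerialPortAccess"):
        {"enforced": False},  # the policy admin relaxes it for this folder
    ("organizations/123456", "constraints/serviceuser.services"):
        {"deniedValues": ["compute.googleapis.com"]},
    ("folders/finance", "constraints/serviceuser.services"):
        {"inheritFromParent": True, "deniedValues": ["bigquery.googleapis.com"]},
}

def ancestry(resource):
    """Yield the resource followed by its ancestors, nearest first."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]

def effective_boolean(constraint, resource, policies=POLICIES):
    """Boolean constraint: the nearest policy up the hierarchy decides;
    with no policy anywhere the constraint is not enforced (assumed default)."""
    for node in ancestry(resource):
        policy = policies.get((node, constraint))
        if policy is not None:
            return bool(policy.get("enforced", False))
    return False

def effective_list(constraint, resource, policies=POLICIES):
    """List constraint: merge values upward while each policy sets
    inheritFromParent; a policy without it replaces everything above it."""
    allowed, denied = set(), set()
    for node in ancestry(resource):
        policy = policies.get((node, constraint))
        if policy is None:
            continue
        allowed.update(policy.get("allowedValues", []))
        denied.update(policy.get("deniedValues", []))
        if not policy.get("inheritFromParent", False):
            break
    return sorted(allowed), sorted(denied)
```

Evaluating the project shows both behaviours: serial port access is enforced at the organization but relaxed by the folder policy, while the denied API list accumulates from both levels because the folder policy inherits from its parent.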
