Introduction to the Organization Policy Service

The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. As the organization policy administrator, you can configure constraints across your entire resource hierarchy.

Benefits

  • Centralize control to configure restrictions on how your organization’s resources can be used.
  • Define and establish guardrails for your development teams to stay within compliance boundaries.
  • Help project owners and their teams move quickly without worrying about breaking compliance.

Common use cases

Organization policies allow you to do the following:

There are many more constraints that give you fine-grained control of your organization's resources. For more information, see the list of all Organization Policy Service constraints.

Differences from Identity and Access Management

Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions.

Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured.

Key Concepts

Organization policy

An organization policy configures a single constraint that restricts one or more Google Cloud services. The organization policy is set on an organization, folder, or project resource to enforce the constraint on that resource and any child resources.

An organization policy contains one or more rules that specify how, and whether, to enforce the constraint. For example, an organization policy could contain one rule that enforces the constraint only on resources tagged environment=development, and another rule that prevents the constraint from being enforced on other resources.

Descendants of the resource to which the organization policy is attached inherit the organization policy. By applying an organization policy to the organization resource, the organization policy administrator can control enforcement of that organization policy and configuration of restrictions across your organization.

Organization policy concepts

Constraints

A constraint is a particular type of restriction against a Google Cloud service or a list of Google Cloud services. Think of the constraint as a blueprint that defines what behaviors are controlled. This blueprint is then applied to a resource in your resource hierarchy as an organization policy, which implements the rules defined in the constraint. The Google Cloud service mapped to that constraint and associated with that resource hierarchy node will then enforce the restrictions configured within the organization policy.

A constraint has a type, either list or boolean. A list constraint is evaluated against a list of allowed or denied values that you provide. For example, the following organization policy uses the compute.vmExternalIpAccess constraint to restrict which VM instances may be assigned an external IP address; any instance not on the allowed list is blocked from getting one:

name: organizations/ORGANIZATION_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
  - values:
      allowedValues:
      - projects/PROJECT_NAME/zones/ZONE_ID/instances/INSTANCE_NAME
      - projects/PROJECT_NAME/zones/ZONE_ID/instances/ANOTHER_INSTANCE_NAME

Boolean constraints are either enforced or not enforced for a given resource, and govern a specific behavior. For example, the following organization policy enforces the iam.disableServiceAccountCreation constraint, which determines whether service accounts can be created in the projects under the resource it is set on:

name: organizations/ORGANIZATION_ID/policies/iam.disableServiceAccountCreation
spec:
  rules:
  - enforce: true

Tags provide a way to conditionally enforce constraints based on whether a resource has a specific tag. You can use tags and conditional enforcement of constraints to provide centralized control of the resources in your hierarchy.

For example, the following constraint disables Cloud Logging for resources that are tagged with environment=development, but enables it everywhere else:

name: organizations/ORGANIZATION_ID/policies/gcp.disableCloudLogging
spec:
  rules:
  - condition:
      expression: resource.matchTag("ORGANIZATION_ID/environment", "development")
      title: ""
    enforce: true
  - enforce: false

Each Google Cloud service evaluates constraint types and values to determine what should be restricted. To learn more about constraints, see the Understanding Constraints page.

Custom organization policies

Custom organization policies can allow or restrict resource creation and updates in the same way that predefined organization policies do, but allow administrators to configure conditions based on request parameters and other metadata.

You can create custom organization policies with constraints that restrict operations on certain service resources, such as Dataproc NodePool resources. For a list of service resources that support custom constraints, see Custom constraint supported services.

To learn more about using custom organization policies, see Creating and managing custom organization policies.
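As an added example (not from this page, and not the service's own sample), here is what a custom constraint and the organization policy that enforces it look like. It uses a GKE node pool rather than the Dataproc resource mentioned above; the constraint name custom.gkeNodePoolAutoUpgrade, the organization ID, and the field resource.management.autoUpgrade are illustrative placeholders. With actionType ALLOW, the request is allowed only when the condition evaluates to true, so a CREATE or UPDATE that leaves auto-upgrade off is rejected:

```yaml
# Custom constraint definition (first file). Evaluated against the request
# payload of the named methods, which is what lets it inspect resource fields.
name: organizations/ORGANIZATION_ID/customConstraints/custom.gkeNodePoolAutoUpgrade
resourceTypes:
- container.googleapis.com/NodePool
methodTypes:
- CREATE
- UPDATE
condition: "resource.management.autoUpgrade == true"
actionType: ALLOW
displayName: Require auto-upgrade on GKE node pools
description: Node pools may only be created or updated with management.autoUpgrade enabled.
---
# Organization policy that enforces the custom constraint (second file).
# Same shape as the boolean policies earlier on this page.
name: organizations/ORGANIZATION_ID/policies/custom.gkeNodePoolAutoUpgrade
spec:
  rules:
  - enforce: true
```

The two documents are applied separately: the constraint with gcloud org-policies set-custom-constraint and the policy with gcloud org-policies set-policy. Defining a custom constraint does nothing on its own; only the organization policy that references it causes enforcement.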

Inheritance

When an organization policy is set on a resource, all descendants of that resource inherit the organization policy by default. If you set an organization policy on the organization resource, then the configuration of restrictions defined by that policy will be passed down through all descendant folders, projects, and service resources.

A user with the Organization Policy Administrator role can set a different organization policy on a descendant node that either overrides the inherited policy or merges with it, according to the rules of hierarchy evaluation (for list constraints, the policy's inheritFromParent setting selects merge or override). This gives precise control over how your organization policies apply throughout your organization and where exceptions are made. Because an override at a folder or project can silently relax a control set at the organization, review descendant policies as part of any change to an organization-level policy.

To learn more about hierarchy evaluation, see the Understanding Hierarchy page.
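The two behaviours described above, conditional enforcement keyed on tags (the gcp.disableCloudLogging example) and merge-versus-override inheritance for a list constraint, as a small local model in Python. This is an added example, not code from this page or from Google's own evaluator; it only implements the semantics stated here (a conditional rule applies when its tag condition matches, otherwise the unconditional rule applies; inheritFromParent: true unions a policy's allowedValues with the inherited set, false replaces it). The organization ID, folder, projects and instance names are constructed:

```python
import re
from typing import Dict, List

# Constructed identifiers for the example hierarchy.
ORG = "123456789012"

# Boolean constraint with a tag condition, mirroring the page's
# gcp.disableCloudLogging policy: enforced only for environment=development.
DISABLE_LOGGING_POLICY = {
    "name": f"organizations/{ORG}/policies/gcp.disableCloudLogging",
    "spec": {
        "rules": [
            {
                "condition": {
                    "expression": f'resource.matchTag("{ORG}/environment", "development")'
                },
                "enforce": True,
            },
            {"enforce": False},
        ]
    },
}

# List constraint (compute.vmExternalIpAccess) set at three levels of the
# constructed hierarchy. The folder merges with its parent; the project overrides.
ORG_VM_IP_POLICY = {
    "name": f"organizations/{ORG}/policies/compute.vmExternalIpAccess",
    "spec": {"rules": [{"values": {"allowedValues": [
        "projects/shared-net/zones/us-central1-a/instances/bastion"]}}]},
}
FOLDER_VM_IP_POLICY = {
    "name": "folders/111/policies/compute.vmExternalIpAccess",
    "spec": {"inheritFromParent": True, "rules": [{"values": {"allowedValues": [
        "projects/team-a/zones/us-central1-a/instances/nat-gw"]}}]},
}
PROJECT_VM_IP_POLICY = {
    "name": "projects/team-a-sandbox/policies/compute.vmExternalIpAccess",
    "spec": {"inheritFromParent": False, "rules": [{"values": {"allowedValues": [
        "projects/team-a-sandbox/zones/us-central1-a/instances/scratch-vm"]}}]},
}

# The only CEL function this model understands: resource.matchTag("KEY", "VALUE").
_MATCH_TAG = re.compile(r'resource\.matchTag\("([^"]+)",\s*"([^"]+)"\)')


def condition_matches(expression: str, tags: Dict[str, str]) -> bool:
    """Return True if the resource's tags satisfy a matchTag condition.

    Any other expression is rejected rather than silently treated as false,
    so an unsupported condition cannot quietly turn into "not enforced".
    """
    m = _MATCH_TAG.fullmatch(expression.strip())
    if not m:
        raise ValueError(f"unsupported condition expression: {expression!r}")
    key, value = m.groups()
    return tags.get(key) == value


def is_enforced(policy: dict, tags: Dict[str, str]) -> bool:
    """Boolean constraint: the first rule whose condition matches the resource wins;
    if no conditional rule matches, the unconditional rule applies; with neither,
    this policy does not enforce the constraint (simplified model)."""
    unconditional = None
    for rule in policy["spec"].get("rules", []):
        cond = rule.get("condition")
        if cond is None:
            unconditional = rule
        elif condition_matches(cond["expression"], tags):
            return bool(rule.get("enforce", False))
    return bool(unconditional.get("enforce", False)) if unconditional else False


def effective_allowed_values(chain: List[dict]) -> List[str]:
    """List constraint: fold the policies from the organization down to the target.
    inheritFromParent: true unions this policy's allowedValues with the set
    inherited so far; false (the proto default) replaces it."""
    effective: set = set()
    for policy in chain:
        spec = policy["spec"]
        own = set()
        for rule in spec.get("rules", []):
            own.update(rule.get("values", {}).get("allowedValues", []))
        effective = (effective | own) if spec.get("inheritFromParent", False) else own
    return sorted(effective)


if __name__ == "__main__":
    dev = {f"{ORG}/environment": "development"}
    prod = {f"{ORG}/environment": "production"}
    print("logging disabled for dev resource:", is_enforced(DISABLE_LOGGING_POLICY, dev))
    print("logging disabled for prod resource:", is_enforced(DISABLE_LOGGING_POLICY, prod))
    print("folder effective:", effective_allowed_values([ORG_VM_IP_POLICY, FOLDER_VM_IP_POLICY]))
    print("project effective:", effective_allowed_values(
        [ORG_VM_IP_POLICY, FOLDER_VM_IP_POLICY, PROJECT_VM_IP_POLICY]))
```

The model shows the point that matters operationally: the sandbox project's override drops the organization's bastion from the allowed list entirely, not just adds to it. Against a real hierarchy, the equivalent check is gcloud org-policies describe CONSTRAINT --project=PROJECT_ID --effective, which returns the policy after inheritance has been resolved, and gcloud org-policies set-policy FILE applies a policy document like the ones above.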

Violations

A violation occurs when a Google Cloud service performs an action, or is in a state, that contradicts the organization policy restriction in effect for its position in the resource hierarchy. Google Cloud services enforce constraints to prevent new violations, but a newly applied organization policy is usually not retroactive. If a constraint is enforced retroactively, it is labeled as such on the Organization Policy Constraints page.

If a new organization policy restricts an action or state that a service is already performing or in, the existing configuration is considered a violation, but the service does not stop its original behavior. You must remediate the violation manually. This prevents a new organization policy from abruptly disrupting business continuity, but it also means that applying a policy is not the same as being compliant with it: audit existing resources for violations after you set a new constraint.

Next steps