Examples of organization restrictions

Stay organized with collections Save and categorize content based on your preferences.

This page describes several common examples of how to use organization restrictions.

Restrict access only to your organization

In this example, the Google Cloud administrator and egress proxy administrator of Organization A engage together to restrict employees to only access resources in their Google Cloud organization.

To restrict access only to your organization, do the following:

  1. As a Google Cloud administrator, get the Google Cloud organization ID of Organization A by using the following command:

        gcloud organizations list
        DISPLAY_NAME: Organization A
        ID: 123456789
        DIRECTORY_CUSTOMER_ID: a1b2c3d4
    
  2. As an egress proxy administrator, after you get the organization ID from the Google Cloud administrator, compose the JSON representation for the header value in the following format:

     {
     "resources": ["organizations/123456789"],
      "options": "strict"
     }
    
  3. As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, the following is the encoding through basenc:

     $ cat authorized_orgs.json | basenc --base64url -w0
     ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
    
  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted in all of the requests originating from the managed devices in Organization A:

     X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
    

Allow employees access to a vendor Google Cloud organization

In this example, the Google Cloud administrator and egress proxy administrator of Organization B engage together to allow employees to access a vendor Google Cloud organization in addition to their existing Google Cloud organization.

To restrict employee access only to your organization and the vendor organization, do the following:

  1. As a Google Cloud administrator, engage with the vendor to get the Google Cloud organization ID of the vendor organization.

  2. As an egress proxy administrator, to include the vendor organization ID in addition to the existing organization ID, you must update the JSON representation for the header value. After you get the vendor organization ID from the Google Cloud administrator, update the header value in the following format:

     {
     "resources": ["organizations/1234", "organizations/3456"],
      "options": "strict"
     }
    
  3. As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, the following is the encoding through basenc:

     $ cat authorized_orgs.json | basenc --base64url -w0
     ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
    
  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted in all of the requests originating from the managed devices in Organization B:

     X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
    

    The employees of Organization B now have access to both the vendor and their Google Cloud organizations.

Restrict access only for uploads

In this example, the Google Cloud administrator and egress proxy administrator of Organization C engage together to restrict upload access of employees only to resources in the Google Cloud organization.

To restrict upload access only to your organization, do the following:

  1. As a Google Cloud administrator, get the Google Cloud organization ID of Organization C by using the following command:

        gcloud organizations list
        DISPLAY_NAME: Organization C
        ID: 123456789
        DIRECTORY_CUSTOMER_ID: a1b2c3d4
    
  2. As an egress proxy administrator, after you get the organization ID from the Google Cloud administrator, compose the JSON representation for the header value in the following format:

     {
     "resources": ["organizations/123456789"],
      "options": "strict"
     }
    
  3. As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, the following is the encoding through basenc:

     $ cat authorized_orgs.json | basenc --base64url -w0
    ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
    
  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted only for requests with PUT, POST, and PATCH methods originating from the managed devices in Organization C:

     X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
    

What's next