Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of organization restrictions and how it works.
The organization restrictions feature lets you prevent data exfiltration
through phishing or insider attacks. For managed devices in an organization, the organization restrictions
feature restricts access only to resources in authorized Google Cloud organizations.
How organization restrictions works
In Google Cloud, Identity and Access Management (IAM) governs access to resources.
Administrators use allow and deny policies to control who can access the
resources within their organization. There is a need in organizations to
restrict access of their employees only to resources in authorized Google Cloud
organizations. Google Cloud administrators who administer Google Cloud, and
egress proxy administrators, who configure the egress proxy, engage together to
set up organization restrictions.
The following diagram illustrates how the different components work to enforce organization restrictions:
The architecture diagram shows the following components:
Managed device: A device that is governed by the organization policies of
a company. Employees of an organization use a managed device to access the organization
resources.
Egress proxy: An egress proxy administrator configures
the proxy to add organization restrictions headers to any requests originating
from a managed device. This proxy configuration prevents
users from accessing any Google Cloud resources in non-authorized Google Cloud organizations.
Google Cloud: The organization restrictions feature in Google Cloud inspects all requests
for organization restrictions header, and allows or denies the requests based on
the organization being accessed.
Common use cases
Here are some common organization restrictions use cases:
Implementing these use cases require engagement between Google Cloud administrators,
who administer Google Cloud, and egress proxy administrators who configure the egress proxy.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Introduction to organization restrictions\n\nThis page provides an overview of organization restrictions and how it works.\n\nThe organization restrictions feature lets you prevent data exfiltration\nthrough phishing or insider attacks. For managed devices in an organization, the organization restrictions\nfeature restricts access only to resources in authorized Google Cloud organizations.\n\nHow organization restrictions works\n-----------------------------------\n\nIn Google Cloud, Identity and Access Management (IAM) governs access to resources.\nAdministrators use allow and deny policies to control who can access the\nresources within their organization. There is a need in organizations to\nrestrict access of their employees only to resources in authorized Google Cloud\norganizations. Google Cloud administrators who administer Google Cloud, and\negress proxy administrators, who configure the egress proxy, engage together to\nset up organization restrictions.\n\nThe following diagram illustrates how the different components work to enforce organization restrictions:\n\nThe architecture diagram shows the following components:\n\n- **Managed device**: A device that is governed by the organization policies of\n a company. Employees of an organization use a managed device to access the organization\n resources.\n\n- **Egress proxy**: An egress proxy administrator configures\n the proxy to add organization restrictions headers to any requests originating\n from a managed device. This proxy configuration prevents\n users from accessing any Google Cloud resources in non-authorized Google Cloud organizations.\n\n- **Google Cloud**: The organization restrictions feature in Google Cloud inspects all requests\n for organization restrictions header, and allows or denies the requests based on\n the organization being accessed.\n\nCommon use cases\n----------------\n\nHere are some common organization restrictions use cases:\n\n- Restrict access to employees in your organization so that employees can\n [access resources only in your Google Cloud organization](/resource-manager/docs/organization-restrictions/examples-org-restrictions#access-your-org)\n and not other organizations.\n\n- [Allow your employees to read from Cloud Storage resources](/resource-manager/docs/organization-restrictions/examples-org-restrictions#access-read-org)\n but restrict employee access only to resources in your Google Cloud organization.\n\n- [Allow your employees to access a vendor Google Cloud organization](/resource-manager/docs/organization-restrictions/examples-org-restrictions#access-vendor-org) in addition\n to your Google Cloud organization.\n\nImplementing these use cases require engagement between Google Cloud administrators,\nwho administer Google Cloud, and egress proxy administrators who configure the egress proxy.\n\nWhat's next\n-----------\n\n- Learn about [organization restrictions configuration](/resource-manager/docs/organization-restrictions/configure-organization-restrictions).\n- Learn about the [services supported by organization restrictions](/resource-manager/docs/organization-restrictions/supported-services)."]]
