# Introduction to organization restrictions

This page provides an overview of organization restrictions and how the feature works.

The organization restrictions feature lets you prevent data exfiltration through phishing or insider attacks. For managed devices in an organization, the organization restrictions feature restricts access only to resources in authorized Google Cloud organizations.

How organization restrictions works
-----------------------------------

In Google Cloud, Identity and Access Management (IAM) governs access to resources. Administrators use allow and deny policies to control who can access the resources within their organization. Organizations also need to restrict their employees' access to resources in authorized Google Cloud organizations only. Google Cloud administrators, who administer Google Cloud, and egress proxy administrators, who configure the egress proxy, work together to set up organization restrictions.

The following diagram illustrates how the different components work together to enforce organization restrictions:

The architecture diagram shows the following components:

- **Managed device**: A device that is governed by the organization policies of a company. Employees of an organization use a managed device to access the organization's resources.

- **Egress proxy**: An egress proxy administrator configures the proxy to add organization restrictions headers to any requests originating from a managed device. This proxy configuration prevents users from accessing Google Cloud resources in non-authorized Google Cloud organizations.

- **Google Cloud**: The organization restrictions feature in Google Cloud inspects every request for the organization restrictions header, and allows or denies the request based on the organization being accessed.

Common use cases
----------------

Here are some common organization restrictions use cases:

- Restrict access for employees in your organization so that they can [access resources only in your Google Cloud organization](/resource-manager/docs/organization-restrictions/examples-org-restrictions#access-your-org) and not in other organizations.

- [Allow your employees to read from Cloud Storage resources](/resource-manager/docs/organization-restrictions/examples-org-restrictions#access-read-org) but otherwise restrict employee access to resources in your Google Cloud organization only.

- [Allow your employees to access a vendor Google Cloud organization](/resource-manager/docs/organization-restrictions/examples-org-restrictions#access-vendor-org) in addition to your Google Cloud organization.

Implementing these use cases requires engagement between Google Cloud administrators, who administer Google Cloud, and egress proxy administrators, who configure the egress proxy.

What's next
-----------

- Learn about [organization restrictions configuration](/resource-manager/docs/organization-restrictions/configure-organization-restrictions).
- Learn about the [services supported by organization restrictions](/resource-manager/docs/organization-restrictions/supported-services).

Last updated 2025-09-04 UTC.
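The following is an added example, not code from this page or from Google Cloud, that models the two halves of the mechanism described above: the egress proxy building the organization restrictions header, and the Google Cloud side decoding it and allowing or denying a request by target organization. It assumes the header name (`X-Goog-Allowed-Resources`), the base64-encoded JSON value with `authorizedOrganizations` and `options` (`strict` or `cloudStorageReadAllowed`), as documented on the configuration page linked under "What's next"; the organization IDs are constructed placeholders and the server-side evaluation is a simplified model, not Google's implementation.

```python
import base64
import json

# Header added by the egress proxy (name and format assumed from the
# organization restrictions configuration docs, not this overview page).
HEADER_NAME = "X-Goog-Allowed-Resources"
VALID_OPTIONS = ("strict", "cloudStorageReadAllowed")


def build_org_restrictions_header(org_ids, options="strict"):
    """Egress-proxy side: return (name, value) for the header.

    org_ids: Google Cloud organization IDs a managed device may reach.
    options: "strict" allows only the listed organizations;
             "cloudStorageReadAllowed" additionally permits read access to
             Cloud Storage resources in other organizations.
    """
    if options not in VALID_OPTIONS:
        raise ValueError("unknown options value: %r" % options)
    payload = {
        "authorizedOrganizations": ["organizations/%s" % o for o in org_ids],
        "options": options,
    }
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return HEADER_NAME, base64.b64encode(raw).decode("ascii")


def evaluate_request(headers, target_org_id, is_storage_read=False):
    """Simplified model of the Google Cloud side.

    Decodes the header and returns "allow" or "deny" for a request that
    targets resources in target_org_id. Assumption: a request without the
    header is not restricted, since only proxied managed-device traffic
    carries it; a malformed header fails closed.
    """
    value = headers.get(HEADER_NAME)
    if value is None:
        return "allow"
    try:
        policy = json.loads(base64.b64decode(value, validate=True))
        allowed = set(policy["authorizedOrganizations"])
        options = policy.get("options", "strict")
    except (ValueError, KeyError, TypeError):
        return "deny"  # undecodable or incomplete header: fail closed
    if "organizations/%s" % target_org_id in allowed:
        return "allow"
    if options == "cloudStorageReadAllowed" and is_storage_read:
        return "allow"  # read-only Cloud Storage access outside the allow list
    return "deny"
```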