Organization
1. Organization
Let's learn more about the organization node. As I mentioned earlier, the organization resource is the root node in the Google Cloud resource hierarchy. This node has many roles, like the Organization Admin. The Organization Admin role provides a user like Bob with access to administer all resources belonging to his organization, which is useful for auditing. There is also a Project Creator role, which allows a user like Alice to create projects within her organization. I am showing the Project Creator role here because it can also be applied at the organization level, where it is then inherited by all the projects within the organization.

The organization resource is closely associated with a Google Workspace or Cloud Identity account. When a user with a Google Workspace or Cloud Identity account creates a Google Cloud project, an organization resource is automatically provisioned for them. Then, Google Cloud communicates its availability to the Google Workspace or Cloud Identity super admins. These super admin accounts should be used carefully because they have a lot of control over your organization and all the resources underneath it. The Google Workspace or Cloud Identity super administrators and the Google Cloud Organization Admin are key roles during the setup process and for lifecycle control of the organization resource. The two roles are generally assigned to different users or groups, although this depends on the organization's structure and needs. In the context of Google Cloud organization setup, the Google Workspace or Cloud Identity super administrator's responsibilities are: assign the Organization Admin role to some users, be a point of contact in case of recovery issues, and control the lifecycle of the Google Workspace or Cloud Identity account and the organization resource.
The responsibilities of the Organization Admin role are: define IAM policies, determine the structure of the resource hierarchy, and delegate responsibility over critical components, such as networking, billing, and the resource hierarchy, through IAM roles. Following the principle of least privilege, this role does not include the permission to perform other actions, such as creating folders. To get those permissions, an Organization Admin must assign additional roles to their account.

Let's talk more about folders, because they can be viewed as sub-organizations within the organization. Folders provide an additional grouping mechanism and an isolation boundary between projects. Folders can be used to model different legal entities, departments, and teams within a company. For example, a first level of folders could represent the main departments in your organization, like departments X and Y. Because folders can contain projects and other folders, each department folder could then include subfolders to represent different teams, like teams A and B. Each team folder could contain additional subfolders to represent different applications, like products 1 and 2. Folders allow delegation of administration rights, so, for example, each head of a department can be granted full ownership of all Google Cloud resources that belong to their department. Similarly, access to resources can be limited by folder, so users in one department can only access and create Google Cloud resources within that folder.

Let's look at some other Resource Manager roles, while remembering that policies are inherited from top to bottom. The organization node also has a Viewer role that grants view access to all resources within an organization. The folder node has multiple roles that mimic the organization roles, but are applied to resources within a folder.
There is an Admin role that provides full control over folders; a Creator role to browse the hierarchy and create folders; and a Viewer role to view folders and projects below a resource. Similarly, for projects, there is a Creator role that allows a user to create new projects, making that user automatically the owner. There is also a Project Deleter role that grants deletion privileges for projects.

2. Let's practice!
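To make the top-down inheritance concrete, here is a small Python model (added for this page, not Google's code or the course's) of the hierarchy just described: an organization containing department folders, team folders and product projects, with Bob as Organization Admin and Alice as Project Creator at the organization level and a constructed head-of-department account granted Folder Admin on Department X only. The role IDs are the real Resource Manager role names; the member e-mail addresses and resource names are constructed, and the model deliberately ignores deny policies, IAM conditions and group expansion.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of Google Cloud resource-hierarchy IAM inheritance:
# a binding granted on a node applies to that node and everything below it.
# Real IAM also has deny policies, conditions and group membership expansion,
# which this illustration (constructed for this page) leaves out.

@dataclass
class Node:
    name: str
    kind: str                                    # "organization", "folder" or "project"
    parent: Optional["Node"] = None
    bindings: dict = field(default_factory=dict)  # role id -> set of members

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

def effective_roles(node: Node, member: str) -> set:
    """Walk from the node up to the organization, collecting inherited roles."""
    roles = set()
    cur = node
    while cur is not None:
        for role, members in cur.bindings.items():
            if member in members:
                roles.add(role)
        cur = cur.parent
    return roles

def build_example_hierarchy() -> dict:
    """Constructed hierarchy mirroring the page: org -> departments -> teams -> products."""
    org = Node("example-org", "organization")
    dept_x = Node("Department X", "folder", org)
    dept_y = Node("Department Y", "folder", org)
    team_a = Node("Team A", "folder", dept_x)
    product_1 = Node("Product 1", "project", team_a)
    product_2 = Node("Product 2", "project", team_a)
    # Bob administers the whole organization; Alice may create projects anywhere in it.
    org.grant("roles/resourcemanager.organizationAdmin", "user:bob@example.com")
    org.grant("roles/resourcemanager.projectCreator", "user:alice@example.com")
    # The head of Department X (constructed account) owns only that department's subtree.
    dept_x.grant("roles/resourcemanager.folderAdmin", "user:head-x@example.com")
    return {"org": org, "dept_x": dept_x, "dept_y": dept_y, "team_a": team_a,
            "product_1": product_1, "product_2": product_2}

if __name__ == "__main__":
    h = build_example_hierarchy()
    for member in ("user:alice@example.com", "user:head-x@example.com"):
        print(member, "on Product 1:", sorted(effective_roles(h["product_1"], member)))
        print(member, "on Department Y:", sorted(effective_roles(h["dept_y"], member)))
```

Running it shows Alice's Project Creator role reaching every project, and the Department X head's Folder Admin role reaching Products 1 and 2 but not Department Y, which is exactly the per-department boundary the folder structure is meant to enforce.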