Creating and managing organization resources

The organization resource is the root node in the Google Cloud resource hierarchy and is the hierarchical super node of projects. This page explains how to acquire and manage an organization resource.

Note: From early 2024, every organization resource you create will automatically have a set of organization policies enforced on it. For more information, see Google Cloud security baseline constraints.

Before you begin

Read an overview of the organization resource.

Getting an organization resource

An organization resource is available for Google Workspace and Cloud Identity customers:

Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:

  • If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
  • If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under "No organization", and this is normal. The organization resource will appear and the new project you created will be linked to it automatically.

    You will need to move any projects you created under "No organization" into your new organization resource. For instructions on how to move your projects, see Migrating projects into an organization resource.

The organization resource that is created will be linked to your Google Workspace or Cloud Identity account with the project or billing account you created set as a child resource. All projects and billing accounts created under your Google Workspace or Cloud Identity domain will be children of this organization resource.

Each Google Workspace or Cloud Identity account is associated with exactly one organization resource. An organization resource is associated with exactly one domain, which is set when the organization resource is created.

When the organization resource is created, we communicate its availability to the Google Workspace or Cloud Identity super admins. These super admin accounts should be used carefully because they have a lot of control over your organization resource and all the resources underneath it. For this reason, we recommend against using Google Workspace or Cloud Identity super admin accounts for day-to-day management of your organization resource. For more information about using Google Workspace or Cloud Identity super admin accounts in Google Cloud, see Super administrator account best practices.

To actively adopt the organization resource, the Google Workspace or Cloud Identity super admins need to assign the Organization Administrator (roles/resourcemanager.organizationAdmin) Identity and Access Management (IAM) role to a user or group. For steps on setting up your organization resource, see Setting up your organization resource.

  • When the organization resource is created, all users in your domain are automatically granted Project Creator (roles/resourcemanager.projectCreator) and Billing Account Creator (roles/billing.creator) IAM roles at the organization resource level. This enables users in your domain to continue creating projects with no disruption.
  • The Organization Administrator will decide when they want to start actively using the organization resource. They can then change the default permissions and enforce more restrictive policies as needed.
  • If the organization resource is available and you don't have the IAM permissions to view it, you can still create projects and billing accounts. These are automatically created under the organization resource, even if you can't see it.

Note: There is a second way to obtain an organization resource: a standalone organization is automatically created for users when they sign up for a Google Account. For more information, see the documentation on standalone organizations.

Google Cloud security baseline

Google Cloud security baseline addresses insecure security postures with a bundle of organization policies that are enforced when an organization resource is created. These constraints are automatically created and enforced on your organization when it is created. For information about viewing and managing these constraints, see Google Cloud security baseline constraints.

Getting your organization resource ID

The organization resource ID is a unique identifier for an organization resource and is automatically created when your organization resource is created. Organization resource IDs are formatted as decimal numbers, and cannot have leading zeroes.

You can get your organization resource ID using the Google Cloud console, the gcloud CLI, or the Cloud Resource Manager API.

Console

To get your organization resource ID using the Google Cloud console, do the following:

  1. Go to the Google Cloud console:

    Go to the Google Cloud console

  2. From the project picker at the top of the page, select your organization resource.
  3. On the right side, click More, and then click Settings.

The Settings page displays your organization resource ID.

gcloud

To find your organization resource ID, run the following command:

gcloud organizations list

This command lists all the organization resources to which you belong, and their corresponding organization resource IDs.

API

To find your organization resource ID using the Cloud Resource Manager API, use the organizations.search() method, including a query for your domain. For example:

GET https://cloudresourcemanager.googleapis.com/v3/organizations:search?query=domain:altostrat.com

The response contains the metadata of the organization resource that belongs to altostrat.com, which includes the organization resource ID.

Setting up your organization resource

If you're a Google Workspace or Cloud Identity customer, an organization resource is provided to you automatically.

The Google Workspace or Cloud Identity super administrators are the first users who can access the organization resource upon creation. All other users or groups will be able to use Google Cloud as before. They'll be able to see the organization resource, but they'll only be able to modify it after the correct permissions are set.

The Google Workspace or Cloud Identity super administrators and the Google Cloud Organization Administrator are key roles during the setup process and for lifecycle control for the organization resource. The two roles are generally assigned to different users or groups, although this depends on the organization resource's structure and needs.

Google Workspace or Cloud Identity super administrator responsibilities, in the context of Google Cloud organization resource setup, are:

  • Assigning the Organization Administrator role to some users
  • Being a point of contact in case of recovery issues
  • Controlling the lifecycle of the Google Workspace or Cloud Identity account and organization resource as explained under Deleting an organization resource

The Organization Administrator, once assigned, can assign Identity and Access Management roles to other users. The responsibilities of the Organization Administrator role are:

  • Defining allow and deny policies and granting roles to other users.
  • Seeing the structure of the Resource Hierarchy

Following the principle of least privilege, this role does not include the permission to perform other actions, such as creating folders or projects. To get these permissions, an Organization Administrator must assign additional roles to their account.

Having two distinct roles ensures separation of duties between the Google Workspace or Cloud Identity super administrators and the Google Cloud Organization Administrator. This is often a requirement as the two Google products are typically managed by different departments in the customer's organization.

To begin actively using the organization resource, follow the steps below to add an Organization Administrator:

Adding an Organization Administrator

Console

To add an Organization Administrator:

  1. Sign in to the Google Cloud console as a Google Workspace or Cloud Identity super administrator and navigate to the IAM & Admin page:

    Open the IAM & admin page

  2. Select the organization resource you want to edit:

    1. Click the project drop-down list at the top of the page.

    2. In the Select from dialog, click the organization drop-down list, and select the organization resource to which you want to add an Organization Administrator.

    3. On the list that appears, click the organization resource to open its IAM Permissions page.

  3. Click Add, and then enter the email address of one or more users you want to set as Organization Administrators.

  4. In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

    The Organization Administrator can do the following:

    • Take full control of the organization resource. Separation of responsibilities between Google Workspace or Cloud Identity super administrator and Google Cloud administrator is established.

    • Delegate responsibility over critical functions by assigning the relevant IAM roles.

As explained in Acquiring an organization resource, upon creation, all users in the domain are granted Project Creator and Billing Account Creator roles at the organization resource level by default. This ensures that no disruption is caused to Google Cloud users when the organization resource is created. As the Organization Administrator takes control, they might want to remove these organization-level permissions to start locking down access at a finer granularity (for instance, at the folder or project level). Note that, because allow and deny policies are inherited down the hierarchy, having the Project Creator role assigned to the entire domain (domain:mycompany.com) at the organization resource level implies that every user in the domain can create projects anywhere in the hierarchy.
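One way to audit an organization-level allow policy for the domain-wide grants described above (an added example, not part of the original page or Google's code). It assumes the policy was exported as JSON, for example with `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`; the sample policy, its group names and the function names are constructed for illustration.

```python
import json

# Roles the page says every user in the domain gets at organization creation.
DEFAULT_DOMAIN_ROLES = {
    "roles/resourcemanager.projectCreator",
    "roles/billing.creator",
}

# Constructed sample, shaped like the JSON allow policy of an organization.
SAMPLE_POLICY = json.loads("""
{"etag": "BwXconstructed=", "version": 1, "bindings": [
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["group:gcp-org-admins@mycompany.com"]},
  {"role": "roles/resourcemanager.projectCreator",
   "members": ["domain:mycompany.com", "group:platform-team@mycompany.com"]},
  {"role": "roles/billing.creator", "members": ["domain:mycompany.com"]},
  {"role": "roles/browser", "members": ["domain:mycompany.com"]}
]}
""")

def domain_wide_grants(policy):
    """List (role, member, is_creation_default) for each whole-domain grant."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("domain:"):
                role = binding.get("role", "")
                findings.append((role, member, role in DEFAULT_DOMAIN_ROLES))
    return findings

def without_domain_defaults(policy):
    """Copy of the policy with domain: members dropped from the default roles.
    Other bindings (and the etag) are kept; the input is not modified."""
    tightened = {k: v for k, v in policy.items() if k != "bindings"}
    tightened["bindings"] = []
    for binding in policy.get("bindings", []):
        is_default = binding.get("role") in DEFAULT_DOMAIN_ROLES
        members = [m for m in binding.get("members", [])
                   if not (is_default and m.startswith("domain:"))]
        if members:  # a binding left with no members is omitted entirely
            tightened["bindings"].append({**binding, "members": members})
    return tightened

if __name__ == "__main__":
    for role, member, default in domain_wide_grants(SAMPLE_POLICY):
        print(f"{member} holds {role} (creation default: {default})")
    print(json.dumps(without_domain_defaults(SAMPLE_POLICY), indent=2))
```

Domain-wide grants on roles outside the two creation defaults are reported but left in place, since the page only describes removing the defaults.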

Creating projects in your organization resource

Console


You can create a project in the organization resource using the Google Cloud console after the organization resource is enabled for your domain.

To create a new project in the organization resource, do the following:

  1. Go to the Manage resources page in the Google Cloud console.

    Go to Manage Resources

    The remaining steps appear in the Google Cloud console.

  2. On the Select organization drop-down list at the top of the page, select the organization resource in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
  5. Enter the parent organization or folder resource in the Location box. That resource will be the hierarchical parent of the new project. If No organization is an option, you can select it to create your new project as the top level of its own resource hierarchy.
  6. When you're finished entering new project details, click Create.

API


You can create a new project in the organization resource by creating a project and setting its parent field to the organizationId of the organization resource.

The following code snippet demonstrates how to create a project in an organization resource:

...
# Create the project with the organization resource as its parent.
project = crm.projects().create(
    body={
        'project_id': flags.projectId,
        'name': 'MyNewProject',
        'parent': {
            'type': 'organization',
            'id': flags.organizationId
        }
    }).execute()
...

Viewing projects in an organization resource

Users can only view and list projects they have access to via IAM roles. The Organization Administrator can view and list all projects in the organization resource.

Console


To view all projects in an organization resource using the Google Cloud console:

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click on the Organization drop-down on top of the page.

  3. Select your organization resource.

  4. Click the Project drop-down on top of the page and then click View more projects. All projects in the organization resource are listed on the page.

The No organization option in the Organization drop-down lists the following projects:

  • Projects that don't belong to the organization resource yet.
  • Projects that the user has access to, but are under an organization resource to which the user does not have access.

gcloud


To view all projects in an organization resource, run the following command:

gcloud projects list --filter 'parent.id=[ORGANIZATION_ID] AND parent.type=organization'

API


Use the projects.list() method to list all the projects under a parent resource, as shown in the following code snippet:

...
# Match projects whose parent is the given organization resource.
filter = 'parent.type:organization parent.id:%s' % flags.organizationId
projects = crm.projects().list(filter=filter).execute()
...

Deleting an organization resource

The organization resource is bound to your Google Workspace or Cloud Identity account.

If you would prefer not to use the organization resource, we recommend restoring the organization resource's allow policy to the original state using the following steps:

  1. Add your domain to the Project Creator and Billing Account Creator roles.
  2. Remove all other entries in the organization resource's allow policy.

This will allow your users to continue to create Projects and Billing Accounts while allowing the Google Workspace or Cloud Identity super admins to recover central administration later.
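The two restore steps above, applied to an exported allow policy so the change can be reviewed before it is written back (an added example, not from the original page). The function name, the sample policy and its members are constructed; writing the result back, for example with `gcloud organizations set-iam-policy`, is left to the operator.

```python
# Roles the page lists for the original state of the allow policy.
ORIGINAL_ROLES = ("roles/resourcemanager.projectCreator", "roles/billing.creator")

# Constructed sample of a policy after an Organization Administrator took over.
CURRENT_POLICY = {
    "etag": "BwXconstructed=",
    "version": 1,
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@mycompany.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["group:platform-team@mycompany.com"]},
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["user:alice@mycompany.com"]},
    ],
}


def original_state_policy(current, domain):
    """Return (policy, added, removed) for the restore steps.

    Step 1: the domain holds Project Creator and Billing Account Creator.
    Step 2: every other (role, member) entry is removed.
    """
    member = f"domain:{domain}"
    existing = {(b["role"], m)
                for b in current.get("bindings", [])
                for m in b.get("members", [])}
    wanted = {(role, member) for role in ORIGINAL_ROLES}
    policy = {
        # Keep the etag so a concurrent policy change is rejected, not overwritten.
        **{k: current[k] for k in ("etag", "version") if k in current},
        "bindings": [{"role": r, "members": [member]} for r in ORIGINAL_ROLES],
    }
    return policy, sorted(wanted - existing), sorted(existing - wanted)


if __name__ == "__main__":
    new_policy, added, removed = original_state_policy(CURRENT_POLICY, "mycompany.com")
    for role, who in added:
        print(f"+ {who} -> {role}")
    for role, who in removed:
        print(f"- {who} -> {role}")
```

The removed list includes the Organization Administrator binding itself, which is why central administration afterwards has to be recovered by the super admins.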

If you delete your Google Workspace account, it will delete your organization resource and all resources associated with it. Therefore, if you want to delete your organization resource, you can do so by deleting your Google Workspace account. For Cloud Identity users, cancel all other Google services, then delete your user account. This is potentially a very damaging action that might be impossible to fully reverse, so it is recommended to only take this action if you are certain there are no resources in active use.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.