When you set anorganization policy on a resource, all descendantsof that resource inherit the organization policy by default. If you set anorganization policy on your organization resource, then those restrictions areinherited by all child resources.

You can set the same organization policy with a different configuration on childresources, which will overwrite or merge with the inherited policy based on therules of hierarchy evaluation and the type of constraint defined in theorganization policy.

Before you begin

• Read theUnderstanding constraints page to learnabout what a constraint is.

• Read theoverview of the Organization Policy Service to learn about howorganization policy works.

Example hierarchy

In the following resource hierarchy diagram, each resource sets an organizationpolicy that enforces a legacy managed constraint and defines whether the policyinherits its parent resource's policy. The colored shapes represent the valuesthat the organization policy allows or denies.

A constraint is a particular type of restriction that's enforced on aGoogle Cloud service or a listof Google Cloud services. In the preceding example, theConstraintrepresents theconstraint default, which defines the behavior when theconstraint isn't defined in an organization policy. The constraint default inthis example allowsall_inclusive allvalues. The nodes below it define organizationpolicies that override the constraint default by allowing or denying values.

The effective policy on each node is evaluated based on the rules ofinheritance. If an organization policy isn't set, the resource inheritsthe default constraint behavior. If you set an organization policy, yourpolicy is used instead. In the preceding example, theOrganization Nodedefines a policy that allowssquare redsquare andcircle greencircle.

The resources that are in the hierarchy below theOrganization Nodeare evaluated as follows:

1. Resource 1 defines a policy that setsinheritFromParent toTRUE andallowssquareblue diamond. The policy from theOrganization Node isinherited and merged with the policy set onResource 1. The effectivepolicy evaluates to allowsquare redsquare,circle greencircle, andsquareblue diamond.

2. Resource 2 defines a policy that setsinheritFromParent toTRUE anddeniescircle greencircle. Deny values always take precedence during policyreconciliation. The policy from theOrganization Node is inherited andmerged with the policy set onResource 2. The effective policy evaluatesto allow onlysquare redsquare.

3. Resource 3 defines a policy that setsinheritFromParent toFALSE andallowshexagon yellowhexagon. The policy from theOrganization Node isn'tinherited, so the effective policy evaluates to only allowhexagon yellowhexagon.

4. Resource 4 defines a policy that setsinheritFromParent toFALSE andincludes therestoreDefault value. The policy from theOrganization Node isn't inherited, and the default constraint behavioris used, so the effective policy evaluates to allowall_inclusive allvalues.

Hierarchy evaluation rules

The following rules govern how an organization policy is evaluated at agiven resource. You need theOrganization Policy Administratorrole to set organization policy.

Automatically enforced constraints

If an organization policy isn't enforced, it inherits from its lowest ancestorwhere an organization policy is enforced. If no organization policy is enforcedanywhere in the ancestor hierarchy, the Google-managed default behaviorof the constraint is enforced.

If the Google-managed default behavior of an organization policy constraintrestricts an operation, then that operation is restricted even if you neverexplicitly defined an organization policy. To allow those operations, you mustcreate organization policies that override the parent policy.

For a list of organization policy constraints that have a Google-managed defaultbehavior that restricts operations, seeOrganization policy constraints.

Inheritance

A resource that has an organization policy set by default supersedes anypolicy set by its parent resources in the hierarchy. However, if a resource hassetinheritFromParent = true, then the effective Policy of the parent resourceis inherited, merged, and reconciled to evaluate the resulting effectivepolicy. For example:

• A folder denies the valueprojects/123.
• A project underneath that folder denies the valueprojects/456.

The two policies are merged, and in this case result in an effective policy thatdenies bothprojects/123 andprojects/456.

Note: Managed constraints that are inherited from a parent resource aren't merged to evaluate the effective policy on a given resource. A resource that inherits a managed constraint enforces the constraint as it was set on the parent resource or overrides the constraint with its own policy.

Inheriting default behavior

Default behavior is never merged. When a policy is set, it always replaces anydefault behavior. For example:

• Theconstraints/iam.allowServiceAccountCredentialLifetimeExtension is set toDENY by default at organization level.
• For this constraint, a project directly underneath that organization allowsthe valueSomeServiceAccount.

Since the default behavior is never merged and always replaced, this results inan effective policy which allowsSomeServiceAccount. In contrast, if thepolicy were setexplicitly toDENY at the organization level, the "DENYvalue takes precedence" rule would apply and the effective policy would beDENY.

Disallow inheritance

If a resource has a policy that includesinheritFromParent = false, it doesn'tinherit the organization policy from its parent. Instead, the resource inheritsthe constraint's default behavior unless you set a policy with allowed or deniedvalues.

Reconciling policy conflicts

When a resource inherits organization policies, the inherited policies aremerged and reconciled with the organization policy of the parent resource. Whenevaluating organization policies with list rules,DENY values always takeprecedence. For example:

• A folder denies the valueprojects/123.
• A project underneath that folder allows the valueprojects/123.

The policies are merged and theDENY value takes precedence. The effectivepolicy denies all values, and evaluates the same way whether the parent orchild resource denies the value. We recommend not including a value in both theallowed and denied lists. Doing so can make it harder to understand yourpolicies.

Organization policies with boolean rules don't merge and reconcilepolicies. If a policy is specified on a resource, thatTRUE orFALSE valueis used to determine the effective policy. For example:

• A folder setsenforced: true forconstraints/iam.managed.disableServiceAccountCreation.

• A project underneath that folder setsenforced: false forconstraints/iam.managed.disableServiceAccountCreation.

Theenforced: true value set on the folder is ignored becauseenforced: false is defined on the project itself. The organization policyisn't enforced on that project.

Reset to default policy

By invokingRestoreDefault, the organization policy uses the defaultbehavior of the constraint for this resource. Child resources also inherit thisbehavior.