Resources are organised in a hierarchy as shown below
Organization represents a company and is the root node of the tree. Being at the top of the tree means that any policies applied at this level are inherited by all objects in the company
Policies consist of a set of Roles and Role Members that may be configured at each level of the hierarchy. Child policies cannot be more restrictive than the parent i.e. a policiy cannot reduce privileges to a resource granted by a parent policy
Folders represent entities such as departments, products and teams that allow additional delegation of permissions through role assignment and policies
Projects represent a group or resources that provide a set of services and represents a base level organising entity. Resources are configured inside projects.
Resources are the fundamental building blocks of GCP e.g. Compute Engine, and have exactly one parent; from which they also inherit policies
Organization
- Organization Objects are created when a Google Workspace (G-Suite) or Cloud Identity account sets up an identity in GCP Console
- To configure an identity in GCP
- Google Workspace and Cloud Identity super-admins assign the Organization Admin role to users
- The Organization admin role provides users with full control over every resource in a company and is responsible for:
- Defining IAM Policies
- Oranizing the resource hierarchy (folder, projects)
- Assigning responsibility to users for things like Billing, Networking etc
- Any role granted at the organization node is inherited by every resource in the hierarchy e.g. a user granted roles/resourcemanager.projectCreator role is able to create Projects in the organization