Resource Hierarchy and Organisation

Resources are organised in a hierarchy as shown below

Organization represents a company and is the root node of the tree. Being at the top of the tree means that any policies applied at this level are inherited by all objects in the company.

Policies consist of a set of Roles and Role Members that may be configured at each level of the hierarchy. Child policies cannot be more restrictive than the parent, i.e. a policy cannot reduce privileges to a resource that were granted by a parent policy.

Folders represent entities such as departments, products and teams, and allow additional delegation of permissions through role assignment and policies.

Projects represent a group of resources that provide a set of services and are the base-level organising entity. Resources are configured inside projects.

Resources are the fundamental building blocks of GCP, e.g. Compute Engine instances, and have exactly one parent, from which they also inherit policies.

GCP Resource Hierarchy

Organization

  • Google Workspace and Cloud Identity super-admins assign the Organization Admin role to users.
  • The Organization Admin role provides users with full control over every resource in a company and is responsible for:
    • Defining IAM Policies
    • Organising the resource hierarchy (folders, projects)
    • Assigning responsibility to users for things like Billing, Networking etc.
  • Any role granted at the organization node is inherited by every resource in the hierarchy, e.g. a user granted the roles/resourcemanager.projectCreator role is able to create projects anywhere in the organization.
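As an added example (not from these notes), the following Python model resolves effective IAM access by walking a resource's ancestors up to the Organization. It shows both that a grant at the organization node (such as the roles/resourcemanager.projectCreator example above) reaches every descendant and that a child policy can only add to, never remove, what a parent grants, so an audit has to look at the ancestor where a binding originates. The sample hierarchy, member names and other roles are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the GCP resource hierarchy. Each node carries its own
# IAM policy as role -> set of members; effective access is the union of the
# node's bindings and every ancestor's bindings up to the Organization root.

@dataclass
class Resource:
    name: str
    kind: str                      # "organization", "folder", "project", "resource"
    parent: Optional["Resource"] = None
    bindings: dict = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

def effective_bindings(node: Resource) -> dict:
    """Union of bindings from the node up to the root: inheritance is additive,
    so nothing a child sets can take away a parent's grant."""
    merged: dict = {}
    cur = node
    while cur is not None:
        for role, members in cur.bindings.items():
            merged.setdefault(role, set()).update(members)
        cur = cur.parent
    return merged

def has_role(node: Resource, member: str, role: str) -> bool:
    return member in effective_bindings(node).get(role, set())

def grant_origin(node: Resource, member: str, role: str) -> Optional[str]:
    """Name of the nearest ancestor (or the node itself) where the binding
    lives; that is the only level at which the access can be removed."""
    cur = node
    while cur is not None:
        if member in cur.bindings.get(role, set()):
            return cur.name
        cur = cur.parent
    return None

def build_sample_hierarchy() -> dict:
    org = Resource("example-org", "organization")
    folder = Resource("engineering", "folder", org)
    project = Resource("payments-prod", "project", folder)
    vm = Resource("payments-vm-1", "resource", project)
    org.grant("roles/resourcemanager.projectCreator", "user:alice@example.com")
    folder.grant("roles/viewer", "group:eng@example.com")   # team-level grant
    project.grant("roles/compute.admin", "user:bob@example.com")  # project only
    return {"org": org, "folder": folder, "project": project, "vm": vm}
```

Running `grant_origin` over a resource tells you which ancestor's policy must change to revoke access, since editing the child's policy cannot do it.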