Building Google Cloud Platform Solutions

Organization-level policies

The uppermost level of IAM is the organization. Above the organization there is a special role known as the Organization Owner. Generally speaking, there are very few organization owners, and owners are created for the organization by Google directly. Because organization owners work directly with Google, we don't need to dive too deeply into this role here. Under organization owners, there are three additional roles that specifically apply at the organization level: Organization Admins, Organization Viewers, and Project Creators.

  • Organization Admins have full power over all projects within the organization, and they can create organization-level IAM policies. Policies made at the organizational level tend to apply to teams with specific cross-project needs. A common example of this is that a network security team needs the ability to audit all projects within an organization. In this case, an organization-level policy will allow the team to view every project's network configurations. This removes the need to grant the team access on a per-project basis.
  • Organization Viewers have full access to view any project within the organization. This role tends to be reserved for a select few people within the organization who need to perform tasks such as auditing projects for compliance.
  • Project Creators have the ability to create new projects within the organization. When creating a project, the project creator will be made project owner by default. The creator can then add additional owners to the project as needed. This responsibility is usually granted to a specific operations team within the organization. These abilities are also available to organization admins.

If your Google Cloud project does not belong to an organization, the project can be considered the highest level of the IAM hierarchy. For the exercises in this book, we will assume that your project is not part of an organization.

In addition to organizations, Google Cloud supports the notion of folders, which are high-level constructs for organizing collections of cloud resources. A folder may contain one or more projects, as well as sub-folders. Billing and IAM policies may be created at any level of the folder structure. In addition to organization-level IAM policies, folders introduce the Folder Admin, Folder IAM Admin, Folder Creator, and Folder Mover IAM roles. This allows GCP resources to be organized in a hierarchical manner that resembles an organization's real-world control and billing structure, as shown in the following diagram:

IAM policies may be applied at the organization, folder, or project level. With folders, organizations can create control structures that naturally reflect the real world.
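The inheritance described above (a binding at the organization or folder level reaching every project beneath it) can be modelled directly. The following is an added example, not code from the book or from Google: it walks a constructed organization → folder → project hierarchy with made-up resource names and members, and resolves which roles a principal effectively holds on a given project. The role names used are real predefined GCP roles; the hierarchy and bindings are constructed for illustration.

```python
"""Model of GCP IAM policy inheritance across organization, folders and projects."""

# Constructed resource hierarchy: child -> parent (None marks the organization root).
PARENT = {
    "projects/web-prod": "folders/prod",
    "projects/web-dev": "folders/dev",
    "folders/prod": "organizations/example-org",
    "folders/dev": "organizations/example-org",
    "organizations/example-org": None,
}

# Constructed IAM bindings per resource: role -> set of members.
# A network security group is granted viewer access once, at the organization level.
BINDINGS = {
    "organizations/example-org": {
        "roles/compute.networkViewer": {"group:netsec@example.com"},
        "roles/resourcemanager.projectCreator": {"group:ops@example.com"},
    },
    "folders/prod": {
        "roles/resourcemanager.folderAdmin": {"user:alice@example.com"},
    },
    "projects/web-dev": {
        "roles/owner": {"user:bob@example.com"},
    },
}


def ancestors(resource):
    """Yield the resource itself, then each parent up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_roles(member, resource):
    """Roles `member` holds on `resource`, including inherited ones.

    Returns {role: resource where the binding that grants it lives}; when the same
    role is bound at several levels, the nearest level is reported.
    """
    roles = {}
    for res in ancestors(resource):
        for role, members in BINDINGS.get(res, {}).items():
            if member in members and role not in roles:
                roles[role] = res
    return roles


def members_with_role(role, resource):
    """Everyone holding `role` on `resource` after inheritance (an audit view of reach)."""
    found = set()
    for res in ancestors(resource):
        found |= BINDINGS.get(res, {}).get(role, set())
    return found
```

Because the network viewer binding sits on the organization, `effective_roles` reports it for every project without any per-project grant, while Alice's folder-level role reaches only projects under `folders/prod`.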