Resource hierarchy (organizations, folders, projects)


In this tutorial we will look at the Google Cloud resource hierarchy (organizations, folders, projects) and how it is used for access control.

Resource hierarchy Overview

The purpose of the Google Cloud resource hierarchy is two-fold:

  • Firstly, provide a hierarchy of ownership, which binds the lifecycle of a resource to its immediate parent in the hierarchy.
  • Secondly, provide attach points and inheritance for access control and organization policies.

The Organization resource

The Organization resource represents an organization and is the root node in the Google Cloud resource hierarchy. It is the hierarchical ancestor of Folder and project resources. The IAM access control policies applied on the Organization resource apply throughout the hierarchy, on all resources in the organization.

A Google Workspace or Cloud Identity account can have exactly one Organization resource provisioned with it. Once an Organization resource is created for a domain, all Google Cloud projects created by members of the account domain belong to that Organization resource by default. When a managed user creates a project, the project must be in some organization. If the user specifies an organization and has the right permissions, the project is assigned to that organization; otherwise, it defaults to the organization the user is associated with.

Benefits of the Organization resource
  • With an Organization resource, projects belong to your organization instead of to the employee who created them. That is to say, projects are no longer deleted when an employee leaves the company; instead, they follow the organization’s lifecycle on Google Cloud.
  • Organization administrators have central control of all resources. They can view and manage all of your company’s projects, so there can no longer be shadow projects or rogue admins.
  • You can grant roles at the organization level, and they are inherited by all projects and folders under the Organization resource.

The Folder resource

Folder resources provide an additional grouping mechanism and isolation boundary between projects. They can be thought of as sub-organizations within the Organization. Folders can model different legal entities, departments, and teams within a company. For example, a first level of folders could represent the main departments in your organization. Since folders can contain projects and other folders, each department folder could then include sub-folders representing different teams, and each team folder could contain further sub-folders representing different applications.

Folders also allow delegation of administration rights. For example, each head of a department can be granted full ownership of all Google Cloud resources that belong to their department. Similarly, access to resources can be limited by folder, so users in one department can only access and create Cloud resources within that department's folder.

The Project resource

The project resource is the base-level organizing entity. Organizations and folders may contain multiple projects. A project is required to use Google Cloud, and it forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.

All projects consist of the following:

  • Two identifiers:
    • Project ID, which is a unique identifier for the project.
    • Project number, which is automatically assigned when you create the project and is read-only.
  • One mutable display name.
  • The lifecycle state of the project; for example, ACTIVE or DELETE_REQUESTED.
  • A collection of labels that can be used for filtering projects.
  • The time of the project's creation.

Using resource hierarchy for access control

Google Cloud resources are organized hierarchically, where the organization node is the root node in the hierarchy, projects are the children of the organization (or of folders), and the other resources are descendants of projects. You can set Identity and Access Management (IAM) policies at different levels of the resource hierarchy. Resources inherit the policies of their parent resource. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent; because it is a union, a policy set lower in the hierarchy can only add grants, never remove ones inherited from above.

IAM lets you set policies at the following levels of the resource hierarchy:
  • Organization level. The organization resource represents your company. IAM roles granted at this level are inherited by all resources under the organization.
  • Folder level. Folders can contain projects, other folders, or a combination of both. Roles granted at a folder are inherited by the projects and folders contained in that folder.
  • Project level. Projects represent a trust boundary within your company. Services within the same project have a default level of trust. For example, App Engine instances can access Cloud Storage buckets within the same project.
  • Resource level. In addition to the existing Cloud Storage and BigQuery ACL systems, resources such as Genomics Datasets, Pub/Sub topics, and Compute Engine instances support lower-level roles, so you can grant certain users permission to a single resource within a project.
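The inheritance rules above (a folder grant reaching every project under that folder, and the effective policy being the union of the resource's own policy and its ancestors' policies) are easy to reason about with a small model. The following is an added example written for this tutorial; it is not Google's code or API, and the organization number, folder names, project IDs, principals and labels are constructed sample data. The role names (roles/owner, roles/editor, roles/viewer, roles/resourcemanager.organizationAdmin) are real predefined roles, but nothing here talks to Google Cloud. It also shows the inventory question a defender usually asks next: which active projects a given principal can reach through inheritance, optionally filtered by label.

```python
"""Model of IAM policy inheritance down the Google Cloud resource hierarchy.

Added example, not Google's own code or API. All resource names, principals
and labels below are constructed sample data.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str                 # e.g. "organizations/123", "folders/eng", "projects/app-prod"
    parent: str | None        # name of the parent resource; None for the organization
    # IAM policy set directly on this resource: role -> set of principals
    bindings: dict[str, set[str]] = field(default_factory=dict)
    labels: dict[str, str] = field(default_factory=dict)
    lifecycle_state: str = "ACTIVE"


class Hierarchy:
    def __init__(self) -> None:
        self.resources: dict[str, Resource] = {}

    def add(self, res: Resource) -> Resource:
        # A resource's lifecycle is bound to its parent, so the parent must exist first.
        if res.parent is not None and res.parent not in self.resources:
            raise ValueError(f"unknown parent {res.parent!r} for {res.name!r}")
        self.resources[res.name] = res
        return res

    def ancestry(self, name: str) -> list[str]:
        """Return [name, parent, grandparent, ..., organization]."""
        chain = []
        cur: Resource | None = self.resources[name]
        while cur is not None:
            chain.append(cur.name)
            cur = self.resources[cur.parent] if cur.parent else None
        return chain

    def effective_policy(self, name: str) -> dict[str, set[str]]:
        """Union of the policy on the resource and on every ancestor.

        Inheritance is additive only: nothing set on a child can remove a
        grant made higher in the hierarchy.
        """
        merged: dict[str, set[str]] = defaultdict(set)
        for ancestor in self.ancestry(name):
            for role, members in self.resources[ancestor].bindings.items():
                merged[role] |= members
        return dict(merged)

    def has_role(self, principal: str, role: str, name: str) -> bool:
        return principal in self.effective_policy(name).get(role, set())

    def projects_for(self, principal: str, role: str,
                     labels: dict[str, str] | None = None) -> list[str]:
        """Active projects where principal holds role, directly or by inheritance,
        optionally narrowed by labels. Projects in DELETE_REQUESTED are skipped."""
        out = []
        for r in self.resources.values():
            if not r.name.startswith("projects/") or r.lifecycle_state != "ACTIVE":
                continue
            if labels and any(r.labels.get(k) != v for k, v in labels.items()):
                continue
            if self.has_role(principal, role, r.name):
                out.append(r.name)
        return sorted(out)


def build_sample_hierarchy() -> Hierarchy:
    """Constructed sample: one organization, two department folders, four projects."""
    h = Hierarchy()
    h.add(Resource("organizations/123456789", None, bindings={
        "roles/resourcemanager.organizationAdmin": {"user:cto@example.com"},
        "roles/viewer": {"group:security-audit@example.com"},
    }))
    h.add(Resource("folders/engineering", "organizations/123456789",
                   bindings={"roles/owner": {"user:eng-head@example.com"}}))
    h.add(Resource("folders/finance", "organizations/123456789",
                   bindings={"roles/owner": {"user:finance-head@example.com"}}))
    h.add(Resource("projects/app-prod", "folders/engineering",
                   bindings={"roles/editor": {"user:dev@example.com"}},
                   labels={"env": "prod", "country": "de"}))
    h.add(Resource("projects/app-dev", "folders/engineering",
                   labels={"env": "dev", "country": "de"}))
    h.add(Resource("projects/ledger", "folders/finance",
                   labels={"env": "prod", "country": "us"}))
    h.add(Resource("projects/old-ledger", "folders/finance",
                   lifecycle_state="DELETE_REQUESTED",
                   labels={"env": "prod", "country": "us"}))
    return h


if __name__ == "__main__":
    h = build_sample_hierarchy()
    print(h.ancestry("projects/app-prod"))
    print(h.effective_policy("projects/app-prod"))
    # Org-level viewer reaches every active project; the folder-level owner does not cross folders.
    print(h.projects_for("group:security-audit@example.com", "roles/viewer"))
    print(h.projects_for("user:eng-head@example.com", "roles/owner"))
```

Two things the model makes visible: the engineering department head owns projects/app-prod and projects/app-dev without any binding on those projects, but has nothing in the finance folder, which is the folder-based delegation described above; and the audit group's org-level viewer grant appears in every project's effective policy, so removing it must happen at the organization, not per project.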

GCP Cloud Architect Practice Questions

Question 1: ABC Inc. is a large organization with multiple departments, and they want to set up a GCP environment to manage their cloud resources. Which resource hierarchy structure should they use to manage their projects and resources effectively?

A. Organizational structure

B. Folder structure

C. Project structure

D. All of the above

Answer: D. All of the above

Explanation: The GCP resource hierarchy consists of three levels – organizations, folders, and projects. Organizations are the highest level and represent the top-level entity that can contain other entities like folders and projects. Folders allow you to group related projects and resources together, and projects are the lowest level and represent the actual resources being used. By using all three levels, ABC Inc. can effectively manage their cloud resources and assign roles and permissions to different departments and users.

Question 2: XYZ Corp. is a startup that has recently migrated its application to GCP. They have a single project and want to manage the resources within the project efficiently. What should they do?

A. Use project-level IAM roles to assign permissions to users.

B. Use organization-level IAM roles to assign permissions to users.

C. Use folder-level IAM roles to assign permissions to users.

D. Use all of the above.

Answer: A. Use project-level IAM roles to assign permissions to users.

Explanation: Since XYZ Corp. has only one project, they should use project-level IAM roles to assign permissions to users. IAM roles are used to manage permissions in GCP, and they can be assigned at the organization, folder, or project level. However, since XYZ Corp. has only one project, it makes sense to assign permissions at the project level.

Question 3: PQR Enterprises is a large organization with multiple departments and several projects. They want to ensure that each department can only access and manage resources within their own projects. What should they do?

A. Create a separate organization for each department.

B. Use folder-level IAM roles to assign permissions to users.

C. Use project-level IAM roles to assign permissions to users.

D. Use service accounts to manage access to resources.

Answer: B. Use folder-level IAM roles to assign permissions to users.

Explanation: PQR Enterprises should use folder-level IAM roles to assign permissions to users. Folders allow you to group related projects together and manage permissions at a higher level than project-level IAM roles. By assigning folder-level IAM roles to each department, PQR Enterprises can ensure that each department can only access and manage resources within their own projects.

Question 4: DEF Corp. is a multinational corporation with several subsidiaries in different countries. They want to manage their GCP environment in a way that allows them to segregate resources by country. What should they do?

A. Create a separate organization for each country.

B. Use folder-level IAM roles to assign permissions to users.

C. Use labels to tag resources by country.

D. Use a combination of folders and labels to organize resources.

Answer: D. Use a combination of folders and labels to organize resources.

Explanation: DEF Corp. should use a combination of folders and labels to organize their resources by country. Folders allow you to group related projects together, while labels are used to tag resources with metadata. By using a combination of folders and labels, DEF Corp. can segregate their resources by country and easily manage their GCP environment.

Reference: Google Documentation, Doc 2
