Organisation policies are guardrails that restrict what can and cannot be done across your GCP environment. While IAM controls who can do things, organisation policies control what can be done — regardless of IAM permissions.
| Aspect | IAM | Organisation Policies |
|---|---|---|
| Controls | Who has access | What is allowed |
| Mechanism | Roles and permissions | Constraints |
| Example | "Alice can create VMs" | "VMs can only be created in europe-west2" |
| Override | Granting more permissions does not override a policy | Cannot be bypassed, even by owners |
Even a user with the roles/owner role cannot violate an organisation policy.
Organisation policies are applied at the organisation, folder, or project level and are inherited downward:

```text
Organisation: Constraint — no public IP on VMs
├── Folder: Engineering
│   └── Project: eng-prod — inherits "no public IP" (cannot override)
└── Folder: Sandbox
    └── Project: sandbox-1 — can be EXEMPTED by the org admin
```
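The hierarchy above, as an added worked example (not code from the lesson or from Google): a small simulator of how a list-constraint policy set at the organisation level flows down to folders and projects, and how an org policy admin exempts one project by setting a replacing policy there. The constraint names `constraints/compute.vmExternalIpAccess` and `constraints/gcp.resourceLocations` are real; the evaluation logic (nearest policy wins; `allowAll` / `denyAll` / `allowedValues`; parent values merged only when `inheritFromParent` is set) is a simplified model and an assumption, as are the organisation id and the `check_vm_request` helper.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of Org Policy list rules (assumption, not the real evaluator):
#   allow_all      -> constraint not enforced at this node (replaces parent)
#   deny_all       -> nothing allowed (replaces parent)
#   allowed_values -> explicit allow list; merged with the parent's effective
#                     list only when inherit_from_parent is True
@dataclass
class ListPolicy:
    constraint: str
    allow_all: bool = False
    deny_all: bool = False
    allowed_values: frozenset = frozenset()
    inherit_from_parent: bool = False


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    policies: dict = field(default_factory=dict)

    def set_policy(self, policy: ListPolicy) -> "Resource":
        self.policies[policy.constraint] = policy
        return self


def ancestry(resource: Resource):
    """Yield the resource, then its parent, up to the organisation."""
    while resource is not None:
        yield resource
        resource = resource.parent


def effective_allowed(resource: Resource, constraint: str):
    """None = no policy anywhere (everything allowed); empty set = denyAll."""
    for node in ancestry(resource):
        policy = node.policies.get(constraint)
        if policy is None:
            continue                      # nothing set here, look at the parent
        if policy.allow_all:
            return None
        if policy.deny_all:
            return set()
        values = set(policy.allowed_values)
        if policy.inherit_from_parent and node.parent is not None:
            parent_allowed = effective_allowed(node.parent, constraint)
            if parent_allowed is not None:
                values |= parent_allowed  # merge the inherited allow list
        return values
    return None


def is_allowed(resource: Resource, constraint: str, value: str) -> bool:
    allowed = effective_allowed(resource, constraint)
    return allowed is None or value in allowed


def check_vm_request(project: Resource, zone: str, external_ip: bool) -> list:
    """Return the policy violations a VM create request in `project` would hit."""
    region = zone.rsplit("-", 1)[0]                      # europe-west2-a -> europe-west2
    violations = []
    if not is_allowed(project, "constraints/gcp.resourceLocations", f"in:{region}-locations"):
        violations.append(f"{region} is not an allowed location for {project.name}")
    # vmExternalIpAccess allow-lists instance names; denyAll means no VM may get one.
    instance = f"{project.name}/zones/{zone}/instances/example-vm"
    if external_ip and not is_allowed(project, "constraints/compute.vmExternalIpAccess", instance):
        violations.append(f"external IP not permitted in {project.name}")
    return violations


def build_hierarchy() -> dict:
    """The lesson's tree: org constraint, inheriting project, exempted project."""
    org = Resource("organizations/ORG_ID_PLACEHOLDER")    # placeholder, not a real org id
    org.set_policy(ListPolicy("constraints/compute.vmExternalIpAccess", deny_all=True))
    org.set_policy(ListPolicy("constraints/gcp.resourceLocations",
                              allowed_values=frozenset({"in:europe-west2-locations"})))
    engineering = Resource("folders/engineering", parent=org)
    # Folder adds one more region but keeps the org's list via inheritFromParent.
    engineering.set_policy(ListPolicy("constraints/gcp.resourceLocations",
                                      allowed_values=frozenset({"in:europe-west1-locations"}),
                                      inherit_from_parent=True))
    sandbox = Resource("folders/sandbox", parent=org)
    eng_prod = Resource("projects/eng-prod", parent=engineering)
    sandbox_1 = Resource("projects/sandbox-1", parent=sandbox)
    # Exemption set by the org policy admin: allowAll at project level replaces denyAll.
    sandbox_1.set_policy(ListPolicy("constraints/compute.vmExternalIpAccess", allow_all=True))
    return {"org": org, "eng-prod": eng_prod, "sandbox-1": sandbox_1}


if __name__ == "__main__":
    h = build_hierarchy()
    for name, zone, ext in [("eng-prod", "europe-west2-a", True),
                            ("eng-prod", "europe-west1-b", False),
                            ("sandbox-1", "europe-west2-a", True),
                            ("sandbox-1", "us-central1-a", True)]:
        print(name, zone, "external_ip=" + str(ext), "->", check_vm_request(h[name], zone, ext) or "OK")
```

Note that eng-prod has no `vmExternalIpAccess` policy of its own, so the org's `denyAll` is what it gets; no IAM role on the project changes that. The sandbox exemption works only because a policy admin wrote a replacing policy at the project node, which is the one thing the org admin column in the tree refers to.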