This page lists additional considerations you must be aware of when using organization restrictions.
Multi-resource access
Google Cloud API requests might involve operations on multiple resources. Organization restrictions
header service checks whether all resources that are part of the request
are in the list of authorized organizations. If any resource is not part of the list of authorized
organizations, the request is denied.
Allow download for Vault users
Google Vault
is an information governance
and eDiscovery tool for Google Workspace. Vault administrators access Google Workspace user data stored
in Google-owned Cloud Storage buckets.
By default, the organization restrictions feature restricts Vault administrators from downloading
an exported Google Workspace user data from a Google-owned Cloud Storage bucket.
To allow requests that originate from the Vault administrators, ensure that organization ID
organizations/433637338589
, which stores Vault data, is added to the organization restrictions header.
We recommend to add this ID of the organization, which stores Vault data, only in headers
for requests from Vault administrators.
Enable access to Google-owned resources
To enable developers to use Google Cloud services, such as BigQuery
or Compute Engine, Google Cloud provides Google-owned public resources. For example,
Compute Engine provides
public OS images
that help developers quickly get started with building their own or leveraging one
of these images to host their workloads. Other Google Cloud services employ similar
public resource patterns. These public resources are hosted in a Google-owned Google Cloud organization.
To ensure that users of your Google Cloud organization continue to have access
to these public resources after you enforce organization restrictions, add the
following Google-owned Google Cloud organization ID to the list of authorized organizations
in the organization restrictions header:
organizations/433637338589
What's next