This page provides an overview of organization restrictions and how it works.
The organization restrictions feature lets you prevent data exfiltration
through phishing or insider attacks. For managed devices in an organization, the organization restrictions
feature restricts access to resources in authorized Google Cloud organizations only; requests to
resources in any other Google Cloud organization are denied.
How organization restrictions works
In Google Cloud, Identity and Access Management governs access to resources. Administrators use
Identity and Access Management policy to control who can access the resources within their
organization. IAM policy alone, however, does not stop an employee on a managed device from
signing in to and reaching resources in some other Google Cloud organization, so organizations
also need to restrict their employees' access to resources in authorized Google Cloud organizations
only. Setting up organization restrictions takes two roles working together: Google Cloud
administrators, who administer Google Cloud, and egress proxy administrators, who configure the egress proxy.
The following diagram illustrates how the different components work to enforce organization restrictions:
The architecture diagram shows the following components:
Managed device
: A device that is governed by the organizational policies of
a company. Employees of an organization use a managed device to access the organization
resources.
Egress proxy
: An egress proxy administrator configures
the proxy to add the organization restrictions header to every request originating
from a managed device. Because the header is added by the proxy rather than by the
client, the proxy configuration prevents
users from accessing any Google Cloud resources in non-authorized Google Cloud organizations.
Google Cloud
: The organization restrictions feature in Google Cloud inspects all requests
for the organization restrictions header, and allows or denies each request based on
whether the organization being accessed is listed in the header.
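The following model of the header flow is an added example and not code from this page or from Google Cloud. It follows the documented format of the organization restrictions header (`X-Goog-Allowed-Resources`, carrying base64-encoded JSON that lists `organizations/ORGANIZATION_ID` resources), but the organization IDs, the request dictionaries, the `proxy_add_header` function and the `enforce` function are constructed here for illustration; the enforcement logic only simulates the allow-or-deny decision that Google Cloud makes.

```python
"""Model of the organization restrictions header flow.

Added example, not Google Cloud's implementation. The header name and the
JSON layout follow the documented organization restrictions header format;
the organization IDs and the proxy/enforcement functions are constructed
for illustration only.
"""
import base64
import json

HEADER_NAME = "X-Goog-Allowed-Resources"


def build_header_value(org_ids, options="strict"):
    """Encode the list of authorized organizations as the header value.

    The value is base64-encoded JSON of the form
    {"resources": ["organizations/<id>", ...], "options": "strict"}.
    """
    payload = {
        "resources": [f"organizations/{org_id}" for org_id in org_ids],
        "options": options,
    }
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def proxy_add_header(request, org_ids):
    """Egress proxy side: attach the header to a request from a managed device.

    Any header value the client supplied is replaced, never kept or merged,
    so a tampered or phished client cannot widen the allowed organizations.
    """
    headers = dict(request.get("headers", {}))
    headers[HEADER_NAME] = build_header_value(org_ids)
    return {**request, "headers": headers}


def parse_header_value(value):
    """Decode the header and return the set of allowed organization resources.

    Raises ValueError for anything that is not valid base64, valid JSON, or
    a list of "organizations/<id>" strings.
    """
    try:
        payload = json.loads(base64.b64decode(value, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("malformed organization restrictions header") from exc
    resources = payload.get("resources") if isinstance(payload, dict) else None
    if not isinstance(resources, list) or not all(
        isinstance(r, str) and r.startswith("organizations/") for r in resources
    ):
        raise ValueError("header does not list organization resources")
    return set(resources)


def enforce(request, target_org_id):
    """Simulated enforcement: return "allow" or "deny" for a request.

    A request without the header is not restricted (only requests that went
    through the egress proxy carry it); a malformed header is treated as deny.
    """
    value = request.get("headers", {}).get(HEADER_NAME)
    if value is None:
        return "allow"
    try:
        allowed = parse_header_value(value)
    except ValueError:
        return "deny"
    return "allow" if f"organizations/{target_org_id}" in allowed else "deny"


if __name__ == "__main__":
    # Constructed organization IDs, not real ones.
    authorized = ["123456789012"]
    managed_request = proxy_add_header({"headers": {}}, authorized)
    print(enforce(managed_request, "123456789012"))  # allow: authorized org
    print(enforce(managed_request, "999999999999"))  # deny: other org
```

The two checks worth keeping from this model are that the proxy overwrites rather than merges any client-supplied header, and that the enforcement side rejects a header it cannot decode instead of falling back to "no restriction".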
Common use cases
Here are some common organization restrictions use cases:
Implementing these use cases requires engagement between Google Cloud administrators,
who administer Google Cloud, and egress proxy administrators, who configure the egress proxy.
What's next