When an organization resource is created, all users in your domain are granted the
Billing Account Creator
and
Project Creator
roles by default. These
default roles allow your users to start using Google Cloud immediately, but
are not intended for use in regular operation of your organization resource.
This page describes how to designate a
Billing Account Creator
and
Project Creator
for regular operations, and how to remove roles that were
assigned by default to the organization resource.
Adding a Billing Account Creator and Project Creator
To migrate existing billing accounts into an organization resource, a user must have the
Billing Account Creator IAM role. Users with the Project Creator
role are able to create and manage Project resources. To add additional Billing
Account Creators and Project Creators, follow these steps:
Console
To grant the Billing Account Creator or Project Creator role using
Google Cloud console:
Go to the
Manage resources
page in the Google Cloud console:
Open the Manage resources page
On the
Organization
drop-down list, select your organization resource.
Select the check box for the organization resource. If you do not have a
Folder resource, the organization resource will not be visible. To
continue, see the instructions for granting roles through the
IAM
page.
On the right side
Info Panel
, under
Permissions
, enter the
email address of the principal you want to add.
In the
Select a role
drop-down, select
Billing > Billing Account Creator
or
Resource Manager > Project Creator
.
Click
Add
. A dialog will appear to confirm the addition or update of
the principal's new role.
Removing default roles from the organization resource
After you designate your own Billing Account Creator and Project Creator roles,
you can remove these roles from the organization resource to restrict those
permissions to specifically designated users. To remove roles from the
organization resource, follow these steps:
Console
To remove the roles assigned to users by default using the Google Cloud console:
Go to the
Manage resources
page in the Google Cloud console:
Open the Manage resources page
Click the
Organization
drop-down list at the top of the page and then select
your organization resource.
Select the check box for the organization resource for which you want to
change permissions. If you do not have a Folder resource, the
organization resource will not be visible. To continue, see the
instructions for revoking roles through the
IAM
page.
On the right side
Info Panel
, under
Permissions
, click to expand the role
from which you want to remove users.
Under the expanded role list, next to the principal you want to remove from
the role, click remove.
On the
Remove principal?
dialog that appears, click
Remove
to confirm removing the role from the specified principal.
Repeat the above two steps for each role you want to remove.