Resource Hierarchy in Google Cloud
Purpose of the GCP resource hierarchy :-
Provide a hierarchy of ownership, which binds the lifecycle of a resource to its immediate parent in the hierarchy.
Provide attach points and inheritance for access control and organization policies.
This hierarchical organization of resources enables you to set access control policies and configuration settings on a parent resource, and the policies and IAM settings are inherited by the child resources.
Organization :-
The Organization resource represents an organization (for example, a company) and is the root node in the GCP resource hierarchy.
The IAM access control policies applied on the Organization resource apply throughout the hierarchy on all resources in the organization.
GCP users are not required to have an Organization resource.
A user acquires an Organization resource only if they are also G Suite or Cloud Identity customers.
The G Suite or Cloud Identity account represents a company and is a prerequisite to have access to the Organization resource.
Each G Suite or Cloud Identity account may have exactly one Organization provisioned with it.
Once an Organization resource is created for a domain, all GCP projects created by members of the account domain will by default belong to the Organization resource.
The Organization resource is the root node of the GCP resource hierarchy and all resources that belong to an organization are grouped under the organization node.
The Organization node provides central visibility and control over every resource that belongs to an organization.
G Suite or Cloud Identity provides identity management, recovery mechanisms, ownership and lifecycle management.
With G Suite or Cloud Identity, the G Suite super admin is granted the ability to assign Cloud IAM roles by default; their main duty with respect to GCP is to assign the Organization Administrator IAM role to appropriate users in their domain.
Benefits of the Organization resource
With an Organization resource, projects belong to the organization instead of the employee who created the project. This means that the projects are no longer deleted when an employee leaves the company; instead they follow the organization's lifecycle on Google Cloud Platform.
Organization administrators have central control of all resources. They can view and manage all of your company's projects.
You can grant roles at the organization level, which are inherited by all projects and folders under the Organization resource.
For example, you can grant the Network Admin role to your networking team at the organization level, allowing them to manage all the networks in all projects in your company, instead of granting them the role on each individual project.
An Organization resource created using the Resource Manager API consists of the following
Folders :-
Folder resources provide an additional grouping mechanism and isolation boundaries between projects.
Folders can be used to model different legal entities, departments, and teams within a company.
Folders allow delegation of administration rights; for example, a department head can be granted full ownership of all GCP resources that belong to their department.
Access to resources can be limited by folder, so users in one department can only access and create Cloud resources within that folder.
Folders and projects are all mapped under the Organization resource.
IAM roles granted on a folder are automatically inherited by all projects and folders included in that folder.
Projects :-
The project resource is the base-level organizing entity.
Organizations and folders may contain multiple projects.
A project is required to use Google Cloud Platform, and forms the basis for creating, enabling, and using all GCP services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
All resources must belong to exactly one project.
All projects consist of the following:
Two identifiers:
Project ID, which is a unique identifier for the project.
Project number, which is automatically assigned when you create the project. It is read-only.
One mutable display name.
The lifecycle state of the project; for example, ACTIVE or DELETE_REQUESTED.
A collection of labels that can be used for filtering projects.
The time when the project was created.
A project ID is the customized name you chose when you created the project. If you activate an API that requires a project, you will be directed to create a project or select a project using its project ID. (Note that the name string, which is displayed in the UI, is not the same as the project ID.)
A project number is automatically generated by GCP. Both the project ID and project number can be found on the dashboard of the project in the Google Cloud Platform Console.
The initial IAM policy for the newly created project resource grants the owner role to the creator of the project.
IAM policy :-
IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies on the resources.
You can set an IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level.
The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors.
Cloud IAM and Organization policies are inherited through the hierarchy.
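The inheritance rules in the Folders and IAM policy sections above (a role granted on a folder or the organization is inherited by everything beneath it, and the effective policy is the union of the resource's own bindings and its ancestors') can be made concrete with a small in-memory model. This is an added example, not code from the original post and not Google's Resource Manager or IAM library; the organization, folder, project and principal names are constructed sample data, while roles/owner and roles/compute.networkAdmin are real predefined roles. It also mimics the post's statement that a newly created project grants roles/owner to its creator.

```python
"""Model of GCP IAM policy inheritance through the resource hierarchy.

Added illustration, not Google's code: Organization -> Folder -> Project
with IAM bindings attached at each level. effective_policy() computes
the union of a resource's own policy and every ancestor's policy, which
is how the post describes inheritance. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class Resource:
    """One node in the hierarchy: an organization, a folder or a project."""
    kind: str                       # "organization", "folder" or "project"
    name: str
    parent: Optional["Resource"] = None
    # IAM policy set directly on this node: role -> set of principals
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, principal: str) -> None:
        """Add a binding to the policy attached directly to this node."""
        self.bindings.setdefault(role, set()).add(principal)

    def ancestors(self) -> Iterator["Resource"]:
        """Yield this node, then its parent, and so on up to the root."""
        node: Optional[Resource] = self
        while node is not None:
            yield node
            node = node.parent


def effective_policy(resource: Resource) -> Dict[str, Set[str]]:
    """Union of the resource's own bindings and all inherited bindings."""
    merged: Dict[str, Set[str]] = {}
    for node in resource.ancestors():
        for role, principals in node.bindings.items():
            merged.setdefault(role, set()).update(principals)
    return merged


def has_role(resource: Resource, principal: str, role: str) -> bool:
    """True if the principal holds the role on the resource, directly or inherited."""
    return principal in effective_policy(resource).get(role, set())


def create_project(project_id: str, parent: Resource, creator: str) -> Resource:
    """Mimic project creation: the initial policy grants roles/owner to the creator."""
    if parent.kind not in ("organization", "folder"):
        raise ValueError("a project's parent must be an organization or a folder")
    project = Resource("project", project_id, parent)
    project.grant("roles/owner", creator)
    return project


def build_sample_hierarchy() -> Dict[str, Resource]:
    """Constructed sample: one org, two department folders, three projects."""
    org = Resource("organization", "example.com")     # constructed sample org
    # Network Admin granted once at the organization level, as in the post
    org.grant("roles/compute.networkAdmin", "group:netops@example.com")

    sales = Resource("folder", "sales", org)
    eng = Resource("folder", "engineering", org)
    # Folder-level delegation: the department head owns everything in the folder
    eng.grant("roles/owner", "user:eng-head@example.com")

    projects = {
        "sales-crm": create_project("sales-crm", sales, "user:alice@example.com"),
        "eng-api": create_project("eng-api", eng, "user:bob@example.com"),
        "eng-data": create_project("eng-data", eng, "user:carol@example.com"),
    }
    return {"org": org, "sales": sales, "engineering": eng, **projects}


if __name__ == "__main__":
    hierarchy = build_sample_hierarchy()
    for project_name in ("sales-crm", "eng-api"):
        policy = effective_policy(hierarchy[project_name])
        print(project_name, {role: sorted(p) for role, p in policy.items()})
```

Running it shows the two consequences the post describes: the netops group holds Network Admin on every project without a per-project grant, and the engineering department head holds roles/owner on eng-api and eng-data but not on sales-crm, because the folder is the boundary the binding was attached to. Note that in the real service removing a binding on a project cannot revoke a role inherited from an ancestor; the same holds in this model, which is why a review of who can reach a resource must walk the whole ancestor chain rather than the project's own policy.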