Google Cloud resources are organized hierarchically:
The organization is the root node in the hierarchy.
Folders are children of the organization, or of another folder.
Projects are children of the organization, or of a folder.
Resources for each service are descendants of projects.
You can set an allow policy at any level in the resource hierarchy: the organization level, the folder level, the project level, or the resource level. Resources inherit the allow policies of all of their parent resources. The effective allow policy for a resource is the union of the allow policy set on that resource and the allow policies inherited from higher up in the hierarchy.
This policy inheritance is transitive; in other words, resources inherit allow policies from the project, which inherits allow policies from folders, which inherit allow policies from the organization. Therefore, organization-level allow policies also apply at the resource level.
Google's best practice recommends using multiple projects, one for each environment and application, to isolate environments from each other, give better access control, and avoid changes to the development project accidentally impacting the production environment. Creating four different projects (for each application and environment) is the most effective way. This also allows for better resource management, as each project has its own set of quotas, billing, and monitoring.
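The following is an added illustration, not code from Google Cloud or from the original page: a small model of the resource hierarchy that computes the effective allow policy of a node as the union of the bindings on that node and on every ancestor, as described above. The organization, folder, project and bucket names, the groups and service accounts, and the bindings are all constructed sample data. It also shows why separate projects isolate environments: a role granted in the dev folder never reaches a bucket under the prod project, because inheritance only flows downward along the parent chain.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """One node of the resource hierarchy (organization, folder, project or resource)."""
    name: str
    parent: Optional["Node"]
    # role -> members bound directly on this node (the node's own allow policy)
    bindings: Dict[str, Set[str]] = field(default_factory=dict)


def effective_policy(node: Node) -> Dict[str, Set[str]]:
    """Union of the node's own bindings with the bindings of all ancestors.

    Inheritance is transitive, so walking the parent chain to the root
    (the organization) collects every binding that applies to this node.
    """
    merged: Dict[str, Set[str]] = {}
    current: Optional[Node] = node
    while current is not None:
        for role, members in current.bindings.items():
            merged.setdefault(role, set()).update(members)
        current = current.parent
    return merged


def has_role(node: Node, member: str, role: str) -> bool:
    """True if the member holds the role on the node, directly or by inheritance."""
    return member in effective_policy(node).get(role, set())


def grant_sources(node: Node, member: str, role: str) -> List[str]:
    """Names of the nodes (self or ancestors) whose own policy grants member the role.

    Useful when auditing: an unexpected grant on a resource is often set
    far higher in the hierarchy than where it is observed.
    """
    sources: List[str] = []
    current: Optional[Node] = node
    while current is not None:
        if member in current.bindings.get(role, set()):
            sources.append(current.name)
        current = current.parent
    return sources


def build_sample_hierarchy() -> Dict[str, Node]:
    """Constructed sample hierarchy: one organization, a dev and a prod folder,
    one project per environment, and one storage bucket per project."""
    org = Node("organizations/EXAMPLE_ORG", None,
               {"roles/viewer": {"group:security-auditors@example.com"}})
    dev_folder = Node("folders/dev", org,
                      {"roles/editor": {"group:developers@example.com"}})
    prod_folder = Node("folders/prod", org)
    dev_project = Node("projects/app1-dev", dev_folder)
    prod_project = Node("projects/app1-prod", prod_folder,
                        {"roles/storage.objectViewer":
                         {"serviceAccount:app1@app1-prod.iam.gserviceaccount.com"}})
    dev_bucket = Node("buckets/app1-dev-data", dev_project)
    prod_bucket = Node("buckets/app1-prod-data", prod_project)
    return {
        "org": org, "dev_folder": dev_folder, "prod_folder": prod_folder,
        "dev_project": dev_project, "prod_project": prod_project,
        "dev_bucket": dev_bucket, "prod_bucket": prod_bucket,
    }


if __name__ == "__main__":
    h = build_sample_hierarchy()
    for name in ("dev_bucket", "prod_bucket"):
        print(name)
        for role, members in sorted(effective_policy(h[name]).items()):
            print(f"  {role}: {sorted(members)}")
```

Running the block prints the effective policy of each bucket: the auditors' org-level `roles/viewer` appears on both, the developers' `roles/editor` appears only on the dev bucket, and the prod service account's `roles/storage.objectViewer` appears only on the prod bucket. `grant_sources` answers the audit question "where was this granted?" by naming the ancestor node that carries the binding.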