Google Certified Associate Cloud Engineer 2020


GCP related question – Can inherited policies be overridden in case of policies applied according to org hierarchy?

Can inherited policies be overridden? If so, at what level (org, project, folder, resource level)? The policies, in this case, are applied according to the org hierarchy. Can the policy be such that a resource was working before but, after application of the hierarchy, it stopped working?

2 Answers

That is not possible, no. In particular, access that is granted at one level (any level) cannot be revoked at any other level (neither higher nor lower). A slide in the IAM Breakdown – Policies lecture notes:


Always additive ("Allow") and never subtractive (no "Deny")  

It’s good to check that you correctly understand things like this. 👍

Mattias

nvvnravi

Thanks Mattias for the response.

Not sure if Matt’s response is obsolete… Here is the latest as per the GCP docs:

https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy

When you set an organization policy on a resource hierarchy node, all descendants of that resource hierarchy node inherit the organization policy by default. If you set an organization policy at the root organization node, then those restrictions are inherited by all child folders, projects, and resources.

You can set custom organization policy on child nodes, which will overwrite or merge with the inherited policy based on the rules of hierarchy evaluation.
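The two answers above talk about two different mechanisms: the first is about IAM allow policies (role bindings), where the effective access on a resource is the union of everything granted on it and on its ancestors, so a binding cannot be revoked further down; the second is about organization policy constraints, where a child node either inherits the parent's constraint, merges with it, or replaces it. The model below is an added illustration written for this thread, not Google's code: the hierarchy, members, role names and location values are constructed, and the merge and precedence rules are a simplified version of the documented behaviour. It also shows how an organization policy set above a project can stop a previously working resource without any IAM change, which is the last part of the question.

```python
"""Simplified model of policy evaluation down the GCP resource hierarchy.

Constructed illustration for this discussion (not Google's implementation):
  * IAM allow policies: effective roles on a node are the UNION of bindings on
    the node and all of its ancestors; nothing granted higher up is removable
    lower down.
  * Organization policy list constraints: walking from the root down, a node
    with no policy inherits; a node with inheritFromParent merges its lists
    with the inherited ones; otherwise its policy replaces the inherited one.
"""
from dataclasses import dataclass, field

# Constructed hierarchy: organization -> folder -> project -> resource.
PARENT = {
    "organizations/123": None,
    "folders/eng": "organizations/123",
    "projects/web-prod": "folders/eng",
    "projects/web-prod/instances/vm-1": "projects/web-prod",
}


def ancestors(node):
    """Yield node itself, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = PARENT[node]


# --- IAM allow policies (constructed bindings: node -> role -> members) ---
IAM_BINDINGS = {
    "organizations/123": {"roles/viewer": {"user:alice@example.com"}},
    "folders/eng": {"roles/compute.admin": {"user:alice@example.com"}},
    "projects/web-prod": {"roles/viewer": {"user:bob@example.com"}},
    # Deliberately empty: removing alice at the project or resource level
    # changes nothing, because her bindings live on the ancestors.
    "projects/web-prod/instances/vm-1": {},
}


def effective_roles(member, node):
    """Union of every role granted to member on node or any ancestor."""
    roles = set()
    for n in ancestors(node):
        for role, members in IAM_BINDINGS.get(n, {}).items():
            if member in members:
                roles.add(role)
    return roles


# --- Organization policy list constraints -------------------------------
@dataclass
class ListPolicy:
    allowed: set
    denied: set = field(default_factory=set)
    inherit_from_parent: bool = False


LOCATIONS = "constraints/gcp.resourceLocations"  # real constraint name

# Constructed policies; the location values are simplified placeholders.
ORG_POLICIES = {
    LOCATIONS: {
        "organizations/123": ListPolicy(allowed={"us-east1", "us-west1"}),
        # Merge: the folder adds a region to what the org allows.
        "folders/eng": ListPolicy(allowed={"europe-west1"}, inherit_from_parent=True),
        # Replace: the project narrows everything down to one region.
        "projects/web-prod": ListPolicy(allowed={"us-east1"}),
    }
}


def effective_list_policy(constraint, node):
    """Evaluate a list constraint top-down: inherit, merge, or replace."""
    effective = None
    for n in reversed(list(ancestors(node))):  # root first
        policy = ORG_POLICIES.get(constraint, {}).get(n)
        if policy is None:
            continue  # nothing set here: keep the inherited policy
        if policy.inherit_from_parent and effective is not None:
            effective = ListPolicy(
                allowed=effective.allowed | policy.allowed,
                denied=effective.denied | policy.denied,
            )
        else:
            effective = policy  # custom policy replaces the inherited one
    return effective


def value_allowed(constraint, node, value):
    """Simplified precedence: denied wins, then an allowed list restricts."""
    policy = effective_list_policy(constraint, node)
    if policy is None:
        return True  # no policy anywhere in the chain: constraint default
    if value in policy.denied:
        return False
    if policy.allowed and value not in policy.allowed:
        return False
    return True


if __name__ == "__main__":
    vm = "projects/web-prod/instances/vm-1"
    print("alice on vm-1:", sorted(effective_roles("user:alice@example.com", vm)))
    print("bob on vm-1:", sorted(effective_roles("user:bob@example.com", vm)))
    print("folder locations:", sorted(effective_list_policy(LOCATIONS, "folders/eng").allowed))
    print("vm-1 in europe-west1 allowed:", value_allowed(LOCATIONS, vm, "europe-west1"))
```

Running the block shows alice keeping both roles on the VM even though nothing grants them there, and the VM losing europe-west1 the moment the project sets its own location policy. One caveat on the allow-only IAM model: it matches what the thread describes for 2020; Google has since added IAM deny policies as a separate mechanism, so check the current documentation before relying on "never subtractive".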
