Can inherited policies be overridden? If so, at what level (org, proj, folder, resource level)? Are the policies, in this case, applied according to the org hierarchy? Can the policy be such that a resource was working before, but after application of the hierarchy it stopped working?
That is not possible, no. In particular, access that is granted at one level (any level) cannot be revoked at any other level (neither higher nor lower). A slide in the IAM Breakdown – Policies lecture notes:
Always additive ("Allow") and never subtractive (no "Deny")
It’s good to check that you correctly understand things like this. 👍
Not sure if Matt’s response is obsolete… Here is the latest as per the GCP docs:
When you set an organization policy on a resource hierarchy node, all descendants of that resource hierarchy node inherit the organization policy by default. If you set an organization policy at the root organization node, then those restrictions are inherited by all child folders, projects, and resources.
You can set custom organization policy on child nodes, which will overwrite or merge with the inherited policy based on the rules of hierarchy evaluation.
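The two replies describe different mechanisms: additive IAM allow policies, and organization policies that a child node can overwrite or merge. The following added example (not part of either post, and not Google's implementation) is a simplified model of both; the hierarchy, principals, `loc-*` values and the `inherit_from_parent` key are constructed for illustration.

```python
# Simplified model of the two inheritance behaviours in this thread.
# Hierarchy, principals and values are constructed; not Google's code.
PARENT = {"vm-1": "proj-a", "proj-a": "folder-x", "folder-x": "org", "org": None}

def ancestry(node):
    """Yield the node, then each ancestor up to the organization root."""
    while node is not None:
        yield node
        node = PARENT[node]

def effective_iam(bindings, node):
    """IAM allow policy: union of bindings on the node and all ancestors.
    A lower level can add grants but cannot subtract inherited ones."""
    granted = set()
    for n in ancestry(node):
        granted |= bindings.get(n, set())
    return granted

def effective_list_constraint(policies, node):
    """Organization policy list constraint (simplified): the nearest policy
    replaces what is inherited unless inherit_from_parent is set, in which
    case values merge and denied values win. None = constraint default."""
    chain = []
    for n in ancestry(node):
        policy = policies.get(n)
        if policy is not None:
            chain.append(policy)
            if not policy.get("inherit_from_parent", False):
                break  # this policy overrides everything above it
    if not chain:
        return None
    allowed, denied = set(), set()
    for policy in chain:
        allowed |= policy.get("allowed", set())
        denied |= policy.get("denied", set())
    return allowed - denied

BINDINGS = {  # constructed (member, role) pairs
    "org": {("alice@example.com", "roles/viewer")},
    "proj-a": {("bob@example.com", "roles/editor")},
}
MERGE = {  # folder narrows the org's allowed list by merging in a deny
    "org": {"allowed": {"loc-a", "loc-b"}},
    "folder-x": {"denied": {"loc-b"}, "inherit_from_parent": True},
}
OVERRIDE = dict(MERGE, **{"proj-a": {"allowed": {"loc-c"}}})  # no inherit

if __name__ == "__main__":
    print(sorted(effective_iam(BINDINGS, "vm-1")))
    print([effective_list_constraint(p, "vm-1") for p in (MERGE, OVERRIDE)])
```

In this model a grant made at the org level is still effective on `vm-1`, while the allowed values seen by `vm-1` change as soon as a folder or project sets its own organization policy.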