2 Answers
That is not possible, no. In particular, access that is granted at one level (any level) cannot be revoked at any other level (neither higher nor lower). A slide in the IAM Breakdown – Policies lecture notes:
Always additive ("Allow") and never subtractive (no "Deny")
It’s good to check that you correctly understand things like this. 👍
Mattias
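An added illustration of the additive inheritance described in the answer above, not part of the original post and not Google's code: a small Python model in which the effective allow policy on a resource is the union of the bindings on it and on every ancestor. The resource names, members and helper functions are constructed for this example.

```python
# Constructed hierarchy (child -> parent); names are illustrative only.
PARENT = {
    "projects/demo-app": "folders/engineering",
    "folders/engineering": "organizations/example",
    "organizations/example": None,
}

# Allow-policy bindings set directly on each node: role -> members (constructed).
BINDINGS = {
    "organizations/example": {"roles/viewer": {"group:auditors@example.com"}},
    "folders/engineering": {"roles/editor": {"user:dev@example.com"}},
    "projects/demo-app": {"roles/viewer": {"user:contractor@example.com"}},
}


def ancestry(resource):
    """Yield the resource, then each ancestor up to the root."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_bindings(resource, bindings=BINDINGS):
    """Union of the bindings on the resource and on all of its ancestors."""
    merged = {}
    for node in ancestry(resource):
        for role, members in bindings.get(node, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged


def grant_sources(resource, role, member, bindings=BINDINGS):
    """Nodes whose own policy grants `role` to `member`.

    Revoking the access means editing the policy on every node returned here;
    changing the policy on the resource itself does not affect inherited grants.
    """
    return [node for node in ancestry(resource)
            if member in bindings.get(node, {}).get(role, set())]


if __name__ == "__main__":
    # Emptying the project's own policy leaves the folder-level grant in effect.
    stripped = {**BINDINGS, "projects/demo-app": {}}
    print(effective_bindings("projects/demo-app", stripped))
    print(grant_sources("projects/demo-app", "roles/editor", "user:dev@example.com"))
```

`grant_sources` is the audit step that follows from the answer: to remove an inherited grant, find the ancestor that holds the binding and change it there.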
Not sure if Matt’s response is obsolete… Here is the latest as per GCP docs:
https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy
When you set an organization policy on a resource hierarchy node, all descendants of that resource hierarchy node inherit the organization policy by default. If you set an organization policy at the root organization node, then those restrictions are inherited by all child folders, projects, and resources.
You can set custom organization policy on child nodes, which will overwrite or merge with the inherited policy based on the rules of hierarchy evaluation.
Thanks Mattias for the response.