If I’m not mistaken, the documentation here https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy says that we can set or unset policy inheritance. This way we can define totally new policies at a sublevel.
Can somebody confirm?
I presume the restriction around “child policies cannot restrict access granted at a higher level” was specified for IAM policy in the tutorial.
The link you are referring to specifies policies on the organization hierarchy, which is where, based on inheritFromParent=True or False, policy inheritance takes effect.
One more thing: I disagree as well with “always additive, never subtractive”; in the same link provided, look at example #2: Resource 2 defines a custom policy that sets inheritFromParent to TRUE and denies green circle. Deny values always take precedence during policy reconciliation. The policy from the Organization Node is inherited and merged with the custom policy, and the effective policy evaluates to allow only red square.
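To make the reconciliation described in that example concrete, here is a small Python model of how a list-constraint org policy is merged down the hierarchy; it is an added illustration, not code from the thread or from Google, and it is a simplification: it assumes each level carries explicit allowed/denied value sets (as in the docs example) and ignores constraint defaults and the "allow all" / "deny all" forms.

```python
from dataclasses import dataclass, field

@dataclass
class ListPolicy:
    """Simplified model of a GCP Organization Policy list constraint (constructed)."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    inherit_from_parent: bool = True

def effective_policy(chain):
    """chain: policies ordered from the Organization node down to the resource.

    Returns (effective_allowed, effective_denied). Models two rules from the docs:
    - inheritFromParent=False makes the custom policy replace what was inherited;
    - inheritFromParent=True merges it, and denied values always win over allowed.
    """
    allowed, denied = set(), set()
    for policy in chain:
        if not policy.inherit_from_parent:
            # A non-inheriting custom policy discards everything inherited so far.
            allowed, denied = set(), set()
        allowed |= policy.allowed
        denied |= policy.denied
    # Deny takes precedence during reconciliation (this is the subtractive step).
    return allowed - denied, denied

def is_allowed(chain, value):
    """True if `value` survives reconciliation at the bottom of `chain`."""
    effective_allowed, _ = effective_policy(chain)
    return value in effective_allowed

# Constructed inputs mirroring the docs example: the Organization node allows
# red square and green circle; Resource 2 inherits and denies green circle;
# Resource 3 does not inherit and defines its own allow list.
ORG = ListPolicy(allowed={"red square", "green circle"})
RESOURCE_2 = ListPolicy(denied={"green circle"}, inherit_from_parent=True)
RESOURCE_3 = ListPolicy(allowed={"blue triangle"}, inherit_from_parent=False)

if __name__ == "__main__":
    print(effective_policy([ORG, RESOURCE_2]))   # ({'red square'}, {'green circle'})
    print(effective_policy([ORG, RESOURCE_3]))   # ({'blue triangle'}, set())
```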