Google Cloud Organization Policy gives you centralized, programmatic control over your organization's resources. As the organization policy administrator, you can define an organization policy, which is a set of restrictions called constraints that apply to Google Cloud resources and descendants of those resources in the Google Cloud resource hierarchy. You can enforce organization policies at the organization, folder, or project level.
Organization Policy provides predefined constraints for various Google Cloud services. However, if you want more granular, customizable control over the specific fields that are restricted in your organization policies, you can also create custom constraints. Implementing a custom constraint for CCAI Platform requires you to configure your instances for private access. This restricts public internet access to those instances, which means that you need to set up Private Service Connect for your agents, managers, and CCAI Platform administrators to access them. For more information, see Set up Private Service Connect.
Benefits
Organization policies for CCAI Platform let Google Cloud administrators enforce organization-wide constraints over network paths that are not covered by VPC Service Controls. In addition, these organization policies offer fine-grained control over ingress and egress paths by partitioning the network traffic into components. For more information, see Components.
Policy inheritance
By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on a folder, Google Cloud enforces the policy on all projects in the folder. To learn more about this behavior and how to change it, refer to Hierarchy evaluation rules.
Pricing
The Organization Policy Service, including predefined and custom organization policies, is offered at no charge.
Limitations
CCAI Platform is not integrated with Cloud Asset Inventory and therefore the Policy Simulator feature of Policy Intelligence is not available for CCAI Platform Organization Policy.
Before you begin
Before you begin, do the following:
- Follow the steps in Set up your Google Cloud project for CCAI Platform.
- To install and initialize the Google Cloud CLI, do the following:
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
- Ensure that you know your organization ID.
Required roles
To get the permissions that you need to manage organization policies, ask your administrator to grant you the following IAM roles:
-
Organization policy administrator (
roles/orgpolicy.policyAdmin
) on the organization resource -
For full access to CCAI Platform resources:
Contact Center AI Platform Admin (
roles/contactcenteraiplatform.admin
) on the project resource -
For the ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project:
Service Usage Admin (
roles/serviceusage.serviceUsageAdmin
) on the project resource
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to manage organization policies. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage organization policies:
-
orgpolicy.customConstraints.get
-
orgpolicy.customConstraints.list
-
orgpolicy.customConstraints.create
-
orgpolicy.customConstraints.update
-
orgpolicy.customConstraints.delete
You might also be able to get these permissions with custom roles or other predefined roles.
Components
You use components when creating custom constraints on CCAI Platform instances. Components are abstractions of network paths associated with specific CCAI Platform functionalities. For example, the agent component represents the group of all ingress network paths related to the tasks that an agent, manager, or CCAI Platform administrator does.
The following table shows the components used in CCAI Platform custom constraints:
Component | Description | Traffic direction | Example value |
---|---|---|---|
AGENT |
The group of all ingress network paths related to the tasks that an agent, manager, or CCAI Platform administrator does. | Ingress | AGENT |
CRM |
Egress traffic to a customer relationship management (CRM) app. | Egress | CRM |
MEDIA |
Media egress traffic. | Egress | MEDIA |
DIRECT_ACCESS_POINT |
Egress traffic to a direct access endpoint (DAP). | Egress | DIRECT_ACCESS_POINT |
EMAIL |
Email egress traffic. | Egress | EMAIL |
COBROWSE |
Co-browse egress traffic. | Egress | COBROWSE |
WORKFORCE_MANAGEMENT |
Workforce management egress traffic. | Egress | WORKFORCE_MANAGEMENT |
Create a custom constraint
A custom constraint is defined in a YAML file by the resources, methods, conditions, and actions that are supported by the service on which you are enforcing the organization policy. Conditions for your custom constraints are defined using Common Expression Language (CEL). For more information about how to build conditions in custom constraints using CEL, see the CEL section of Creating and managing custom constraints.
To define a custom constraint in a YAML file for CCAI Platform, follow these steps:
Create a text file that contains the following lines:
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME resourceTypes: - contactcenteraiplatform.googleapis.com/ContactCenter methodTypes: - CREATE - UPDATE condition: "CONDITION" actionType: ACTION_TYPE displayName: "DISPLAY_NAME" description: "DESCRIPTION"
Replace the following:
ORGANIZATION_ID
: your organization ID.CONSTRAINT_NAME
: the name of your custom constraint. A custom constraint must start with acustom.
prefix, and can only include uppercase letters, lowercase letters, or numbers—for example,custom.requirePrivateAccess
. This field has a maximum length of 70 characters, not counting the prefix.CONDITION
: a CEL condition that is written against a representation of a supported service resource—for example,resource.privateAccess.ingressSettings.exists(private_component, private_component.name == "AGENT")
. This field has a maximum length of 1000 characters. For more information about the resources that are available to write conditions against, see CCAI Platform supported resources and operations. For more information about components, see Components.ACTION_TYPE
: the action to take if thecondition
is met. SpecifyALLOW
.DISPLAY_NAME
: a human-friendly name for the constraint. This field has a maximum length of 200 characters.DESCRIPTION
: a human-friendly description of the constraint to display as an error message when the policy is violated. This field has a maximum length of 2000 characters.
Save the custom constraint as a YAML file—for example,
customconstraint.yaml
. Use the path to this file as the value of theCONSTRAINT_PATH
variable in Set up a custom constraint.
For more information about custom organization policies and constraint syntax, see Example custom organization policies for common use cases.
Set up a custom constraint
After you have created the YAML file for a new custom constraint, you must set it up to make it available for organization policies in your organization. To set up a custom constraint, use thegcloud org-policies set-custom-constraint
command:
gcloud org-policies set-custom-constraint CONSTRAINT_PATH
CONSTRAINT_PATH
with the full path to your
custom constraint file. For example, /home/user/customconstraint.yaml
.
Once completed, your custom constraints are available as organization policies
in your list of Google Cloud organization policies.
To verify that the custom constraint exists, use the
gcloud org-policies list-custom-constraints
command:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
ORGANIZATION_ID
with the ID of your organization resource.
For more information, see
Viewing organization policies.
Enforce a custom constraint
You can enforce a boolean constraint by creating an organization policy that references it, and applying that organization policy to a Google Cloud resource.
To enforce a custom constraint, follow these steps:
To create an organization policy that enforces a boolean constraint, create a policy YAML file that references the following constraint:
name: projects/PROJECT_ID/policies/CONSTRAINT_NAME spec: rules: - enforce: true
Replace the following:
PROJECT_ID
: the project on which you want to enforce your constraint.CONSTRAINT_NAME
: the name that you defined for your custom constraint—for example,custom.requirePrivateAccess
.
To enforce the organization policy containing the constraint, run the following command:
gcloud org-policies set-policy POLICY_PATH
Replace
POLICY_PATH
with the full path to your organization policy YAML file. The policy will take up to 15 minutes to take effect.
Test the custom constraint
A custom constraint, as defined in Create a custom
constraint (with a component of type AGENT
, as in
the example in the CONDITION
description), enforces the following behaviors:
Creating or updating an instance with a component of type
AGENT
succeeds. For more information, see Create and update a CCAI Platform instance with a component of typeAGENT
.Creating or updating an instance without a component of type
AGENT
fails. For more information, see Create a CCAI Platform instance without a component of typeAGENT
and Update a CCAI Platform instance without a component of typeAGENT
.
Create and update a CCAI Platform instance with a component of type AGENT
To test creating and updating a CCAI Platform instance with a component
of type AGENT
, follow these steps:
Create, set up, and enforce a custom constraint as directed in this document.
Create an instance as directed in Create a CCAI Platform instance configured for private access. The instance creation succeeds.
To update the instance, do the following:
In the Google Cloud console, in the navigation menu, click CCAI Platform.
The CCAI Platform instances page displays.
Click the name of the instance that you created previously in this procedure.
Click Edit, and then click Configure deployments.
Change the deployment schedule, and then click Save. The update succeeds.
Because you created a private CCAI Platform instance, you need to Set up a Private Service Connect connection to access it.
Create a CCAI Platform instance without a component of type AGENT
To test creating and updating a CCAI Platform instance without a
component of type AGENT
, follow these steps:
Create, set up, and enforce a custom constraint as directed in this document.
Attempt to create an instance as directed in Create a CCAI Platform instance, without configuring private access. The instance creation fails.
Update a CCAI Platform instance without a component of type AGENT
As demonstrated in Create a CCAI Platform instance without a component
of type AGENT
, you can't
create an instance without a component of type AGENT
after enforcing the
custom constraint. If you already had such an instance before you enforced the
custom constraint, after enforcing the constraint, updates to the instance fail
(unless the updates include adding a component of type AGENT
—see the
following note).
CCAI Platform supported resources and operations
The following table shows the supported resources and operations for Organization Policy custom constraints.
Resource | Action | Attribute | Operator | Example condition |
---|---|---|---|---|
ContactCenter | Create or update an instance. For more information, see Create a CCAI Platform instance. | name | contains | resource.name.contains("us-central1/contactCenters/myContactCenter") |
matches | resource.name.matches("projects/my-project/locations/us-central1/contactCenters/myContactCenter") |
|||
startsWith | resource.name.startsWith("projects/my-project") |
|||
endsWith | resource.name.endsWith("myContactCenter") |
|||
privateAccess | exists |
resource.privateAccess.ingressSettings.exists(private_component, private_component.name == "AGENT")
Checks that the |
Example custom organization policies for common use cases
The following table provides the syntax of some custom organization policies that you might find useful:
Description | Constraint syntax |
---|---|
All of the specified components are private—in other words, AGENT) . |
name: organizations/ORGANIZATION_ID/customConstraints/custom.requirePrivateAccess resourceTypes: - contactcenteraiplatform.googleapis.com/ContactCenter methodTypes: - CREATE - UPDATE condition: "resource.privateAccess.ingressSettings.exists(private_component, private_component.name == "AGENT")" actionType: ALLOW displayName: Agents cannot connect over the internet. description: Internet access is disallowed for agents. |
All instances, except the single specified instance, must use the specified private AGENT . |
name: organizations/ORGANIZATION_ID/customConstraints/custom.requirePrivateAccess resourceTypes: - contactcenteraiplatform.googleapis.com/ContactCenter methodTypes: - CREATE - UPDATE condition: "resource.privateAccess.ingressSettings.exists(private_component, private_component.name == "AGENT" || resource.name.contains('myContactCenterId')" actionType: ALLOW displayName: Restrict Internet access to AGENT for all instances except a single instance. description: Internet access for agents is restricted except for myContactcenterId CCAI Platform instances. |
What's next
- Introduction to the Organization Policy Service
- Using constraints
- Creating and managing custom organization policies
- Organization policy constraints