Additional considerations

This page lists additional considerations you must be aware of when using organization restrictions.

Multi-resource access

Google Cloud API requests might involve operations on multiple resources. Organization restrictions header service checks whether all resources that are part of the request are in the list of authorized organizations. If any resource is not part of the list of authorized organizations, the request is denied.

Allow download for Vault users

Google Vault is an information governance and eDiscovery tool for Google Workspace. Vault administrators access Google Workspace user data stored in Google-owned Cloud Storage buckets.

By default, the organization restrictions feature restricts Vault administrators from downloading an exported Google Workspace user data from a Google-owned Cloud Storage bucket. To allow requests that originate from the Vault administrators, ensure that organization ID organizations/433637338589, which stores Vault data, is added to the organization restrictions header.

We recommend to add this ID of the organization, which stores Vault data, only in headers for requests from Vault administrators.

Enable access to Google-owned resources

To enable developers to use Google Cloud services, such as BigQuery or Compute Engine, Google Cloud provides Google-owned public resources. For example, Compute Engine provides public OS images that help developers quickly get started with building their own or leveraging one of these images to host their workloads. Other Google Cloud services employ similar public resource patterns. These public resources are hosted in a Google-owned Google Cloud organization.

To ensure that users of your Google Cloud organization continue to have access to these public resources after you enforce organization restrictions, add the following Google-owned Google Cloud organization ID to the list of authorized organizations in the organization restrictions header:


What's next