Stay organized with collections
Save and categorize content based on your preferences.
This page describes several common examples of how to use organization restrictions.
Restrict access only to your organization
In this example, the Google Cloud administrator and egress proxy administrator of
Organization A engage together to restrict employees to only access resources in their
Google Cloud organization.
To restrict access only to your organization, do the following:
As a Google Cloud administrator, to get the Google Cloud organization ID of
Organization A, use the gcloud organizations list command:
gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization A
ID: 123456789
DIRECTORY_CUSTOMER_ID: a1b2c3d4
As an egress proxy administrator, after you get the organization ID from the Google Cloud
administrator, compose the JSON representation for the header value in the following format:
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted in all of the requests originating from the managed devices
in Organization A:
Restrict access to your organization and allow read requests to Cloud Storage resources
In this example, the Google Cloud administrator and egress proxy administrator of
Organization A engage together to restrict employees to only access resources in their
Google Cloud organization, except for read requests to Cloud Storage resources.
Administrators might want to omit read requests to Cloud Storage resources from
organization restrictions enforcement to ensure that their employees can access
external websites that use Cloud Storage to host static content. The administrator
uses the cloudStorageReadAllowed option to allow read requests to Cloud Storage resources.
To restrict access only to your organization and allow read requests to Cloud Storage
resources, do the following:
As a Google Cloud administrator, to get the Google Cloud organization ID of
Organization A, use the gcloud organizations list command:
gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization A
ID: 123456789
DIRECTORY_CUSTOMER_ID: a1b2c3d4
As an egress proxy administrator, after you get the organization ID from the Google Cloud
administrator, compose the JSON representation for the header value in the following format:
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted in all of the requests originating from the managed devices
in Organization A:
The employees of Organization A now have access to their Google Cloud organization
and read access to Cloud Storage resources.
Allow employees access to a vendor Google Cloud organization
In this example, the Google Cloud administrator and egress proxy administrator of
Organization B engage together to allow employees to access a vendor Google Cloud organization
in addition to their existing Google Cloud organization.
To restrict employee access only to your organization and the vendor organization, do the following:
As a Google Cloud administrator, engage with the vendor to get the Google Cloud
organization ID of the vendor organization.
As an egress proxy administrator, to include the vendor organization ID in addition
to the existing organization ID, you must update the JSON representation for
the header value. After you get the vendor organization ID from the Google Cloud
administrator, update the header value in the following format:
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted in all of the requests originating from the managed devices
in Organization B:
The employees of Organization B now have access to both the vendor and their Google Cloud organizations.
Restrict access only for uploads
In this example, the Google Cloud administrator and egress proxy administrator of
Organization C engage together to restrict upload access of employees only to resources in the
Google Cloud organization.
To restrict upload access only to your organization, do the following:
As a Google Cloud administrator, to get the Google Cloud organization ID of
Organization C, use the gcloud organizations list command:
gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization C
ID: 123456789
DIRECTORY_CUSTOMER_ID: a1b2c3d4
As an egress proxy administrator, after you get the organization ID from the Google Cloud
administrator, compose the JSON representation for the header value in the following format:
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted only for requests with PUT, POST, and PATCH methods
originating from the managed devices in Organization C:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Examples of organization restrictions\n\nThis page describes several common examples of how to use organization restrictions.\n\nRestrict access only to your organization\n-----------------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization A engage together to restrict employees to only access resources in their\nGoogle Cloud organization.\n\nTo restrict access only to your organization, do the following:\n\n1. As a Google Cloud administrator, to get the Google Cloud organization ID of\n Organization A, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):\n\n gcloud organizations list\n\n The following is the example output: \n\n ```\n DISPLAY_NAME: Organization A\n ID: 123456789\n DIRECTORY_CUSTOMER_ID: a1b2c3d4\n ```\n2. As an egress proxy administrator, after you get the organization ID from the Google Cloud\n administrator, compose the JSON representation for the header value in the following format:\n\n {\n \"resources\": [\"organizations/123456789\"],\n \"options\": \"strict\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted in all of the requests originating from the managed devices\n in Organization A:\n\n X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\nRestrict access to your organization and allow read requests to Cloud Storage resources\n---------------------------------------------------------------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization A engage together to restrict employees to only access resources in their\nGoogle Cloud organization, except for read requests to Cloud Storage resources.\nAdministrators might want to omit read requests to Cloud Storage resources from\norganization restrictions enforcement to ensure that their employees can access\nexternal websites that use Cloud Storage to host static content. The administrator\nuses the `cloudStorageReadAllowed` option to allow read requests to Cloud Storage resources.\n\nTo restrict access only to your organization and allow read requests to Cloud Storage\nresources, do the following:\n\n1. As a Google Cloud administrator, to get the Google Cloud organization ID of\n Organization A, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):\n\n gcloud organizations list\n\n The following is the example output: \n\n ```\n DISPLAY_NAME: Organization A\n ID: 123456789\n DIRECTORY_CUSTOMER_ID: a1b2c3d4\n ```\n2. As an egress proxy administrator, after you get the organization ID from the Google Cloud\n administrator, compose the JSON representation for the header value in the following format:\n\n {\n \"resources\": [\"organizations/123456789\"],\n \"options\": \"cloudStorageReadAllowed\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=l\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted in all of the requests originating from the managed devices\n in Organization A:\n\n X-Goog-Allowed-Resources: ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=l\n\n The employees of Organization A now have access to their Google Cloud organization\n and read access to Cloud Storage resources.\n\nAllow employees access to a vendor Google Cloud organization\n------------------------------------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization B engage together to allow employees to access a vendor Google Cloud organization\nin addition to their existing Google Cloud organization.\n\nTo restrict employee access only to your organization and the vendor organization, do the following:\n\n1. As a Google Cloud administrator, engage with the vendor to get the Google Cloud\n organization ID of the vendor organization.\n\n2. As an egress proxy administrator, to include the vendor organization ID in addition\n to the existing organization ID, you must update the JSON representation for\n the header value. After you get the vendor organization ID from the Google Cloud\n administrator, update the header value in the following format:\n\n {\n \"resources\": [\"organizations/1234\", \"organizations/3456\"],\n \"options\": \"strict\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted in all of the requests originating from the managed devices\n in Organization B:\n\n X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K\n\n The employees of Organization B now have access to both the vendor and their Google Cloud organizations.\n\nRestrict access only for uploads\n--------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization C engage together to restrict upload access of employees only to resources in the\nGoogle Cloud organization.\n\nTo restrict upload access only to your organization, do the following:\n\n1. As a Google Cloud administrator, to get the Google Cloud organization ID of\n Organization C, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):\n\n gcloud organizations list\n\n The following is the example output: \n\n ```\n DISPLAY_NAME: Organization C\n ID: 123456789\n DIRECTORY_CUSTOMER_ID: a1b2c3d4\n ```\n2. As an egress proxy administrator, after you get the organization ID from the Google Cloud\n administrator, compose the JSON representation for the header value in the following format:\n\n {\n \"resources\": [\"organizations/123456789\"],\n \"options\": \"strict\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted only for requests with PUT, POST, and PATCH methods\n originating from the managed devices in Organization C:\n\n X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\nWhat's next\n-----------\n\n- Learn about the [services supported by organization restrictions](/resource-manager/docs/organization-restrictions/supported-services)."]]