Introduction to organization restrictions

This page provides an overview of organization restrictions and how it works.

The organization restrictions feature lets you prevent data exfiltration through phishing or insider attacks. For managed devices in an organization, the organization restrictions feature restricts access only to resources in authorized Google Cloud organizations.

How organization restrictions works

In Google Cloud, Identity and Access Management governs access to resources. Administrators use Identity and Access Management policy to control who can access the resources within their organization. There is a need in organizations to restrict access of their employees only to resources in authorized Google Cloud organizations. Google Cloud administrators who administer Google Cloud, and egress proxy administrators, who configure the egress proxy, engage together to set up organization restrictions.

The following diagram illustrates how the different components work to enforce organization restrictions:

Organization restrictions workflow

The architecture diagram shows the following components:

  • Managed device: A device that is governed by the organizational policies of a company. Employees of an organization use a managed device to access the organization resources.

  • Egress proxy: An egress proxy administrator configures the proxy to add organization restrictions headers to any requests originating from a managed device. This proxy configuration prevents users from accessing any Google Cloud resources in non-authorized Google Cloud organizations.

  • Google Cloud: The organization restrictions feature in Google Cloud inspects all requests for organization restrictions header, and allows or denies the requests based on the organization being accessed.

Common use cases

Here are some common organization restrictions use cases:

Implementing these use cases require engagement between Google Cloud administrators, who administer Google Cloud, and egress proxy administrators who configure the egress proxy.

What's next