Make sure that the delegated administrator to whom the scoped access policy
is delegated has the cloudasset.assets.searchAllResources
permission on the folder or the project to which the scoped policy is bound.
This permission is required by the delegated administrator to search all Google Cloud resources.
Create a scoped access policy and delegate administration to folders and projects in the organization.
After you create a scoped access policy, you cannot change the scope of the policy.
To change the scope of an existing policy, delete the policy, and recreate the policy with the new scope.
Console
In the Google Cloud console navigation menu, click Security, and then
click VPC Service Controls.
If you are prompted, select your organization, folder, or project.
On the VPC Service Controls page, select the access policy that is the
parent of the scoped policy. For example, you can select the default policy
organization policy.
Click Manage policies.
On the Manage VPC Service Controls page, click Create.
On the Create access policy page, in the Access policy name box,
type a name for the scoped access policy.
The scoped access policy name can have a maximum length of 50 characters, must start
with a letter, and can contain only ASCII Latin letters (a-z, A-Z),
numbers (0-9), or underscores (_). The scoped access policy name is case sensitive
and must be unique within an organization's access policy.
To specify a scope for the access policy, click Scopes.
Specify either a project or a folder as the scope of the access policy.
To select a project that you want to add to the scope of the access
policy, do the following:
In the Scopes pane, click Add project.
In the Add project dialog, select that project's checkbox.
Click Done. The added project appears in the Scopes section.
To select a folder that you want to add to the scope of the access policy,
do the following:
In the Scopes pane, click Add folder.
In the Add folders dialog, select that folder's checkbox.
Click Done. The added folder appears in the Scopes section.
To delegate administration of the scoped access policy, click Principals.
To specify the principal
and the role that you want to bind to the access policy, do the following:
In the Principals pane, click Add principals.
In the Add principals dialog, select a principal, such as a user
name or service account.
Select the role that you want to associate with the principal, such
as editor and read roles.
Click Save. The added principal and role appear in the Principals section.
On the Create access policy page, click Create access policy.
ORGANIZATION_ID is the numeric ID of your organization.
POLICY_TITLE is a human-readable title for your policy.
The policy title can have a maximum length of 50 characters, must start
with a letter, and can contain only ASCII Latin letters (a-z, A-Z),
numbers (0-9), or underscores (_). The policy title is case sensitive
and must be unique within an organization's access policy.
SCOPE is the folder or project on which this policy is applicable. You
can specify only one folder or project as the scope, and the scope must exist
within the specified organization. If you don't specify a scope, the policy
applies to the entire organization.
POLICY is ID of the policy or fully qualified identifier for the policy.
PRINCIPAL is the principal to add the binding for. Specify in the
following format: user|group|serviceAccount:email or domain:domain.
ROLE is the role name to assign to the principal. The role name
is the complete path of a predefined role, such as roles/accesscontextmanager.policyEditor,
or the role ID for a custom role, such as
organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor.
API
To create a scoped access policy, do the following:
ORGANIZATION_ID is the numeric ID of your organization.
SCOPE is the folder or project on which this policy is applicable.
POLICY_TITLE is a human-readable title for your policy.
The policy title can have a maximum length of 50 characters, must start
with a letter, and can contain only ASCII Latin letters (a-z, A-Z),
numbers (0-9), or underscores (_). The policy title is case sensitive
and must be unique within an organization's access policy.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies
Response body
If successful, the response body for the call contains an
Operation resource that provides details about the
POST operation.
To delegate administration of the scoped access policy, do the following:
Create a request body.
{"policy":"IAM_POLICY",}
Where:
IAM_POLICY is a collection of bindings. A binding binds one
or more members, or principals, to a single role. Principals can be user
accounts, service accounts, Google groups, and domains. A role is a named
list of permissions; each role can be an IAM predefined role or a user-created
custom role.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Create a scoped access policy\n\nThis page describes how to create and delegate scoped access policies.\n\nBefore you begin\n----------------\n\n- Read about [scoped policies](/access-context-manager/docs/scoped-policies).\n\n- Read about [granting access to VPC Service Controls](/vpc-service-controls/docs/access-control).\n\n | **Note:** The access control for scoped policies is independent of the projects or folders in their scopes. Any Access Context Manager permissions granted on folders or projects have no effect on scoped policies as permissions can only be granted at the organization-level or on individual policies.\n- Make sure that the delegated administrator to whom the scoped access policy\n is delegated has the [`cloudasset.assets.searchAllResources`](/sdk/gcloud/reference/asset/search-all-resources)\n permission on the folder or the project to which the scoped policy is bound.\n This permission is required by the delegated administrator to search all Google Cloud resources.\n\n- Read about [configuring service perimeters](/vpc-service-controls/docs/service-perimeters).\n\nCreating a scoped access policy\n-------------------------------\n\nCreate a scoped access policy and delegate administration to folders and projects in the organization.\nAfter you create a scoped access policy, you cannot change the scope of the policy.\nTo change the scope of an existing policy, delete the policy, and recreate the policy with the new scope.\n**Warning:** If an organization-level access policy doesn't exist for your organization, scoped policies that you create at the folder or project-level don't work. \n\n### Console\n\n1. In the Google Cloud console navigation menu, click **Security** , and then\n click **VPC Service Controls**.\n\n [Go to VPC Service Controls](https://console.cloud.google.com/security/service-perimeter)\n2. If you are prompted, select your organization, folder, or project.\n\n3. On the **VPC Service Controls** page, select the access policy that is the\n parent of the scoped policy. For example, you can select the `default policy`\n organization policy.\n\n4. Click **Manage policies**.\n\n5. On the **Manage VPC Service Controls** page, click **Create**.\n\n6. On the **Create access policy** page, in the **Access policy name** box,\n type a name for the scoped access policy.\n\n The scoped access policy name can have a maximum length of 50 characters, must start\n with a letter, and can contain only ASCII Latin letters (a-z, A-Z),\n numbers (0-9), or underscores (`_`). The scoped access policy name is case sensitive\n and must be unique within an organization's access policy.\n7. To specify a scope for the access policy, click **Scopes**.\n\n8. Specify either a project or a folder as the scope of the access policy.\n\n - To select a project that you want to add to the scope of the access\n policy, do the following:\n\n 1. In the **Scopes** pane, click **Add project**.\n\n 2. In the **Add project** dialog, select that project's checkbox.\n\n 3. Click **Done** . The added project appears in the **Scopes** section.\n\n - To select a folder that you want to add to the scope of the access policy,\n do the following:\n\n 1. In the **Scopes** pane, click **Add folder**.\n\n 2. In the **Add folders** dialog, select that folder's checkbox.\n\n 3. Click **Done** . The added folder appears in the **Scopes** section.\n\n9. To delegate administration of the scoped access policy, click **Principals**.\n\n10. To specify the [principal](/iam/docs/overview#concepts_related_identity)\n and the role that you want to bind to the access policy, do the following:\n\n 1. In the **Principals** pane, click **Add principals**.\n\n 2. In the **Add principals** dialog, select a principal, such as a user\n name or service account.\n\n 3. Select the role that you want to associate with the principal, such\n as editor and read roles.\n\n 4. Click **Save** . The added principal and role appear in the **Principals** section.\n\n11. On the **Create access policy** page, click **Create access policy**.\n\n### gcloud\n\nTo create a scoped access policy, use the [`gcloud access-context-manager policies create`](/sdk/gcloud/reference/access-context-manager/policies/create)\ncommand. \n\n```bash\ngcloud access-context-manager policies create \\\n--organization ORGANIZATION_ID [--scopes=SCOPE] --title POLICY_TITLE\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e is the numeric ID of your organization.\n\n- \u003cvar translate=\"no\"\u003ePOLICY_TITLE\u003c/var\u003e is a human-readable title for your policy.\n The policy title can have a maximum length of 50 characters, must start\n with a letter, and can contain only ASCII Latin letters (a-z, A-Z),\n numbers (0-9), or underscores (`_`). The policy title is case sensitive\n and must be unique within an organization's access policy.\n\n- \u003cvar translate=\"no\"\u003eSCOPE\u003c/var\u003e is the folder or project on which this policy is applicable. You\n can specify only one folder or project as the scope, and the scope must exist\n within the specified organization. If you don't specify a scope, the policy\n applies to the entire organization.\n\nThe following output appears (where \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e\nis a unique [numeric identifier for the policy](https://cloud.google.com/access-context-manager/docs/manage-access-policy#get_the_name_of_an_access_policy)\nassigned by Google Cloud): \n\n```\nCreate request issued\nWaiting for operation [accessPolicies/POLICY_NAME/create/1521580097614100] to complete...done.\nCreated.\n```\n\nTo delegate administration by binding a principal and role with a scoped access policy, use the [`add-iam-policy-binding`](/sdk/gcloud/reference/access-context-manager/policies/add-iam-policy-binding)\ncommand. \n\n```bash\ngcloud access-context-manager policies add-iam-policy-binding \\\n[POLICY] --member=PRINCIPAL --role=ROLE\n```\n\nWhere:\n\n- \u003cvar translate=\"no\"\u003ePOLICY\u003c/var\u003e is ID of the policy or fully qualified identifier for the policy.\n\n- \u003cvar translate=\"no\"\u003ePRINCIPAL\u003c/var\u003e is the principal to add the binding for. Specify in the\n following format: `user|group|serviceAccount:email` or `domain:domain`.\n\n- \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e is the role name to assign to the principal. The role name\n is the complete path of a predefined role, such as `roles/accesscontextmanager.policyEditor`,\n or the role ID for a custom role, such as\n `organizations/{ORGANIZATION_ID}/roles/accesscontextmanager.policyEditor`.\n\n### API\n\nTo create a scoped access policy, do the following:\n\n1. Create a request body.\n\n ```json\n {\n \"parent\": \"\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e\",\n \"scope\": \"\u003cvar translate=\"no\"\u003eSCOPE\u003c/var\u003e\"\n \"title\": \"\u003cvar translate=\"no\"\u003ePOLICY_TITLE\u003c/var\u003e\"\n }\n ```\n\n Where:\n - \u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e is the numeric ID of your organization.\n\n - \u003cvar translate=\"no\"\u003eSCOPE\u003c/var\u003e is the folder or project on which this policy is applicable.\n\n - \u003cvar translate=\"no\"\u003ePOLICY_TITLE\u003c/var\u003e is a human-readable title for your policy.\n The policy title can have a maximum length of 50 characters, must start\n with a letter, and can contain only ASCII Latin letters (a-z, A-Z),\n numbers (0-9), or underscores (`_`). The policy title is case sensitive\n and must be unique within an organization's access policy.\n\n2. Create the access policy by\n calling [`accessPolicies.create`](/access-context-manager/docs/reference/rest/v1/accessPolicies/create).\n\n ```\n POST https://accesscontextmanager.googleapis.com/v1/accessPolicies\n ```\n\n#### Response body\n\nIf successful, the response body for the call contains an\n[`Operation`](/access-context-manager/docs/reference/rest/Shared.Types/Operation) resource that provides details about the\n`POST` operation.\n\nTo delegate administration of the scoped access policy, do the following:\n\n1. Create a request body.\n\n ```json\n {\n \"policy\": \"\u003cvar translate=\"no\"\u003eIAM_POLICY\u003c/var\u003e\",\n }\n ```\n\n Where:\n - \u003cvar translate=\"no\"\u003eIAM_POLICY\u003c/var\u003e is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains. A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.\n2. Delegate the access policy by\n calling [`accessPolicies.setIamPolicy`](/access-context-manager/docs/reference/rest/v1/accessPolicies/setIamPolicy).\n\n ```\n POST https://accesscontextmanager.googleapis.com/v1/accessPolicies\n ```\n\n#### Response body\n\nIf successful, the response body contains an instance of [`policy`](/access-context-manager/docs/reference/rest/Shared.Types/Policy).\n\nWhat's next\n-----------\n\n- Learn how to [manage existing](/vpc-service-controls/docs/manage-service-perimeters) service perimeters."]]
