How to identify the owner of an organization in google cloud - google-cloud-platform

I have access to the organization and I'm trying to add someone as owner, but the system shows this message:
"You are missing at least one of the following required permissions:"
The question is: how can I find out who the owner of this organization is?

By design it's not possible to check who the owner of the organisation is (it would pose too much of a threat for them).
If you don't have the proper permissions, just ask your IT department / superiors - someone has the required permissions (Organization Administrator) and will be able to assign the required role to your account so that you can add other users.

Related

Unable to view organizational policies of GCP organization I own

Within an organization of which I am the sole admin, I am unable to enumerate and therefore manage the organizational policies from within the GCP console. Does anyone know why this might be and/or how I'd go about fixing it? Any guidance as to documentation that was perhaps missed during setup, etc. would be appreciated.
Organization Administrator includes the missing permissions resourcemanager.organizations.get along with orgpolicy.constraints.list and orgpolicy.policies.list.
Do note that this role is not automatically granted for being the sole user on the account; it has to be assigned via the IAM menu.
The Owner role does not have these permissions, as the Owner role is limited to the Project level.

Google Cloud: Why am I not an organization administrator?

I am attempting to expand my usage of Google Cloud and running into issues. When I go to IAM & Admin -> IAM and select my organization, I get an error: "You do not have sufficient permissions to view this page". A bit lower: "You are missing the following required permissions: resourcemanager.organizations.getIamPolicy".
I'm confused by this because if I select a project IN the organization I see I have the "Organization Administrator" role which has that exact permission assigned. I also have "Owner" role.
I also cannot upgrade from Basic support to any paid support due to this issue, so I literally cannot get any help from anyone at Google.
I created this org! Do I need to delete everything and start over? (ugh)
Based on what @JohnHanley shared in the comments:
Organization Admin must be applied (bound) at the organization level. If you created the organization, then you have a Workspace or Identity account. Use that account to login. The problem should be easy to solve once you are using the correct account to authenticate.
In addition to that:
To administer a particular project or product on GCP, you must ask your organization or the team managing your Google Workspace Admin to increase your role and authorization to a higher hierarchy.

Organization Admin somehow doesn't have access to create a folder in GCP?

I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account).
But when I go to Manage Resources and try to create a new folder, it doesn't let me select the organization as the location, because I "don't have the required resourcemanager.folders.create permission". If I try to create the folder in a project that's in the organization, I get "Unknown error".
I'm the user who created the organization and all projects in the first place, and the only G-Suite user that even exists on this domain.
If you review the permissions that Organization Administrator has, resourcemanager.folders.create is not one of them.
IAM Roles
Org Admin by itself has almost infinite power because it can set IAM policies. This means the Org Admin can grant any IAM permission to any identity.
Grant yourself the required role such as roles/resourcemanager.folderAdmin.
Note: I recommend keeping the Org Admin as a separate identity that you lock away and only use to manage the organization. Create separate identities for day-to-day operations, development, and deployment.

Is it possible to add an organization to an existing GCP account?

I am not able to add an organization to an already existing GCP account. The account has two projects running. I created a different account in order to create an organization, because GCP would not let me add an organization in the same account. After creating the account I get the following message:
When you use only your personal account, the projects are attached to a virtual organization named "No Organisation".
If you have a domain name, you can create a Cloud Identity account and an admin user. Remove all licences from your user to pay nothing (even if you need to enroll for a free trial, do this and then remove the licences to pay nothing).
So, now you have a new user (with @domainName), but you don't have your old project. No problem: go to the organisation level, open the IAM page and grant your personal account the Organisation Admin role.
Go back to your personal account and you will be able to see your No Organization project and your new organization with the same account. Now you simply need to migrate the projects if you want to attach them to the new organization.
Note: it's maybe a lot of new stuff and steps, but I did it and it worked well. Let me know if you need more guidance!

Several missing permissions on GCP Console after account signup

Yesterday, I signed up for a Google Cloud Account. Since I want to link the user access with our own identity platform, I followed the instructions from this article:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
I got as far as the account is created but in the GCP Console, on several screens, I get errors of missing permissions to view things, let alone change things. Here is an example:
I was the one who created the account and in IAM I am listed as the Organization Administrator. How come I am missing so many permissions? Who within Google Cloud Support is listening/reading this and is able to help me?
This is not a bug that needs to be fixed. As the Owner, you can add any roles that you need to your account. Neither the Owner nor the Organization Administrator have all roles assigned. You can, however, add desired roles to grant your identity more permissions. Consult the documentation for permissions assigned to each role. Then add the required roles to your identity (email address).
However, I recommend that you do not use an account with Owner or Organization Admin roles. Lock that identity in your safe after creating several new identities that use the principles of least privilege and have MFA enabled.
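
Added example (not part of the original answers and not Google's tooling): a small Python audit of an organization-level IAM policy. It illustrates the folder-creation answer above (Organization Administrator does not carry resourcemanager.folders.create) and the recommendation in the last answer to keep Org Admin on a separate identity. The policy JSON, the example.com principals and the partial ROLE_PERMS table are constructed assumptions.

```python
import json

# Partial role -> permission excerpt, limited to what the answers on this page
# state. Real role definitions are much larger; consult the IAM documentation.
ROLE_PERMS = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "orgpolicy.constraints.list",
        "orgpolicy.policies.list",
    },
    "roles/resourcemanager.folderAdmin": {"resourcemanager.folders.create"},
}
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"

# Constructed sample in the shape printed by
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:breakglass@example.com", "user:dev@example.com"]},
  {"role": "roles/resourcemanager.folderAdmin",
   "members": ["user:dev@example.com"]},
  {"role": "roles/billing.admin", "members": ["user:finance@example.com"]}
 ], "etag": "constructed", "version": 1}
""")

def roles_by_member(policy):
    """Invert the bindings list into member -> set of roles."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def has_permission(policy, member, permission):
    """True if any role bound to member at this level lists the permission."""
    roles = roles_by_member(policy).get(member, set())
    return any(permission in ROLE_PERMS.get(r, set()) for r in roles)

def mixed_use_org_admins(policy):
    """Org Admins that also carry other org-level roles (not kept separate)."""
    return {m: sorted(r - {ORG_ADMIN})
            for m, r in roles_by_member(policy).items()
            if ORG_ADMIN in r and len(r) > 1}

if __name__ == "__main__":
    print(mixed_use_org_admins(SAMPLE_POLICY))
```

The check only sees bindings made directly at the level the policy was read from; roles granted through group membership or on folders and projects need their own policies inspected.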