Hello,
I have created the Google Workspace and I have a domain with users. I have the account adam@domain.com, and with this account I created the whole workspace; the other accounts are under me. There is an account for my developer, xxx@domain.com, and he has created a GCP project on his account. He tries to run Cloud Run but cannot set --allow-unauthenticated because he doesn't have the permission for domain restricted sharing. When he goes to GCP > IAM > Organization Policies > Domain restricted sharing, the Edit button is grey, cannot be used, and he sees this message:
The following permissions are required to edit organization policies: orgpolicy.policy.get, orgpolicy.policies.create, orgpolicy.policies.delete, and orgpolicy.policies.update.
The "Organization Policy Administrator" (roles/orgpolicy.policyAdmin) role is an example of a role that contains these permissions.
He also tried to switch in GCP from his project to domain.com in IAM organization policies, but this is what he sees:
You need additional access to the organization: domain.com This could be because you have insufficient permissions to access the resource, or because a Principal Access Boundary policy is blocking your access to the resource.
To request access, contact your organization administrator and provide them a copy of the following information:
Troubleshooting info:
Principal: xxx@domain.com
Resource: 666666666666
Missing permissions: orgpolicy.policy.get
So he told me to change it. But when I went to GCP with my 'admin' account adam@domain.com, I didn't see his project, but I saw the organization domain.com in the projects tab. So in IAM > Organization Policies I found Domain restricted sharing, but for me too the Edit button was grey. It is very strange because I am the person who created the domain and am the administrator, and I cannot change this thing at the organization level.
What should I do?
Hello @koppelos, welcome to the Google Cloud Community.
Did you assign Organization Policy Admin to your user? See, even if you are a Super User, it doesn't mean that you will be able to do everything within Google Cloud. It's made with purpose. SoD (separation of duties) and least privilege are approaches which give you only those permissions which you actually need to do your job, and their role is to ensure that duties, especially highly privileged ones like Org Policy Admin or Security Admin, are not assigned by default and you have to assign them explicitly.
PS: This role must be assigned AT ORG level.
--
cheers,
DamianS
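The point in the answer above is that the role must be bound at the organization, not on the developer's project. The script below is an added example (not from the thread or from Google) that reads the JSON returned by `gcloud organizations get-iam-policy` and `gcloud projects get-iam-policy` and reports whether a principal holds Organization Policy Administrator at org level, only at project level, or not at all. The two IAM policies are constructed sample data; the org id 666666666666 is the one from the troubleshooting info above.

```python
import json

# Role the answer says must be granted AT ORG level.
ORG_POLICY_ADMIN = "roles/orgpolicy.policyAdmin"

# Constructed samples of what
#   gcloud organizations get-iam-policy 666666666666 --format=json
#   gcloud projects get-iam-policy <dev-project> --format=json
# might return. Here the developer holds the role only on his own project,
# which is the usual mistake: org policies are evaluated at the org node.
ORG_POLICY_JSON = json.dumps({"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:adam@domain.com"]},
    {"role": "roles/orgpolicy.policyAdmin",
     "members": ["user:security-lead@domain.com"]},
]})
PROJECT_POLICY_JSON = json.dumps({"bindings": [
    {"role": "roles/orgpolicy.policyAdmin",
     "members": ["user:xxx@domain.com"]},
    {"role": "roles/owner", "members": ["user:xxx@domain.com"]},
]})


def members_with_role(policy_json, role):
    """Members bound to `role`. Conditional bindings are skipped because they
    only apply while the condition holds, so they are not a reliable grant."""
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            members.update(binding.get("members", []))
    return members


def diagnose(principal, org_policy_json, project_policy_json):
    """Return 'org', 'project-only' or 'none' for where `principal`
    holds Organization Policy Administrator."""
    member = f"user:{principal}"
    if member in members_with_role(org_policy_json, ORG_POLICY_ADMIN):
        return "org"
    if member in members_with_role(project_policy_json, ORG_POLICY_ADMIN):
        return "project-only"   # fix: bind at the org, e.g.
        # gcloud organizations add-iam-policy-binding 666666666666 \
        #   --member=user:xxx@domain.com --role=roles/orgpolicy.policyAdmin
    return "none"


if __name__ == "__main__":
    for p in ("adam@domain.com", "xxx@domain.com", "security-lead@domain.com"):
        print(p, "->", diagnose(p, ORG_POLICY_JSON, PROJECT_POLICY_JSON))
```

Group memberships are not expanded here; a principal granted the role through a Google group would show as "none" unless the group is resolved separately.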