
Can't assign Organization Policy Administrator role to myself

I am the sole owner of the organization, yet when I wanted to modify a policy, it says that I don't have the permission:


I researched and noted that the Organization Policy Administrator role has those permissions, yet when I want to assign that role to myself, it doesn't appear on the list:


Even though I see it in the roles list:


What am I doing wrong? I am finding this quite frustrating given that I don't have the permissions even though I am the owner of the organization.

Thanks in advance.

Solved

2 ACCEPTED SOLUTIONS

Hi @oteiza-a 

Did you try to add this policy AT THE ORGANIZATION level of IAM?
Or you can use this command:

gcloud organizations add-iam-policy-binding YOUR_ORG_ID --member='user:YOUR_EMAIL' --role='roles/orgpolicy.policyAdmin'

cheers,
DamianS


This was harder than necessary to understand, but I simply had to select my main organization from the project selector and then set the permissions; this way the permissions are inherited by the other projects. Also, you can use the gcloud command that @DamianS shows in the console (this was my first time using GCP, so I didn't know how to use the gcloud console).


13 REPLIES

Hello @oteiza-a ,

Quoting here a response from @lawrencenelson regarding a question the same as yours:

Basically, there are different hierarchical levels when setting IAM Policies in Google Cloud. You can set an IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level. Resources inherit the policies of the parent resource. If you set a policy at the organization level, it is inherited by all its child folder and project resources, and if you set a policy at the project level, it is inherited by all its child resources [1]. You can view the diagram below [2].


In your case, your organization needs the orgpolicy.policies.create, orgpolicy.policies.delete, orgpolicy.policies.update, and orgpolicy.policy.get permissions, which are available with the Organization Policy Administrator role.

Including the documentation as well, for your reference:

https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#inheritance

https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#resource-hierarchy-...
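The inheritance rule quoted above (a binding set on an ancestor applies to every descendant, so a project's effective policy is the union of bindings from the project up to the organization) can be modelled in a few lines. The following is an added illustration, not code from the original thread or from Google; the resource names, members and bindings are constructed sample data.

```python
# Minimal model of Google Cloud IAM policy inheritance (added illustration,
# constructed data: none of these resources, members or bindings are real).
# Each resource has at most one parent; a binding set on a resource applies
# to every descendant, so the effective policy of a project is the union of
# the bindings on the project and on all of its ancestors.

PARENT = {
    "organizations/123456789012": None,
    "folders/555": "organizations/123456789012",
    "projects/app-prod": "folders/555",
    "projects/sandbox": "organizations/123456789012",
}

# resource -> {role -> set of members}; keyed by the resource the binding
# was set on, exactly as it would be in that resource's own IAM policy.
BINDINGS = {
    "organizations/123456789012": {
        "roles/orgpolicy.policyAdmin": {"user:owner@example.com"},
    },
    "folders/555": {
        "roles/viewer": {"group:auditors@example.com"},
    },
    "projects/app-prod": {
        "roles/editor": {"user:dev@example.com"},
    },
}


def ancestry(resource):
    """Return the resource followed by its ancestors up to the organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_bindings(resource):
    """Merge the bindings of the resource and of every ancestor (inheritance)."""
    merged = {}
    for r in ancestry(resource):
        for role, members in BINDINGS.get(r, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged


def has_role(member, role, resource):
    """True if `member` holds `role` on `resource` directly or by inheritance."""
    return member in effective_bindings(resource).get(role, set())


if __name__ == "__main__":
    # The org-level binding is visible from a project two levels down,
    # while a project-level binding never flows upward to the organization.
    print(has_role("user:owner@example.com", "roles/orgpolicy.policyAdmin", "projects/app-prod"))
    print(has_role("user:dev@example.com", "roles/editor", "organizations/123456789012"))
```

This is why the accepted answer works: granting roles/orgpolicy.policyAdmin on the organization node is inherited by every folder and project beneath it, whereas the same grant made on a single project is invisible to the organization and to sibling projects.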


@dionv The question is that "orgpolicy.policyAdmin" is not visible to add from the console. So the answer is not clear. Please let us know how this can be enabled via the GCP console portal.


I rarely leave comments on forums but I want to express sincere gratitude for your assistance!

It's a shame that GCP policies are so complicated and people have to lurk for answers. It's crazy to see that the user who created an organization is not its admin by default! Who else is supposed to be an admin then?


@oteiza-a I am facing the same problem. Can anyone help? @DamianS I ran your code in Google Cloud Shell but it is throwing an error.

Please check what I am doing wrong here.

Hello @riyoutku, welcome to the Google Cloud Community.

This doesn't look like an org ID. You've provided "DIRECTORY_CUSTOMER_ID" instead of the organization ID.

Use this command to list all organizations, find yours, and provide ONLY the number after organizations/:


gcloud organizations list --format=json


--
cheers,
DamianS
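The mistake diagnosed above (passing the directory customer ID, which starts with "C", where the numeric organization ID belongs) is easy to catch before running gcloud. The following is an added example, not code from the thread or from Google: it parses a constructed sample of `gcloud organizations list --format=json` output, keeps only the digits after `organizations/`, and refuses to build the add-iam-policy-binding command for anything that is not a bare numeric ID. The organization name, IDs and e-mail address are made up.

```python
import json
import re
import shlex

# Constructed sample of what `gcloud organizations list --format=json` prints.
# The display name, organization ID and directory customer ID are made up.
SAMPLE_LISTING = """[
  {
    "displayName": "example.com",
    "name": "organizations/123456789012",
    "owner": {"directoryCustomerId": "C01abcdef"}
  }
]"""

# A bare organization ID is digits only; a directory customer ID (C0...) or a
# name still carrying the "organizations/" prefix must not pass.
ORG_ID_RE = re.compile(r"^[0-9]+$")


def org_ids_from_listing(listing_json):
    """Map each organization's display name to its numeric ID (the part after
    'organizations/' in the resource name)."""
    result = {}
    for org in json.loads(listing_json):
        prefix, _, org_id = org["name"].partition("/")
        if prefix != "organizations" or not ORG_ID_RE.match(org_id):
            raise ValueError(f"unexpected resource name: {org['name']!r}")
        result[org["displayName"]] = org_id
    return result


def is_valid_org_id(value):
    """True only for a bare numeric organization ID."""
    return bool(ORG_ID_RE.match(value))


def build_binding_command(org_id, email):
    """Return the argv for the org-level role binding, rejecting a malformed ID
    up front so the error surfaces before gcloud reports a permission failure
    (gcloud cannot tell a mistyped ID from one you lack access to)."""
    if not is_valid_org_id(org_id):
        raise ValueError(f"{org_id!r} is not a numeric organization ID")
    return [
        "gcloud", "organizations", "add-iam-policy-binding", org_id,
        f"--member=user:{email}",
        "--role=roles/orgpolicy.policyAdmin",
    ]


if __name__ == "__main__":
    ids = org_ids_from_listing(SAMPLE_LISTING)
    cmd = build_binding_command(ids["example.com"], "admin@example.com")
    # Printed rather than executed: the caller reviews and runs it.
    print(shlex.join(cmd))
```

Note that the numeric ID check only rules out the wrong-identifier case; the permission error shown later in this thread can still occur with a correct ID if the caller has no binding on the organization node itself, since an Owner role held on a project does not flow upward.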

C:\Users\ProoBook\AppData\Local\Google\Cloud SDK>gcloud organizations add-iam-policy-binding ****--member='user
:developer@neonrain.studio' --role='roles/orgpolicy.policyAdmin'
ERROR: (gcloud.organizations.add-iam-policy-binding) User [developer@neonrain.studio] does not have permission to access organizations instance [***:getIamPolicy] (or it may not exist): The caller does not have permission

even though I am using my owner account and I am the sole owner of this organization


Good day all, I am having the exact same issue. Can anyone help me? I need to create a JSON account key to migrate to Microsoft 365.

When I try to disable the Disable Service Account Key Creation policy, I get the errors below.


I am facing the exact same issue and cannot figure out how to resolve it. I need to create a JSON key for a service account to work with the Page Index API.


Hey guys, I am also facing the same error, and I know Damian is very helpful above, but I am truly lost as I am a first-time user of the Google Console.

I am trying to create a JSON key to access the Calendar API.

Hello @yew, welcome to the Google Cloud Community.
No worries, we are here to help. What have you done so far?

--
cheers,
Damian Sztankowski

If you're unable to assign the Organization Policy Administrator role to yourself, it could be due to insufficient permissions or account restrictions. To assign this role, you must be an existing administrator with the required privileges, such as a Global Administrator or Privileged Role Administrator in your organization. Ensure that your account is not restricted by an active policy or custom roles limiting access. If you don’t have the required permissions, contact your organization’s Global Administrator for assistance. Review the platform's documentation for specific guidelines on assigning roles and troubleshooting common issues related to permissions.