Additional considerations
This page lists additional considerations you must be aware of when using organization restrictions.
Multi-resource access
Trusted Cloud by S3NS API requests might involve operations on multiple resources. The organization
restrictions header service checks whether all resources that are part of the request
are in the list of authorized organizations. If any resource is not part of the list of authorized
organizations, the request is denied.
Allow download for Vault users
Google Vault is an information governance
and eDiscovery tool for Google Workspace. Vault administrators access Google Workspace user data stored
in Google-owned Cloud Storage buckets.
By default, the organization restrictions feature restricts Vault administrators from downloading
exported Google Workspace user data from a Google-owned Cloud Storage bucket.
To allow requests that originate from Vault administrators, ensure that the organization ID
organizations/433637338589, which stores Vault data, is added to the organization restrictions header.
We recommend that you add the ID of the organization that stores Vault data only to headers
for requests from Vault administrators.
Enable access to Google-owned resources
To enable developers to use Trusted Cloud services, such as BigQuery
or Compute Engine, Trusted Cloud provides Google-owned public resources. For example,
Compute Engine provides public OS images
that help developers get started quickly, either by building their own images or by using one
of these images to host their workloads. Other Trusted Cloud services employ similar
public resource patterns. These public resources are hosted in a Google-owned Trusted Cloud organization.
To ensure that users of your Trusted Cloud organization continue to have access
to these public resources after you enforce organization restrictions, add the
following Google-owned Trusted Cloud organization ID to the list of authorized organizations
in the organization restrictions header:
organizations/433637338589
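The following added example (not part of the original page or the product's own code) builds a header value for an egress proxy and models the multi-resource rule locally, so you can see why a request that touches a Google-owned public resource is denied until that organization is authorized. The header name X-Goog-Allowed-Resources, its base64url-encoded JSON layout with "resources" and "options", and the placeholder organizations/123456789012 are assumptions that this page does not state.

```python
import base64
import json

# Organization ID this page gives for Google-owned resources (Vault data, public images).
GOOGLE_OWNED_ORG = "organizations/433637338589"
# Constructed placeholder standing in for your own organization.
OWN_ORG = "organizations/123456789012"
# Assumed header name; the page only calls it "the organization restrictions header".
HEADER_NAME = "X-Goog-Allowed-Resources"


def header_value(orgs):
    """Encode the authorized list as base64url JSON (assumed header format)."""
    for org in orgs:
        prefix, _, number = org.partition("/")
        if prefix != "organizations" or not number.isdigit():
            raise ValueError(f"not an organization ID: {org!r}")
    body = {"resources": sorted(set(orgs)), "options": "strict"}
    raw = json.dumps(body, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def authorized_orgs(value):
    """Decode a header value back into the set of authorized organizations."""
    return set(json.loads(base64.urlsafe_b64decode(value))["resources"])


def request_allowed(value, resource_orgs):
    """Local model of the multi-resource rule: deny if any resource's
    organization is missing from the authorized list."""
    allowed = authorized_orgs(value)
    return all(org in allowed for org in resource_orgs)


if __name__ == "__main__":
    own_only = header_value([OWN_ORG])
    with_google = header_value([OWN_ORG, GOOGLE_OWNED_ORG])
    # A VM created in your project from a public OS image touches both organizations.
    vm_from_public_image = [OWN_ORG, GOOGLE_OWNED_ORG]
    print(HEADER_NAME, own_only, request_allowed(own_only, vm_from_public_image))
    print(HEADER_NAME, with_google, request_allowed(with_google, vm_from_public_image))
```
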
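What's next
Learn about using organization restrictions.
Learn about the services supported by organization restrictions.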
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-25 UTC.