Additional considerations

This page lists additional considerations you must be aware of when using organization restrictions.

Multi-resource access

Cloud de Confiance by S3NS API requests might involve operations on multiple resources. The organization restrictions header service checks whether all resources that are part of the request belong to organizations in the list of authorized organizations. If any resource does not belong to an authorized organization, the request is denied.

Allow download for Vault users

Google Vault is an information governance and eDiscovery tool for Google Workspace. Vault administrators access Google Workspace user data stored in Google-owned Cloud Storage buckets.

By default, the organization restrictions feature prevents Vault administrators from downloading exported Google Workspace user data from a Google-owned Cloud Storage bucket. To allow requests that originate from Vault administrators, ensure that organization ID organizations/433637338589, which stores Vault data, is added to the organization restrictions header.

We recommend adding the ID of the organization that stores Vault data only to the headers of requests from Vault administrators.

Enable access to Google-owned resources

To enable developers to use Cloud de Confiance services, such as BigQuery or Compute Engine, Cloud de Confiance provides Google-owned public resources. For example, Compute Engine provides public OS images that help developers get started quickly, either by building their own images or by using one of these images to host their workloads. Other Cloud de Confiance services employ similar public resource patterns. These public resources are hosted in a Google-owned Cloud de Confiance organization.

To ensure that users of your Cloud de Confiance organization continue to have access to these public resources after you enforce organization restrictions, add the following Google-owned Cloud de Confiance organization ID to the list of authorized organizations in the organization restrictions header:

   organizations/433637338589
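
The following added example (not code from this documentation) models the multi-resource rule together with the Google-owned organization ID: a request that touches both your own organization and a Google-owned public resource is allowed only when both organizations are in the header. It assumes the header value is web-safe base64 of a JSON object with `resources` and `options` fields, as in Google Cloud's `X-Goog-Allowed-Resources` header; `OWN_ORG` is a constructed placeholder and the function names are hypothetical.

```python
import base64
import json

# Organization ID given on this page for the Google-owned organization.
GOOGLE_OWNED_ORG = "organizations/433637338589"
# Constructed placeholder for your own organization ID.
OWN_ORG = "organizations/111111111111"


def header_value(orgs):
    """Encode the list of authorized organizations.

    Assumption: the value is web-safe base64 of
    {"resources": [...], "options": "strict"}.
    """
    body = json.dumps({"resources": list(orgs), "options": "strict"},
                      separators=(",", ":"))
    return base64.urlsafe_b64encode(body.encode("utf-8")).decode("ascii")


def authorized_orgs(value):
    """Decode a header value back into the set of authorized organizations."""
    return set(json.loads(base64.urlsafe_b64decode(value))["resources"])


def request_allowed(value, resource_orgs):
    """Multi-resource rule: every resource in the request must belong to an
    authorized organization, otherwise the whole request is denied."""
    allowed = authorized_orgs(value)
    return all(org in allowed for org in resource_orgs)


def explain(value, resource_orgs):
    """Return the organizations that cause a denial, for troubleshooting."""
    return sorted(set(resource_orgs) - authorized_orgs(value))


if __name__ == "__main__":
    own_only = header_value([OWN_ORG])
    with_google = header_value([OWN_ORG, GOOGLE_OWNED_ORG])
    # Constructed request: create a VM in your project from a public OS image,
    # so it involves resources in two organizations.
    vm_from_public_image = [OWN_ORG, GOOGLE_OWNED_ORG]
    for name, hdr in (("own org only", own_only), ("with Google-owned org", with_google)):
        verdict = "allowed" if request_allowed(hdr, vm_from_public_image) else "denied"
        print(f"{name}: {verdict}, unauthorized={explain(hdr, vm_from_public_image)}")
```
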
