Examples of organization restrictions

This page describes several common examples of how to use organization restrictions.

Restrict access only to your organization

In this example, the Trusted Cloud by S3NS administrator and the egress proxy administrator of Organization A work together to restrict employees to accessing only resources in their Trusted Cloud by S3NS organization.

To restrict access only to your organization, do the following:

  1. As a Trusted Cloud by S3NS administrator, to get the Trusted Cloud by S3NS organization ID of Organization A, use the gcloud organizations list command:

        gcloud organizations list
    
    

    The following is the example output:

        DISPLAY_NAME: Organization A
        ID: 123456789
        DIRECTORY_CUSTOMER_ID: a1b2c3d4
    
  2. As an egress proxy administrator, after you get the organization ID from the Trusted Cloud by S3NS administrator, compose the JSON representation for the header value in the following format:

     {
       "resources": ["organizations/123456789"],
       "options": "strict"
     }

  3. As an egress proxy administrator, encode the value for the request header using the base64url encoding defined in RFC 4648 Section 5.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, to encode the file, run the following basenc command:

     $ cat authorized_orgs.json | basenc --base64url -w0
     ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo

  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted in all of the requests originating from the managed devices in Organization A:

     X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
    

Restrict access to your organization and allow read requests to Cloud Storage resources

In this example, the Trusted Cloud by S3NS administrator and the egress proxy administrator of Organization A work together to restrict employees to accessing only resources in their Trusted Cloud by S3NS organization, except for read requests to Cloud Storage resources. Administrators might want to exempt read requests to Cloud Storage resources from organization restrictions enforcement so that their employees can still reach external websites that use Cloud Storage to host static content. The administrator uses the cloudStorageReadAllowed option to allow read requests to Cloud Storage resources.

To restrict access only to your organization and allow read requests to Cloud Storage resources, do the following:

  1. As a Trusted Cloud by S3NS administrator, to get the Trusted Cloud by S3NS organization ID of Organization A, use the gcloud organizations list command:

        gcloud organizations list
    

    The following is the example output:

        DISPLAY_NAME: Organization A
        ID: 123456789
        DIRECTORY_CUSTOMER_ID: a1b2c3d4
    
  2. As an egress proxy administrator, after you get the organization ID from the Trusted Cloud by S3NS administrator, compose the JSON representation for the header value in the following format:

     {
       "resources": ["organizations/123456789"],
       "options": "cloudStorageReadAllowed"
     }

  3. As an egress proxy administrator, encode the value for the request header using the base64url encoding defined in RFC 4648 Section 5.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, to encode the file, run the following basenc command:

     $ cat authorized_orgs.json | basenc --base64url -w0
     ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=

  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted in all of the requests originating from the managed devices in Organization A:

     X-Goog-Allowed-Resources: ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=


    The employees of Organization A now have access to their Trusted Cloud by S3NS organization and read access to Cloud Storage resources.

Allow employees access to a vendor Trusted Cloud by S3NS organization

In this example, the Trusted Cloud by S3NS administrator and the egress proxy administrator of Organization B work together to allow employees to access a vendor Trusted Cloud by S3NS organization in addition to their own Trusted Cloud by S3NS organization.

To restrict employee access only to your organization and the vendor organization, do the following:

  1. As a Trusted Cloud by S3NS administrator, engage with the vendor to get the Trusted Cloud by S3NS organization ID of the vendor organization.

  2. As an egress proxy administrator, update the JSON representation for the header value so that it lists the vendor organization ID in addition to the existing organization ID. After you get the vendor organization ID from the Trusted Cloud by S3NS administrator, update the header value in the following format:

     {
       "resources": ["organizations/1234", "organizations/3456"],
       "options": "strict"
     }

  3. As an egress proxy administrator, encode the value for the request header using the base64url encoding defined in RFC 4648 Section 5.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, to encode the file, run the following basenc command:

     $ cat authorized_orgs.json | basenc --base64url -w0
     ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K

  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted in all of the requests originating from the managed devices in Organization B:

     X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
    

    The employees of Organization B now have access to both the vendor and their Trusted Cloud by S3NS organizations.

Restrict access only for uploads

In this example, the Trusted Cloud by S3NS administrator and the egress proxy administrator of Organization C work together to restrict employees' upload access to only resources in their Trusted Cloud by S3NS organization.

To restrict upload access only to your organization, do the following:

  1. As a Trusted Cloud by S3NS administrator, to get the Trusted Cloud by S3NS organization ID of Organization C, use the gcloud organizations list command:

        gcloud organizations list
    

    The following is the example output:

        DISPLAY_NAME: Organization C
        ID: 123456789
        DIRECTORY_CUSTOMER_ID: a1b2c3d4
    
  2. As an egress proxy administrator, after you get the organization ID from the Trusted Cloud by S3NS administrator, compose the JSON representation for the header value in the following format:

     {
       "resources": ["organizations/123456789"],
       "options": "strict"
     }

  3. As an egress proxy administrator, encode the value for the request header using the base64url encoding defined in RFC 4648 Section 5.

    For example, if the JSON representation for the header value is stored in the authorized_orgs.json file, to encode the file, run the following basenc command:

     $ cat authorized_orgs.json | basenc --base64url -w0
     ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo

  4. As an egress proxy administrator, configure the egress proxy such that the following request header is inserted only for requests with PUT, POST, and PATCH methods originating from the managed devices in Organization C:

     X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
    
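The compose, encode and verify steps shared by the four procedures above, as an added Python example that is not part of the original page: it builds the header value for a list of organization IDs, decodes a configured value back to JSON, and reports any difference between what the value grants and the intended organizations and option, so a proxy configuration can be checked before rollout. The header name, the two option names and the PUT/POST/PATCH method set come from this page; the function names are this example's own, and EXAMPLE_VALUE is the encoded value from the first example.

```python
import base64
import json

# Option values this page uses in the X-Goog-Allowed-Resources header.
KNOWN_OPTIONS = {"strict", "cloudStorageReadAllowed"}
UPLOAD_METHODS = {"PUT", "POST", "PATCH"}  # the upload-only example inserts the header for these
# Encoded value from the first example on this page (organization 123456789, option strict).
EXAMPLE_VALUE = "ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo"


def build_header_value(org_ids, option="strict"):
    """Compose the JSON header value and encode it as base64url (RFC 4648 section 5)."""
    if option not in KNOWN_OPTIONS:
        raise ValueError(f"unknown option {option!r}")
    if not org_ids:
        raise ValueError("at least one organization ID is required")
    payload = {"resources": [f"organizations/{o}" for o in org_ids], "options": option}
    return base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def decode_header_value(value):
    """Decode a header value back to JSON; '=' padding is restored, so unpadded values also work."""
    value = value.strip()
    return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))


def check_header_value(value, expected_org_ids, expected_option):
    """List the ways a configured value differs from the intended policy (empty list = match)."""
    try:
        decoded = decode_header_value(value)
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return [f"not valid base64url-encoded JSON: {exc}"]
    if not isinstance(decoded, dict):
        return ["decoded value is not a JSON object"]
    problems = []
    option = decoded.get("options")
    if option not in KNOWN_OPTIONS:
        problems.append(f"unknown option {option!r}")
    elif option != expected_option:
        problems.append(f"option is {option!r}, expected {expected_option!r}")
    resources = set(decoded.get("resources", []))
    expected = {f"organizations/{o}" for o in expected_org_ids}
    problems += [f"unexpected resource {r!r}" for r in sorted(resources - expected)]
    problems += [f"missing resource {r!r}" for r in sorted(expected - resources)]
    return problems


def header_for_request(method, value, upload_only=False):
    """Return the (name, value) header to inject, or None when the upload-only policy skips it."""
    if upload_only and method.upper() not in UPLOAD_METHODS:
        return None
    return ("X-Goog-Allowed-Resources", value)
```

Run check_header_value against the value actually configured on the proxy; an extra organization in the decoded list, or a misspelled option name, shows up as a reported problem rather than as a silent change in what employees can reach.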
