Examples of organization restrictions
This page describes several common examples of how to use organization restrictions.
Restrict access only to your organization
In this example, the Trusted Cloud by S3NS administrator and egress proxy administrator of
Organization A engage together to restrict employees to only access resources in their
Trusted Cloud by S3NS organization.
To restrict access only to your organization, do the following:
As a Trusted Cloud by S3NS administrator, to get the Trusted Cloud by S3NS organization ID of
Organization A, use the gcloud organizations list command:
gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization A
ID: 123456789
DIRECTORY_CUSTOMER_ID: a1b2c3d4
As an egress proxy administrator, after you get the organization ID from the Trusted Cloud by S3NS
administrator, compose the JSON representation for the header value in the following format:
{
"resources": ["organizations/123456789"],
"options": "strict"
}
As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
$ cat authorized_orgs.json | basenc --base64url -w0
ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted in all of the requests originating from the managed devices
in Organization A:
X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
Restrict access to your organization and allow read requests to Cloud Storage resources
In this example, the Trusted Cloud by S3NS administrator and egress proxy administrator of
Organization A engage together to restrict employees to only access resources in their
Trusted Cloud by S3NS organization, except for read requests to Cloud Storage resources.
Administrators might want to omit read requests to Cloud Storage resources from
organization restrictions enforcement to ensure that their employees can access
external websites that use Cloud Storage to host static content. The administrator
uses the cloudStorageReadAllowed option to allow read requests to Cloud Storage resources.
To restrict access only to your organization and allow read requests to Cloud Storage
resources, do the following:
As a Trusted Cloud by S3NS administrator, to get the Trusted Cloud by S3NS organization ID of
Organization A, use the gcloud organizations list command:
gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization A
ID: 123456789
DIRECTORY_CUSTOMER_ID: a1b2c3d4
As an egress proxy administrator, after you get the organization ID from the Trusted Cloud by S3NS
administrator, compose the JSON representation for the header value in the following format:
{
"resources": ["organizations/123456789"],
"options": "cloudStorageReadAllowed"
}
As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
$ cat authorized_orgs.json | basenc --base64url -w0
ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=l
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted in all of the requests originating from the managed devices
in Organization A:
X-Goog-Allowed-Resources: ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=l
The employees of Organization A now have access to their Trusted Cloud by S3NS organization
and read access to Cloud Storage resources.
Allow employees access to a vendor Trusted Cloud by S3NS organization
In this example, the Trusted Cloud by S3NS administrator and egress proxy administrator of
Organization B engage together to allow employees to access a vendor Trusted Cloud by S3NS organization
in addition to their existing Trusted Cloud by S3NS organization.
To restrict employee access only to your organization and the vendor organization, do the following:
As a Trusted Cloud by S3NS administrator, engage with the vendor to get the Trusted Cloud by S3NS
organization ID of the vendor organization.
As an egress proxy administrator, to include the vendor organization ID in addition
to the existing organization ID, you must update the JSON representation for
the header value. After you get the vendor organization ID from the Trusted Cloud by S3NS
administrator, update the header value in the following format:
{
"resources": ["organizations/1234", "organizations/3456"],
"options": "strict"
}
As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
$ cat authorized_orgs.json | basenc --base64url -w0
ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted in all of the requests originating from the managed devices
in Organization B:
X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
The employees of Organization B now have access to both the vendor and their Trusted Cloud by S3NS organizations.
Restrict access only for uploads
In this example, the Trusted Cloud by S3NS administrator and egress proxy administrator of
Organization C engage together to restrict upload access of employees only to resources in the
Trusted Cloud by S3NS organization.
To restrict upload access only to your organization, do the following:
As a Trusted Cloud by S3NS administrator, to get the Trusted Cloud by S3NS organization ID of
Organization C, use the gcloud organizations list command:
gcloud organizations list
The following is the example output:
DISPLAY_NAME: Organization C
ID: 123456789
DIRECTORY_CUSTOMER_ID: a1b2c3d4
As an egress proxy administrator, after you get the organization ID from the Trusted Cloud by S3NS
administrator, compose the JSON representation for the header value in the following format:
{
"resources": ["organizations/123456789"],
"options": "strict"
}
As an egress proxy administrator, encode the value for the request header by following the RFC 4648 Section 5 specifications.
For example, if the JSON representation for the header value is stored in the
authorized_orgs.json file, to encode the file, run the following
basenc command:
$ cat authorized_orgs.json | basenc --base64url -w0
ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
As an egress proxy administrator, configure the egress proxy such that the following
request header is inserted only for requests with PUT, POST, and PATCH methods
originating from the managed devices in Organization C:
X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-28 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Examples of organization restrictions\n\nThis page describes several common examples of how to use organization restrictions.\n\nRestrict access only to your organization\n-----------------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization A engage together to restrict employees to only access resources in their\nGoogle Cloud organization.\n\nTo restrict access only to your organization, do the following:\n\n1. As a Google Cloud administrator, to get the Google Cloud organization ID of\n Organization A, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):\n\n gcloud organizations list\n\n The following is the example output: \n\n ```\n DISPLAY_NAME: Organization A\n ID: 123456789\n DIRECTORY_CUSTOMER_ID: a1b2c3d4\n ```\n2. As an egress proxy administrator, after you get the organization ID from the Google Cloud\n administrator, compose the JSON representation for the header value in the following format:\n\n {\n \"resources\": [\"organizations/123456789\"],\n \"options\": \"strict\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted in all of the requests originating from the managed devices\n in Organization A:\n\n X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\nRestrict access to your organization and allow read requests to Cloud Storage resources\n---------------------------------------------------------------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization A engage together to restrict employees to only access resources in their\nGoogle Cloud organization, except for read requests to Cloud Storage resources.\nAdministrators might want to omit read requests to Cloud Storage resources from\norganization restrictions enforcement to ensure that their employees can access\nexternal websites that use Cloud Storage to host static content. The administrator\nuses the `cloudStorageReadAllowed` option to allow read requests to Cloud Storage resources.\n\nTo restrict access only to your organization and allow read requests to Cloud Storage\nresources, do the following:\n\n1. As a Google Cloud administrator, to get the Google Cloud organization ID of\n Organization A, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):\n\n gcloud organizations list\n\n The following is the example output: \n\n ```\n DISPLAY_NAME: Organization A\n ID: 123456789\n DIRECTORY_CUSTOMER_ID: a1b2c3d4\n ```\n2. As an egress proxy administrator, after you get the organization ID from the Google Cloud\n administrator, compose the JSON representation for the header value in the following format:\n\n {\n \"resources\": [\"organizations/123456789\"],\n \"options\": \"cloudStorageReadAllowed\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=l\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted in all of the requests originating from the managed devices\n in Organization A:\n\n X-Goog-Allowed-Resources: ewogICJyZXNvdXJjZXMiOiBbIm9yZ2FuaXphdGlvbnMvMTIzNDU2Nzg5Il0sCiAgIm9wdGlvbnMiOiAiY2xvdWRTdG9yYWdlUmVhZEFsbG93ZCIKfQo=l\n\n The employees of Organization A now have access to their Google Cloud organization\n and read access to Cloud Storage resources.\n\nAllow employees access to a vendor Google Cloud organization\n------------------------------------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization B engage together to allow employees to access a vendor Google Cloud organization\nin addition to their existing Google Cloud organization.\n\nTo restrict employee access only to your organization and the vendor organization, do the following:\n\n1. As a Google Cloud administrator, engage with the vendor to get the Google Cloud\n organization ID of the vendor organization.\n\n2. As an egress proxy administrator, to include the vendor organization ID in addition\n to the existing organization ID, you must update the JSON representation for\n the header value. After you get the vendor organization ID from the Google Cloud\n administrator, update the header value in the following format:\n\n {\n \"resources\": [\"organizations/1234\", \"organizations/3456\"],\n \"options\": \"strict\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted in all of the requests originating from the managed devices\n in Organization B:\n\n X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K\n\n The employees of Organization B now have access to both the vendor and their Google Cloud organizations.\n\nRestrict access only for uploads\n--------------------------------\n\nIn this example, the Google Cloud administrator and egress proxy administrator of\nOrganization C engage together to restrict upload access of employees only to resources in the\nGoogle Cloud organization.\n\nTo restrict upload access only to your organization, do the following:\n\n1. As a Google Cloud administrator, to get the Google Cloud organization ID of\n Organization C, use the [`gcloud organizations list` command](/sdk/gcloud/reference/organizations/list):\n\n gcloud organizations list\n\n The following is the example output: \n\n ```\n DISPLAY_NAME: Organization C\n ID: 123456789\n DIRECTORY_CUSTOMER_ID: a1b2c3d4\n ```\n2. As an egress proxy administrator, after you get the organization ID from the Google Cloud\n administrator, compose the JSON representation for the header value in the following format:\n\n {\n \"resources\": [\"organizations/123456789\"],\n \"options\": \"strict\"\n }\n\n3. As an egress proxy administrator, encode the value for the request header by following the [RFC 4648 Section 5 specifications](https://datatracker.ietf.org/doc/html/rfc4648#section-5).\n\n For example, if the JSON representation for the header value is stored in the\n `authorized_orgs.json` file, to encode the file, run the following\n [basenc](https://man7.org/linux/man-pages/man1/basenc.1.html) command: \n\n $ cat authorized_orgs.json | basenc --base64url -w0\n ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\n4. As an egress proxy administrator, configure the egress proxy such that the following\n request header is inserted only for requests with PUT, POST, and PATCH methods\n originating from the managed devices in Organization C:\n\n X-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo\n\nWhat's next\n-----------\n\n- Learn about the [services supported by organization restrictions](/resource-manager/docs/organization-restrictions/supported-services)."]]
