
Google Cloud Resource Manager API - will a Google Workspace/G Suite user's own organization ALWAYS be listed in organizations.list?

I'm trying to use the Cloud Resource Manager v1beta1 API's organizations.list method to retrieve a user's organizations, with the ultimate goal of finding the directoryCustomerId of a Google Workspace/G Suite's user's own native tenant. It is one of the few Google APIs available to retrieve this information.

Because this API returns a list of organizations, I assume they represent the list of Google Cloud Platform organizations that the user has access to, including those tenants that the user does not natively belong to.

My question is, is it guaranteed that for ANY Google Workspace/G Suite user, this list will at least include (and most likely only include) the user's own Google Workspace/G Suite organization, even if this organization does not use any Google Cloud products besides Google Workspace/G Suite (and therefore the user has no special access to any such product)?

Yes, it is guaranteed to work on any account and I have tested it on 3 different accounts:

  • Regular gmail (non G-suite and no GCP resource)
  • G-suite account (w/o GCP Resource)
  • G-suite (with GCP resource)

Just an overview, G-suite is a collection of Google products for end-users that includes GMail, Google Drive, Google Docs, Hangouts, and more. On the other hand, Google Cloud Platform is a collection of services that Google makes available to developers or super users in order for them to create and run their own apps. Thus, both have the same structure in terms of Organization and Cloud APIs. Please see the official documentation for more information.

organizations.search requires the resourcemanager.organizations.get permission.

By default, all users of the domain are granted the Billing Account Creator and Project Creator roles on the organization. Both roles include the resourcemanager.organizations.get permission. So by default, users can see their own organization.

However, it's common practice to remove these two default IAM bindings. Then users can't see their own organization unless you explicitly grant them the Organization Viewer role or another role that includes said permission.
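Putting the two answers together, here is an added example (not code from either poster) that reads the caller's own organization from a Cloud Resource Manager v1 `organizations.search` response and pulls out `owner.directoryCustomerId`, the value the question is after. It assumes `google-api-python-client` for the live call and that an organization on which the caller lacks `resourcemanager.organizations.get` is simply omitted from the result rather than producing an error, so an empty list is ambiguous and is treated as such; the sample response is constructed.

```python
from typing import Dict, List, Optional

# Constructed sample: two pages as organizations.search would return them.
SAMPLE_PAGES = [
    {"organizations": [{"name": "organizations/111111111111",
                        "displayName": "example.com",
                        "owner": {"directoryCustomerId": "C0placeholder"},
                        "lifecycleState": "ACTIVE"}],
     "nextPageToken": "constructed-token"},
    {"organizations": []},
]

def extract_organizations(pages: List[Dict]) -> List[Dict[str, str]]:
    """Flatten paged responses to name + owner.directoryCustomerId."""
    found = []
    for page in pages:
        for org in page.get("organizations", []):
            found.append({
                "name": org.get("name", ""),
                "displayName": org.get("displayName", ""),
                "directoryCustomerId": org.get("owner", {}).get("directoryCustomerId", ""),
            })
    return found

def own_directory_customer_id(pages: List[Dict]) -> Optional[str]:
    """directoryCustomerId when exactly one organization is visible.
    None covers two cases the API does not distinguish (assumed here): a
    consumer Gmail account with no Workspace organization, or a Workspace
    user whose default Project Creator / Billing Account Creator bindings
    were removed and who therefore lacks resourcemanager.organizations.get
    (the org is omitted from the list rather than reported as an error).
    More than one visible org means the user also reaches tenants they do
    not natively belong to; the caller must then select by displayName."""
    orgs = extract_organizations(pages)
    if len(orgs) != 1:
        return None
    return orgs[0]["directoryCustomerId"] or None

def search_organizations_live() -> List[Dict]:
    """Live organizations.search with Application Default Credentials,
    following nextPageToken. Needs network, credentials and
    google-api-python-client; imported lazily so the rest runs offline."""
    from googleapiclient.discovery import build
    crm = build("cloudresourcemanager", "v1")
    pages, token = [], None
    while True:
        page = crm.organizations().search(body={"pageToken": token} if token else {}).execute()
        pages.append(page)
        token = page.get("nextPageToken")
        if not token:
            return pages
```

Run `own_directory_customer_id(search_organizations_live())` with credentials present; a `None` result is the signal to check the organization's IAM bindings before assuming the account is a consumer one.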
