Are IAM policies transferred when migrating a project from "No organization" to an organization?

Question

I can't seem to find an answer to this question. I reviewed the special considerations for migrating "No organization" projects but they don't touch on this.

The migration guide says for any migration:

Any policy that is applied directly to the project will still be attached after the migration is complete. Applying policies directly to the project is a good way to verify that the correct policies are applied from the moment the move is complete.

Are the IAM policies of "No organization" projects implicitly "applied directly to the project"?

Answer 1

As @john hanley suggested, due to inheritance, the new organization might affect existing IAM policies.

Google Cloud offers IAM , which lets you assign granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies on the resources.

You can set an IAM policy at the organization level , the folder level , the project level , or (in some cases) the resource level. Resources inherit the policies of the parent resource. If you set a policy at the organization level, it is inherited by all its child folders and project resources, and if you set a policy at the project level, it is inherited by all its child resources.

The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors. This inheritance is transitive. In other words, resources inherit policies from the project, which inherit policies from the organization resource. Therefore, the organization-level policies also apply at the resource level.

Refer to this document for more information.