Your company is migrating 12 projects into a new Google Cloud Organization. Each of four departments must have separate development and production environments. A central security team needs to enforce constraints such as disabling external IPs across all production workloads without touching development. Department administrators must not see or modify other departments' resources. Which resource hierarchy design meets these goals with the least repeated policy configuration?
Create one project per department for production and another for development, all under a single department folder. Apply required constraints at the individual project level.
Create a folder for each department directly under the Organization. Rely on project labels to distinguish production and development and use IAM Conditions to control access within each folder.
Keep every project directly under the Organization and tag each with the label env=prod or env=dev. Use IAM Conditions and Organization Policy constraints that reference labels to segregate access and enforce settings.
Create two top-level folders named "production" and "development" under the Organization. Inside each environment folder, add a child folder for every department and place that department's projects there. Apply production-only constraints and IAM roles on the production folder; apply department IAM roles on each department folder.
Inheriting policies down the resource hierarchy is the simplest way to apply broad controls. By placing a "production" folder and a "development" folder directly under the Organization node, the security team can attach production-only Organization Policy constraints (for example, disabling external IP addresses) just once on the production folder. The sibling development folder remains unaffected. Creating department sub-folders underneath each environment folder lets central IT grant each department's administrators roles on only their own folder, preventing cross-department visibility. The label-based and project-level alternatives do not provide an enforced boundary for policy inheritance. With them, the same constraint would have to be configured individually on every project, or it would rely on labels that Organization Policy does not evaluate for scope. Either way the result is duplication and a higher risk of drift.
GCP Associate Cloud Engineer
Setting up a cloud solution environment