What is it that is hierarchical - IAM or resources?

People talk about hierarchical IAM in GCP. In reality, it is the resource hierarchy that is hierarchical. IAM just follows the resources: a policy set on a resource is inherited by the resources below it.
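
The inheritance described above, as an added example that is not part of the original page: a small Python model of an organization, folders and projects, where the effective access on a project is the union of the bindings set on it and on every ancestor. Resource names, groups and bindings are constructed sample data, and only allow policies are modeled.

```python
# Toy model of GCP's resource hierarchy (constructed data, not a real API).
# Each resource has exactly one parent; IAM allow policies attach to resources.
PARENT = {
    "organizations/example.com": None,
    "folders/prod": "organizations/example.com",
    "folders/sandbox": "organizations/example.com",
    "projects/billing-app": "folders/prod",
    "projects/scratch": "folders/sandbox",
}

# Bindings set directly on each resource: role -> set of members.
POLICY = {
    "organizations/example.com": {
        "roles/resourcemanager.organizationAdmin": {"group:gcp-admins@example.com"},
    },
    "folders/prod": {"roles/viewer": {"group:auditors@example.com"}},
    "projects/billing-app": {"roles/editor": {"user:dev@example.com"}},
}


def ancestry(resource):
    """Return the resource followed by its ancestors up to the organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_policy(resource):
    """Union of bindings on the resource and every ancestor (allow policies add up)."""
    merged = {}
    for node in ancestry(resource):
        for role, members in POLICY.get(node, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged


def grant_sources(resource, member):
    """List (role, resource where the binding is set) for each grant reaching member."""
    return sorted(
        (role, node)
        for node in ancestry(resource)
        for role, members in POLICY.get(node, {}).items()
        if member in members
    )


if __name__ == "__main__":
    for role, members in sorted(effective_policy("projects/billing-app").items()):
        print(role, sorted(members))
```

Reviewing only the policy set directly on `projects/billing-app` would show the editor binding alone; the viewer and organization admin grants come from the folder and the organization above it.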

Can I use a personal email for Org-level access?

  • No. Organization-level access is given only to corporate email accounts.

How does the Org Admin differ from the Org Owner?

  • The Org admin has the ability to edit all IAM permissions. The Organization Owner is the original G Suite / Cloud IAM super admin.
  • There can be only ONE org owner, whereas multiple org admins can be defined.
  • Best practice would be to create a group of admin users in GCP. The role assigned to this group is Organizational Admin.

Where does the domain name for the Org come from?

  • This is generated from the primary domain name in G Suite or Cloud Identity.

Can you change the GCP Organization Owner?

  • No. The owner is defined when creating the Organization resource and it cannot be changed once it is set.