I researched and noted that the Organization Policy Administrator role has those permissions, yet, when I want to assign that role to myself, it doesn't appear on the list:
What am I doing wrong? I find this quite frustrating, given that I don't have the permissions even though I am the owner of the organization.
Quoting here a response from @lawrencenelson regarding a question similar to yours:
> Basically, there are different hierarchical levels when setting IAM policies in Google Cloud. You can set an IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level. Resources inherit the policies of the parent resource. If you set a policy at the organization level, it is inherited by all its child folder and project resources, and if you set a policy at the project level, it is inherited by all its child resources [1]. You can view the diagram below [2].
>
> In your case, your organization needs the orgpolicy.policies.create, orgpolicy.policies.delete, orgpolicy.policies.update, and orgpolicy.policy.get permissions, which are available with the Organization Policy Administrator role.
I am including the documentation as well for your reference.
@dionv The question is that "orgpolicy.policyAdmin" is not visible to add from the console, so the answer is not clear. Please let us know how this can be enabled via the GCP console portal.
This was harder than necessary to understand, but I simply had to select my main organization from the project selector and then set the permissions; this way the permissions are inherited by the other projects. Also, you can use the gcloud command that @DamianS shows in the console (this was my first time using GCP, so I didn't know how to use the gcloud console).
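The inheritance rule the quoted reply describes (a binding at the organization flows down to every folder and project, but a binding on a project never flows up) is easy to get wrong, so here is an added example that models it. This is illustration code written for this thread, not Google's IAM implementation or anything posted above: the org/folder/project hierarchy, the principal `user:developer@example.com`, and the resource IDs are constructed, and the role-to-permission table is a small hand-written subset (an assumption; the real roles carry far more permissions). It shows why a project Owner is refused `resourcemanager.organizations.getIamPolicy` on the organization, and that granting `roles/orgpolicy.policyAdmin` at the organization is what makes the org-policy permissions appear on the projects below it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hand-written subset of role -> permissions (assumption; real roles carry far more).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/owner": frozenset({
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.setIamPolicy",
    }),
    "roles/resourcemanager.organizationAdmin": frozenset({
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
    }),
    "roles/orgpolicy.policyAdmin": frozenset({
        "orgpolicy.policies.create",
        "orgpolicy.policies.delete",
        "orgpolicy.policies.update",
        "orgpolicy.policy.get",
    }),
}


@dataclass
class Resource:
    """One node of the hierarchy carrying its own IAM policy (role -> members)."""
    name: str
    parent: Optional["Resource"] = None
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)


def ancestors(resource: Resource) -> list[Resource]:
    """The resource itself, then its parent chain up to the organization."""
    chain: list[Resource] = []
    node: Optional[Resource] = resource
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain


def effective_roles(resource: Resource, member: str) -> set[str]:
    """Policies are inherited downward: a binding on any ancestor applies here."""
    return {
        role
        for node in ancestors(resource)
        for role, members in node.bindings.items()
        if member in members
    }


def effective_permissions(resource: Resource, member: str) -> set[str]:
    perms: set[str] = set()
    for role in effective_roles(resource, member):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def can(resource: Resource, member: str, permission: str) -> bool:
    return permission in effective_permissions(resource, member)


DEV = "user:developer@example.com"  # constructed principal for the walkthrough


def build_hierarchy() -> tuple[Resource, Resource, Resource]:
    """Constructed org -> folder -> project, with DEV as Owner of the project only."""
    org = Resource("organizations/123456789012")
    folder = Resource("folders/987654321098", parent=org)
    project = Resource("projects/demo-project", parent=folder)
    project.grant("roles/owner", DEV)
    return org, folder, project


def walkthrough() -> dict[str, bool]:
    org, _folder, project = build_hierarchy()
    results: dict[str, bool] = {}
    # Project Owner confers nothing on the organization above the project; this
    # is the situation behind a "does not have permission ... getIamPolicy" refusal.
    results["owner_can_read_org_policy"] = can(
        org, DEV, "resourcemanager.organizations.getIamPolicy")
    # A binding made on the project does not flow upward either.
    project.grant("roles/orgpolicy.policyAdmin", DEV)
    results["project_grant_reaches_org"] = can(org, DEV, "orgpolicy.policy.get")
    # A binding at the organization is inherited by every folder and project below it.
    org.grant("roles/orgpolicy.policyAdmin", DEV)
    results["org_grant_reaches_project"] = can(project, DEV, "orgpolicy.policies.update")
    results["org_grant_reaches_org"] = can(org, DEV, "orgpolicy.policy.get")
    return results


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check}: {outcome}")
```

The practical check this models: before running `gcloud organizations add-iam-policy-binding`, confirm the caller already holds a binding on the organization resource itself (for example via `gcloud organizations get-iam-policy ORG_ID`), because being Owner of every project underneath it still yields an empty set of roles at the organization node.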
C:\Users\ProoBook\AppData\Local\Google\Cloud SDK>gcloud organizations add-iam-policy-binding * --member='user:developer@neonrain.studio' --role='roles/orgpolicy.policyAdmin'
ERROR: (gcloud.organizations.add-iam-policy-binding) User [developer@neonrain.studio] does not have permission to access organizations instance [:getIamPolicy] (or it may not exist): The caller does not have permission
even though I am using my owner account and I am the sole owner of this organization.
If you’re unable to assign the Organization Policy Administrator role to yourself, it could be due to insufficient permissions or account restrictions. To assign this role, you must be an existing administrator with the required privileges, such as a Global Administrator or Privileged Role Administrator in your organization. Ensure that your account is not restricted by an active policy or custom roles limiting access. If you don’t have the required permissions, contact your organization’s Global Administrator for assistance. Review the platform’s documentation for specific guidelines on assigning roles and troubleshooting common issues related to permissions.
I rarely leave comments on forums but I want to express sincere gratitude for your assistance!
It’s a shame that GCP policies are so complicated and people have to lurk for answers. It’s crazy to see that the user who created an organization is not its admin by default! Who else is supposed to be an admin then?