Modifying Domain Restricted Policy

i am the org policy administrator for my google cloud platform. i am trying to create a rule that in the Domain Restricted Policy that will allow me to add a principle (with a gmail) that is not part of the organization. When i go into my DRP, I create a new rule to “Allow All”, but i am being asked to provide conditions. The screenshot is where i am stuck. I don’t know which options to choose and how to correctly use them ( i.e. expressions,tags,etc.

) to apply a satisfactory condtion that will be accepted. please advise.

Hi @Kristen-DLS ,

Welcome to Google Cloud Community!

Here’s how to configure the condition in the Organization Policies console, using the “Expression” condition type:

The best way to add an expression, is to use the Condition Editor
Steps

• Open the “Condition Editor” tab.

• To add a condition to a role binding, you define the condition field:

  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER_1",
        "MEMBER_2"
      ],
      "condition": {
        "title": "TITLE",
        "description": "DESCRIPTION",
        "expression": "EXPRESSION"
      }
    }
  ]
  

• Click “Save”: Save the condition

• After setting up the conditions, click "Set Policy" to apply the changes.
  For your reference you may check this IAM Conditions to understand access control for Google Cloud resources.

Note: You cannot use conditions when you grant legacy basic roles, including Owner (roles/owner), Editor (roles/editor), and Viewer (roles/viewer). Also, you cannot use conditions when you grant roles to all users (allUsers) or all authenticated users (allAuthenticatedUsers).

If you have any questions and need further assistance with specific configurations, please reach out to our Google Cloud Support team.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.