I am having issues with my access, even though I am the owner of the account. I can’t grant myself owner access at the organisation level even though it’s my account and I am Super admin in workspace.
- I am the Super Admin for your Workspace domain.
- There is no Owner assigned in my Google Cloud organization.
- I need to be assigned as the Owner at the organization level.

Any assistance on assigning myself as the owner would be appreciated. I also can’t sign up for tech support as I need to be the owner to do that too.
2 Likes
Hello @Cathy_Riddell, welcome to the forums.
Would you be able to paste the error you are getting when assigning the Owner role?
Additionally, did you first assign the Organization Administrator role at the Org level, before assigning the Owner predefined role?
cheers,
Damian Sztankowski | GDE in Cloud
Hi, thanks for your quick response. I have gone into my organisation. Once in the organisation, it doesn’t allow me to assign an owner. It also doesn’t show any owner. Is there another way which I can assign this at the org level? See images for my previous attempts. Thanks again
Tbh, with the Org Admin role you should be able to assign any kind of role via IAM. What happens when you hit the “Grant access” button?
I can assign roles but I can’t assign owner roles. It’s like the organisation was set up without an owner and now there is no way to access. AI says below - not sure how accurate this is though:
This is a known Google Cloud issue. Sometimes, organizations are created without an explicit Owner, and only Google can resolve it.
- As Super Admin of Google Workspace, you have authority over the domain, but not always over the Cloud org if the linkage didn’t happen perfectly.
Well, are we able to have a quick meeting so you can show me how you are trying to assign the Owner role? Because, as I’ve said, once you have the Organization Admin role, you should be able to search for the Owner role and assign it. By default such a role is not assigned at all, for security reasons.
BTW I have the same permissions as you. Also, I’m Super Admin (Workspace Admin) as well.
I think the issue is that I don’t have the organisation admin role but without this role, how can I assign
But in your screenshot I can see the Org Admin role already assigned.
So if I am the organisation administrator, shouldn’t I be able to change permissions for the organisation? When I try, it says I need further permissions.
This is what I get when I try:
The following permissions are required to edit organisation policies: orgpolicy.policy.get, orgpolicy.policies.create, orgpolicy.policies.delete and orgpolicy.policies.update.
The ‘Organisation Policy Administrator’ (roles/orgpolicy.policyAdmin) role is an example of a role that contains these permissions.
Okay, so now you are mixing two things. See:
- If you are Super Admin (Workspace super account), you are able to grant permissions (roles) on Google Cloud IAM. However, none of these roles will be assigned automatically, for security reasons. So, if you want to assign roles like Owner, Org Admin, Security Admin and such, you have to do it explicitly.
- Google Cloud IAM follows the SOD approach (Separation of Duties). Because of that, even though you have the Org Admin role, you will not be able to act as super admin and change organization policies (like on your screen), unless you explicitly assign particular roles like Org Policy Admin.

So to summarize it:
Super Admin (Workspace Account) is only the starting point. As Google Cloud is quite a separate product, you have to manage permissions separately. This is why predefined roles have been made. So if you want to manage IAM permissions, you have to have roles like Organization Admin or Security Admin assigned to your user. If you have to manage Organization Policies and turn on Service Account Key Creation, which I don’t recommend, you have to assign the Organization Policy Admin predefined role.
Also, IAM permissions are a totally different thing from Organization Policies.
IAM permissions define what you can do with resources like a virtual machine, database and such. Organization Policies are tied to the Organization, and should be treated as company rules which have to be followed or not (depending on settings).
OK thank you, that makes sense. So how do I give myself access to be able to amend these policies?
Simply go to IAM → Grant access → Add your principal ( user ) → Search for Organization Policy Administrator → Save.
Make sure that you are doing it at the Organization level (top-left search box, next to the Google Cloud logo).
It doesn’t give me the option of: Organization Policy Administrator
Are you sure that you are at the org level in IAM?
Yes. I have selected the organisation for this. I think it’s some sort of access issue. It won’t let me sign up to Google tech support either as I don’t have the right access
What error are you getting when you try to assign this role?
Btw, we can schedule a meeting to help you get this issue sorted out.
Btw2: are you logging in with the user cathy@yourorg.com? The user who has Org Admin permissions?
Why am I asking about all those things? Because if you:
- Login with a user who has either Organization Admin or Security Admin roles assigned on organization level
And
- You are trying to assign Org Policy Admin on the organization level
You must be able to assign IAM roles. If not, you should receive an error which could be helpful for debugging.
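
Added example, not part of any post in this thread and not Google's code: a small offline check of the distinction the replies draw between managing IAM and editing organization policies. It reads an organization IAM policy in the JSON shape printed by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports, for one principal, which task each directly bound role allows. The sample policy is constructed, and the task-to-role mapping follows the thread's explanation only.

```python
import json

# Predefined role IDs for the roles named in the thread.
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"
SECURITY_ADMIN = "roles/iam.securityAdmin"
ORG_POLICY_ADMIN = "roles/orgpolicy.policyAdmin"

# Task -> roles that allow it, as described in the replies above.
TASKS = {
    "manage_iam": {ORG_ADMIN, SECURITY_ADMIN},
    "edit_org_policies": {ORG_POLICY_ADMIN},
}

# Constructed sample policy (not real data) in the get-iam-policy JSON shape.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:cathy@yourorg.com"]},
    {"role": "roles/billing.admin",
     "members": ["group:finance@yourorg.com"]}
  ],
  "etag": "CONSTRUCTED",
  "version": 1
}
""")

def direct_roles(policy, member):
    """Roles bound directly to `member`; group membership is not expanded."""
    wanted = member.lower()
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if wanted in (m.lower() for m in b.get("members", []))})

def diagnose(policy, member):
    """Per task: whether a bound role permits it, and what to grant if not."""
    held = set(direct_roles(policy, member))
    report = {}
    for task, roles in TASKS.items():
        have = sorted(held & roles)
        report[task] = {"allowed": bool(have), "via": have,
                        "grant_one_of": [] if have else sorted(roles)}
    return report

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_POLICY, "user:cathy@yourorg.com"), indent=2))
```

Roles inherited through a group binding are not resolved here, so a principal reported as missing a role may still hold it via a group.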