
I'm trying to use the Cloud Resource Manager v1beta1 API's organizations.list method to retrieve a user's organizations, with the ultimate goal of finding the directoryCustomerId of a Google Workspace/G Suite user's own native tenant. It is one of the few Google APIs available to retrieve this information.

Because this API returns a list of organizations, I assume they represent the list of Google Cloud Platform organizations that the user has access to, including those tenants that the user does not natively belong to.

My question is, is it guaranteed that for ANY Google Workspace/G Suite user, this list will at least include (and most likely only include) the user's own Google Workspace/G Suite organization, even if this organization does not use any Google Cloud products besides Google Workspace/G Suite (and therefore the user has no special access to any such product)?

Donnald Cucharo
thankyoussd

2 Answers

Yes, it is guaranteed to work on any account and I have tested it on 3 different accounts:

  • Regular gmail (non G-suite and no GCP resource)
  • G-suite account (w/o GCP Resource)
  • G-suite (with GCP resource)

Just an overview: G-suite is a collection of Google products for end-users that includes GMail, Google Drive, Google Docs, Hangouts, and more. On the other hand, Google Cloud Platform is a collection of services that Google makes available to developers or super users in order for them to create and run their own apps. Thus, both have the same structure in terms of Organization and Cloud APIs. Please see the official documentation for more information.

Alex G
  • Thanks. So 1. For regular Gmail without GCP resource, the list should be blank (seems to be the case for my test)? 2. For majority of G Suite users out there, I'd assume the list should return a single org, and if that's the case, that org must be the user's native tenant? 3. If many orgs are returned, the user is likely some admin or consultant kind of person with access to many independent Google tenants (should be relatively rare)? – thankyoussd Oct 21 '21 at 16:08
  • That is correct. – Alex G Oct 25 '21 at 00:54
  • Thanks I marked this as answer, but there is one scenario under which I cannot figure out a way to make it work. If john.doe@acme2.com belongs to a G Suite tenant whose primary domain is not acme2.com, but rather acme1.com (and I do not know this info in advance), and john.doe also happens to have access to other organization's resources, I cannot tell which org is his native tenant by looking at his `organizations.list` results, because these entities are only identified by primary domain (`displayName`). Any workaround for this? Thanks again. – thankyoussd Oct 25 '21 at 04:10
  • You will need to use `projects.getAncestry`, this [thread](https://stackoverflow.com/questions/59749855/how-do-i-get-the-organization-id-of-my-current-project-in-google-cloud-platform) should help. – Alex G Oct 25 '21 at 07:29
  • Unfortunately that API won't help because we will not have any project ID/scopes to work with. Our users simply log in to our web app via Google Sign In. We actually want nothing to do with and have zero knowledge about their GCP info. We simply need their G Suite `directoryCustomerId`. It just happens that `organizations.list` is the only API that provides this without any special permission/info (we only need to ask for the `cloudplatformorganizations.readonly` scope), but this only works if the user's list returns a single org or multiple orgs but with one matching his email domain. – thankyoussd Oct 25 '21 at 21:10
  • I see that you're looking for a G Suite account identifier that non-admins can access via APIs. Unfortunately, only admin users have access to G Suite organization information, and even then, they can only see information about their own account. This isn't actually an API restriction; rather, it's a blanket restriction. With that in mind, I recommend submitting a proposal to the Google workplace community via this [link](https://support.google.com/a/answer/6284762?hl=en), since it may be useful to other users. – Alex G Oct 27 '21 at 05:57
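The selection logic the comments above converge on (a single org, or exactly one org whose `displayName` matches the signed-in user's email domain), written out as an added example rather than code from the answer. The response dict is a constructed sample in the shape the Organization resource uses (`name`, `displayName`, `owner.directoryCustomerId`, `lifecycleState`); no API call is made here.

```python
"""Pick a signed-in user's home Workspace tenant from an organizations.list /
organizations.search style response, or report that it is ambiguous."""
from typing import Optional

# Constructed sample response: two orgs the same user can read. The first is
# the user's own tenant (primary domain acme1.com), the second is a tenant the
# user was granted access to as a consultant.
SAMPLE_RESPONSE = {
    "organizations": [
        {"name": "organizations/111111111111",
         "displayName": "acme1.com",
         "owner": {"directoryCustomerId": "C01aaaaaa"},
         "lifecycleState": "ACTIVE"},
        {"name": "organizations/222222222222",
         "displayName": "partner.example",
         "owner": {"directoryCustomerId": "C02bbbbbb"},
         "lifecycleState": "ACTIVE"},
    ]
}


def home_tenant_customer_id(email: str, response: dict) -> Optional[str]:
    """Return the directoryCustomerId of the org treated as the user's own
    tenant, or None when the list is empty (consumer Gmail, or an org whose
    admins removed the default bindings) or cannot be disambiguated."""
    orgs = [o for o in response.get("organizations", [])
            if o.get("lifecycleState", "ACTIVE") == "ACTIVE"]
    if not orgs:
        return None
    if len(orgs) == 1:
        # Single readable org: the thread treats this as the native tenant.
        return orgs[0]["owner"]["directoryCustomerId"]
    # Several orgs: fall back to matching the email domain against the
    # org's primary domain. A user on a secondary domain (john@acme2.com in a
    # tenant whose primary domain is acme1.com) will not match and gets None.
    domain = email.rsplit("@", 1)[-1].lower()
    matches = [o for o in orgs
               if o.get("displayName", "").lower() == domain]
    if len(matches) == 1:
        return matches[0]["owner"]["directoryCustomerId"]
    return None
```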

organizations.search requires the resourcemanager.organizations.get permission.

By default, all users of the domain are granted the Billing Account Creator and Project Creator on the organization. Both roles include the resourcemanager.organizations.get permission. So by default, users can see their own organization.

However, it's common practice to remove these two default IAM bindings. Then users can't see their own organization unless you explicitly grant them the Organization Viewer role or another role that includes said permission.

Johannes Passing
  • The API I referenced was `organizations.list` under v1beta1, not `organizations.search` under v1. So the API doc page of `organizations.list` here https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/list does not actually mention a role permission, does that mean all users should have access to it? Thanks. – thankyoussd Oct 21 '21 at 15:45
  • You shouldn't use the old `v1beta1` API, `organizations.search` is the `v1` equivalent of `organizations.list`. – Johannes Passing Oct 22 '21 at 08:03
  • But our app actually needs the ability to access this API (on behalf of the user) and get the organization from any G Suite user that logs in to our service. Based on the info you provided, I actually must use the `v1beta1` to avoid the scenario of lack of `resourcemanager.organizations.get` permission due to the user's tenant admin revoking those default bindings. I can't seem to find any mention of v1beta1 being EoL or unsupported soon. Is there a reason I shouldn't use it and if so, is there an alternative to achieve our needs? Thanks. – thankyoussd Oct 22 '21 at 17:14
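A small audit of an organization IAM policy for the default domain-wide bindings this answer describes, added here as an example and not part of the answer. It assumes a policy dict in the shape `gcloud organizations get-iam-policy ORG_ID --format=json` prints (`bindings[].role`, `bindings[].members`), uses the role IDs `roles/resourcemanager.projectCreator`, `roles/billing.creator` and `roles/resourcemanager.organizationViewer` for the roles the answer names, and the sample policy is constructed.

```python
"""Check whether every user of a Workspace domain can still read the
organization (resourcemanager.organizations.get) via domain-wide bindings."""

# Roles the answer names as carrying resourcemanager.organizations.get.
# Custom roles and conditional bindings are not inspected here.
DEFAULT_CREATOR_ROLES = {
    "roles/resourcemanager.projectCreator",   # Project Creator
    "roles/billing.creator",                  # Billing Account Creator
}
ORG_GET_ROLES = DEFAULT_CREATOR_ROLES | {
    "roles/resourcemanager.organizationViewer",  # Organization Viewer
}

# Constructed sample: an org that still carries the two default bindings.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@acme1.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:acme1.com"]},
        {"role": "roles/billing.creator",
         "members": ["domain:acme1.com"]},
    ]
}


def domain_wide_roles(policy: dict, domain: str) -> set:
    """Roles bound to the whole Workspace domain (member type `domain:`)."""
    member = f"domain:{domain}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def default_creator_bindings_present(policy: dict, domain: str) -> set:
    """Which of the two default creator bindings are still in place."""
    return DEFAULT_CREATOR_ROLES & domain_wide_roles(policy, domain)


def all_domain_users_can_get_org(policy: dict, domain: str) -> bool:
    """True if some domain-wide binding grants organizations.get, so that
    organizations.search returns this org for any user of the domain."""
    return bool(ORG_GET_ROLES & domain_wide_roles(policy, domain))


def without_roles(policy: dict, roles: set) -> dict:
    """Copy of the policy with the given roles' bindings dropped (the
    hardening step the answer calls common practice)."""
    return {"bindings": [b for b in policy.get("bindings", [])
                         if b["role"] not in roles]}
```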