# GCP\_PARENT\_ORGANIZATION

## Summary

|                            |                                  |
| -------------------------- | -------------------------------- |
| **FSProtect ACL Alias**    | GCP\_PARENT\_ORGANIZATION        |
| **GCP Alias**              | Entity Relation (Structural)     |
| **Affected Object Types**  | Organizations, Folders, Projects |
| **Exploitation Certainty** | Certain                          |

## Description

`GCP_PARENT_ORGANIZATION` is a structural edge representing that a folder or project sits **directly under a GCP Organization** as its parent in the resource hierarchy. Every GCP resource ultimately traces its lineage to an organization — this edge identifies the immediate parent-organization relationship for top-level folders and projects.

The GCP resource hierarchy roots at the organization node:

```
Organization  ←── GCP_PARENT_ORGANIZATION ─── Folder (top-level)
Organization  ←── GCP_PARENT_ORGANIZATION ─── Project (top-level, no folder)
```

This edge is distinct from `GCP_IN_FOLDER` (folder containment) because it specifically represents the **organization as the direct parent**, not a folder. Top-level folders and projects that sit directly under the org — without an intermediate folder — have a `GCP_PARENT_ORGANIZATION` edge rather than `GCP_IN_FOLDER`.

IAM bindings at the **organization level** are the most powerful in GCP — they cascade down through all folders and projects. `GCP_PARENT_ORGANIZATION` enables the graph to trace the full scope of org-level role bindings.
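The following added example (not FSProtect code) shows how the two edge types fall out of a resource listing and why an org-scoped binding reaches everything: it derives `GCP_PARENT_ORGANIZATION` and `GCP_IN_FOLDER` edges from constructed `name`/`parent` pairs, then walks the hierarchy downward from the org node. The organization ID and resource names are constructed sample data.

```python
# Added example (not FSProtect code): derive GCP_PARENT_ORGANIZATION and
# GCP_IN_FOLDER edges from a resource listing, then compute the blast radius
# of a role binding at org scope. Shapes mimic Resource Manager name/parent
# fields; all values are constructed sample data.
from collections import defaultdict

ORG = "organizations/123456789"            # constructed org ID

# Constructed sample hierarchy: resource name -> parent resource name.
RESOURCES = {
    "folders/100": ORG,
    "folders/110": "folders/100",
    "projects/prod-api": "folders/110",
    "projects/data-lake": "folders/100",
    "projects/sandbox-7": ORG,             # project directly under the org
}

def derive_edges(resources):
    """(child, edge_type, parent) triples: org parent -> GCP_PARENT_ORGANIZATION,
    folder parent -> GCP_IN_FOLDER."""
    edges = []
    for child, parent in resources.items():
        if parent.startswith("organizations/"):
            edges.append((child, "GCP_PARENT_ORGANIZATION", parent))
        elif parent.startswith("folders/"):
            edges.append((child, "GCP_IN_FOLDER", parent))
        else:
            raise ValueError(f"unexpected parent {parent!r} for {child}")
    return edges

def descendants(edges, root):
    """Everything reachable downward from `root` through either edge type.
    A binding scoped to `root` cascades to exactly this set."""
    children = defaultdict(list)
    for child, _, parent in edges:
        children[parent].append(child)
    seen, stack = set(), [root]
    while stack:
        for c in children[stack.pop()]:
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen

def top_level_projects(edges):
    """Projects with a GCP_PARENT_ORGANIZATION edge (the sprawl signal)."""
    return sorted(c for c, t, _ in edges
                  if t == "GCP_PARENT_ORGANIZATION" and c.startswith("projects/"))
```

`descendants(edges, ORG)` returns every resource in the sample, while the same call on a folder returns only its subtree, which is the difference between an org-level and a folder-level binding.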

## Identification

### gcloud CLI

```bash
# Resolve the organization. `name` comes back as "organizations/<id>"; the
# folders and logging commands take the bare numeric ID.
ORG_ID=$(gcloud organizations list --format="value(name)" | head -n 1)
ORG_NUM=${ORG_ID#organizations/}

# List all top-level folders (direct children of the org)
gcloud resource-manager folders list --organization="$ORG_NUM" \
  --format="table(name, displayName, createTime)"

# List all top-level projects (directly under the org, not in any folder)
gcloud projects list \
  --filter="parent.type=organization AND parent.id=$ORG_NUM" \
  --format="table(projectId, name, projectNumber)"

# Get organization-level IAM bindings (highest blast radius)
gcloud organizations get-iam-policy "$ORG_ID" --format=json | \
  jq '.bindings[] | {role: .role, members: .members}'
```

### GCP Console

1. Open **GCP Console** → **IAM & Admin** → **Manage Resources**.
2. The root of the tree is the Organization node — all items directly beneath it (folders and projects without a containing folder) have a `GCP_PARENT_ORGANIZATION` edge.
3. Org-level IAM bindings are set under **IAM & Admin** → **IAM** with the organization selected in the scope picker.

## Exploitation

The organization is the ultimate security boundary in GCP. `GCP_PARENT_ORGANIZATION` exposes how close top-level resources are to the org root — which determines their exposure to org-level IAM bindings:

* **Org-level role blast radius**: Any role binding at org scope (via `GCP_ROLE_SCOPED_TO` → org) affects every resource connected through `GCP_PARENT_ORGANIZATION` and the full `GCP_IN_FOLDER` hierarchy beneath it.
* **Org admin paths**: Roles like `roles/resourcemanager.organizationAdmin` and `roles/iam.securityAdmin` at org scope create `GCP_CAN_SET_ORG_IAMPOLICY` edges targeting the org node. Compromising any identity with these edges gives full control of the entire GCP organization.
* **Org policy scope**: Org-level organization policy constraints (controlled via `GCP_CAN_DISABLE_ORG_POLICY`) apply to all resources connected through this hierarchy.
* **Hierarchy sprawl**: Many top-level projects with `GCP_PARENT_ORGANIZATION` (rather than being organized in folders) indicate poor resource governance, making it harder to apply consistent folder-level controls and access policies.

## Mitigation

1. **Minimize org-level IAM bindings** — use folder- and project-level bindings wherever possible. Org-level bindings cascade to every resource in the organization.
2. **Organize projects into folders** — projects sitting directly under the org without a containing folder are harder to govern with folder-level controls. Move top-level projects into appropriately scoped folders.
3. **Restrict org-level admin roles** (`roles/resourcemanager.organizationAdmin`, `roles/iam.securityAdmin`, `roles/owner`) to break-glass accounts with just-in-time activation workflows.
4. **Review top-level resource sprawl** — a large number of projects or folders directly under the org indicates poor governance and makes it harder to apply consistent security controls.

## Detection

| Log Type       | Method                           | Key Fields                         |
| -------------- | -------------------------------- | ---------------------------------- |
| Admin Activity | `CreateProject`, `MoveProject`   | Project created directly under org |
| Admin Activity | `CreateFolder`, `MoveFolder`     | Folder created directly under org  |
| Admin Activity | `SetIamPolicy`                   | Org-level IAM binding changes      |

```bash
ORG_ID=$(gcloud organizations list --format="value(name)" | head -n 1)
ORG_NUM=${ORG_ID#organizations/}   # --organization takes the bare numeric ID
gcloud logging read \
  'protoPayload.methodName="SetIamPolicy" AND resource.type="organization"' \
  --organization="$ORG_NUM" \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.serviceData.policyDelta)"
```

Alert on:

* New privileged role bindings added at org scope (`SetIamPolicy` on organization resource).
* Projects or folders created or moved to be direct children of the organization.
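As an added example (not FSProtect code), the function below applies both alert conditions offline to constructed Admin Activity entries shaped like `gcloud logging read --format=json` output: it flags `ADD` deltas for the org-admin roles named above when the resource type is `organization`, and `CreateProject`/`MoveProject` calls whose destination is the organization. The `request.destinationParent` and `request.project.parent` field names are assumptions about the request payload, and all entries are constructed sample data.

```python
# Added example (not FSProtect code): offline triage of Admin Activity audit
# log entries for the two alert conditions listed above. Entries are
# constructed sample data in the shape of `gcloud logging read --format=json`;
# the request field names used for CreateProject/MoveProject are assumptions.
PRIVILEGED_ROLES = {"roles/resourcemanager.organizationAdmin",
                    "roles/iam.securityAdmin", "roles/owner"}

def _entry(ts, rtype, method, who, **payload):
    """Build a constructed log entry carrying only the fields triage() reads."""
    p = {"methodName": method, "authenticationInfo": {"principalEmail": who}}
    p.update(payload)
    return {"timestamp": ts, "resource": {"type": rtype}, "protoPayload": p}

ENTRIES = [
    # Org-scope SetIamPolicy adding a privileged role: should alert.
    _entry("2024-05-01T10:00:00Z", "organization", "SetIamPolicy", "alice@example.com",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/iam.securityAdmin", "member": "user:bob@example.com"},
               {"action": "REMOVE", "role": "roles/viewer", "member": "user:carol@example.com"}]}}),
    # Same kind of grant at project scope: not an org-level change, no alert here.
    _entry("2024-05-01T10:05:00Z", "project", "SetIamPolicy", "alice@example.com",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]}}),
    # Project moved to sit directly under the org: should alert.
    _entry("2024-05-01T10:10:00Z", "project", "MoveProject", "dave@example.com",
           request={"destinationParent": "organizations/123456789"}),
    # Project moved into a folder: no alert.
    _entry("2024-05-01T10:15:00Z", "project", "MoveProject", "dave@example.com",
           request={"destinationParent": "folders/100"}),
]

def triage(entries):
    """Return one alert string per condition hit, in log order."""
    alerts = []
    for e in entries:
        p = e["protoPayload"]
        who, method, ts = p["authenticationInfo"]["principalEmail"], p["methodName"], e["timestamp"]
        if method == "SetIamPolicy" and e["resource"]["type"] == "organization":
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for d in deltas:
                if d["action"] == "ADD" and d["role"] in PRIVILEGED_ROLES:
                    alerts.append(f"{ts} {who} added {d['role']} for {d['member']} at org scope")
        elif method in ("CreateProject", "MoveProject"):
            req = p.get("request", {})
            # Assumed shapes: MoveProject.destinationParent / CreateProject.project.parent
            parent = req.get("destinationParent") or req.get("project", {}).get("parent", "")
            if parent.startswith("organizations/"):
                alerts.append(f"{ts} {who} {method} placed a project directly under {parent}")
    return alerts
```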

## References

* <https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations>
* <https://cloud.google.com/iam/docs/overview#cloud-iam-policy>
* <https://cloud.google.com/resource-manager/docs/organization-policy/overview>

