GCP_PARENT_OU

Summary

FSProtect ACL Alias: GCP_PARENT_OU
GCP Alias: Entity Relation (Structural)
Affected Object Types: Users, Organizational Units
Exploitation Certainty: Certain

Description

GCP_PARENT_OU is a structural edge representing that a Google Workspace user or an organizational unit is contained within an Organizational Unit (OU) in the Google Workspace directory. OUs are used to structure the Workspace directory and to apply policies selectively — different OUs can have different password policies, device policies, app access settings, and Context-Aware Access rules.

Policy inheritance in Workspace follows the OU hierarchy: settings applied to a parent OU cascade to all child OUs and their members unless overridden. An attacker who can modify OU membership can move a target user into a less-restricted OU and bypass security controls that apply only to their original OU.

Key properties:

  • A user belongs to exactly one OU at a time.

  • OU-level policies (Context-Aware Access, app access, MDM enforcement) apply to all members.

  • Moving a user to an unrestricted OU can bypass controls that were scoped to their original OU.
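The inheritance rule above is what makes the edge matter: a user's effective settings are resolved by walking from their OU up to the root, with the nearest OU that sets a value winning. The following added example (not code from the page or from FSProtect) models that resolution and shows what a single OU move changes. The OU paths, setting names and values are constructed samples in the slash-separated form the Directory API's orgUnitPath field uses; the move is simulated locally rather than issued through the API.

```python
"""Model Google Workspace OU policy inheritance and the effect of a user move.

Added example; OU paths, setting names and values are constructed samples.
In the real directory the move is a Directory API users.update call that
sets orgUnitPath, which the Admin audit log records as MOVE_USER_TO_ORG_UNIT.
"""
from typing import Dict, Optional

# Locally applied settings per OU. A missing key means the setting is
# inherited from the parent (what the Admin Console shows as "Inherited").
OU_SETTINGS: Dict[str, Dict[str, object]] = {
    "/": {"mdm": "basic", "drive_external_sharing": True, "two_sv_enforced": False},
    "/Staff": {"two_sv_enforced": True},
    "/Staff/Finance": {"caa_level": "corp_device", "drive_external_sharing": False},
    "/Staff/Finance/Executives": {"mdm": "advanced"},
    "/Contractors": {},
}

# Constructed users keyed by email, value as users.list would report orgUnitPath.
USERS: Dict[str, str] = {
    "cfo@example.com": "/Staff/Finance/Executives",
    "bob@example.com": "/Contractors",
}


def ancestors(ou_path: str):
    """Yield an OU path followed by each ancestor up to the root "/"."""
    path = ou_path.rstrip("/") or "/"
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


def effective_policy(ou_path: str) -> Dict[str, object]:
    """Resolve the settings that apply to members of ou_path.

    Walk from the OU towards the root; the first OU that sets a value wins,
    so a child override beats the parent and the root supplies the defaults.
    """
    resolved: Dict[str, object] = {}
    for path in ancestors(ou_path):
        for key, value in OU_SETTINGS.get(path, {}).items():
            resolved.setdefault(key, value)
    return resolved


def policy_diff(old_ou: str, new_ou: str) -> Dict[str, tuple]:
    """Return {setting: (before, after)} for every setting that changes on a move.

    A value of None on the 'after' side means the control no longer applies
    at all in the destination OU (e.g. no Context-Aware Access level).
    """
    before, after = effective_policy(old_ou), effective_policy(new_ou)
    return {
        key: (before.get(key), after.get(key))
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def move_user(email: str, new_ou: str) -> str:
    """Simulate moving a user to another OU; returns the previous OU path."""
    if new_ou not in OU_SETTINGS:
        raise ValueError(f"unknown OU {new_ou}")
    old_ou = USERS[email]
    USERS[email] = new_ou
    return old_ou


if __name__ == "__main__":
    target = "cfo@example.com"
    old = move_user(target, "/Contractors")
    for setting, (before, after) in policy_diff(old, USERS[target]).items():
        print(f"{target}: {setting}: {before!r} -> {after!r}")
```

Running it shows the executive losing the Context-Aware Access requirement, advanced MDM, the external-sharing block and 2-Step Verification enforcement in one move, which is exactly the exposure the audit and alerting below are meant to catch.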

Identification

GCP Console

  1. Open the Google Admin Console (admin.google.com) → Directory → Organizational units.

  2. The OU tree shows the hierarchy; select an OU to list the users it contains. A single user's OU is also shown on that user's detail page under Directory → Users.

gcloud CLI

gcloud has no commands for Google Workspace directory objects, so OU membership cannot be read through it. Use the Admin SDK Directory API instead: users.get and users.list return each user's orgUnitPath, and orgunits.list returns the OU tree. Directory tooling such as GAM wraps the same API.

Exploitation

GCP_PARENT_OU has no direct exploit — it is a structural edge. Its security significance comes from OU-level policy inheritance:

  • Move a user to an unrestricted OU to bypass Context-Aware Access policies, app-access restrictions, or stricter MDM requirements that apply only to the original OU. Moving a user requires a role holding the user management privilege, i.e. Super Admin or a User Management Admin whose scope covers the OUs involved.

  • Modify OU-level policies (if the attacker holds admin rights) to relax security controls affecting all OU members simultaneously.

  • Identify the target user's OU to understand what security policies apply — whether Google Drive sharing is restricted, whether advanced phishing protection is enforced, or which Context-Aware Access levels are required.

Mitigation

  1. Restrict OU membership changes to dedicated directory admins; audit all user moves between OUs.

  2. Keep privileged accounts in hardened OUs with the most restrictive access policies.

  3. Alert on OU membership changes for users in sensitive OUs (executives, admins, finance).

  4. Layer security controls — do not rely solely on OU membership; use group-based policies and Context-Aware Access as additional enforcement layers.

Detection

Log Type: Admin Activity
Method: MOVE_USER_TO_ORG_UNIT
Key Fields: Admin audit log entry, including the acting admin, the moved user, and the source and destination OU

Alert on:

  • Users moved from a restricted OU to a less-restricted OU.

  • OU membership changes for admin or executive accounts.

  • Bulk OU moves affecting more than a handful of users at once.
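The three alert conditions above can be evaluated directly over Admin Activity events. The added example below (not from the page or from FSProtect) does so over constructed sample events laid out in the Reports API activities.list shape (id.time, actor.email, events[].name, events[].parameters[] name/value pairs). The parameter names USER_EMAIL, ORG_UNIT_NAME (source OU) and NEW_VALUE (destination OU) are assumed and should be checked against a real MOVE_USER_TO_ORG_UNIT event before deployment; the restrictiveness ranking, sensitive OU list, bulk threshold and window are local tuning choices.

```python
"""Flag risky MOVE_USER_TO_ORG_UNIT events from Google Workspace Admin Activity.

Added example. Input items follow the Reports API activities.list layout; the
event parameter names USER_EMAIL, ORG_UNIT_NAME and NEW_VALUE are assumed.
OU_RANK, SENSITIVE_OUS, BULK_THRESHOLD and BULK_WINDOW are local tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Higher rank = more restrictive OU. Unknown OUs rank 0 so that a move into
# an OU nobody classified still counts as leaving a restricted one.
OU_RANK: Dict[str, int] = {
    "/": 0, "/Contractors": 0, "/Staff": 1,
    "/Staff/Finance": 2, "/Staff/Finance/Executives": 3, "/Admins": 3,
}
SENSITIVE_OUS = {"/Admins", "/Staff/Finance/Executives"}
BULK_THRESHOLD = 5                 # moves by one actor ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window


def _item(time: str, actor: str, user: str, src: str, dst: str) -> dict:
    """Build one constructed Admin Activity item in Reports API shape."""
    return {
        "id": {"time": time, "applicationName": "admin"},
        "actor": {"email": actor},
        "events": [{
            "type": "USER_SETTINGS",
            "name": "MOVE_USER_TO_ORG_UNIT",
            "parameters": [
                {"name": "USER_EMAIL", "value": user},
                {"name": "ORG_UNIT_NAME", "value": src},   # assumed: source OU
                {"name": "NEW_VALUE", "value": dst},       # assumed: destination OU
            ],
        }],
    }


# Constructed sample log: one executive downgrade, one benign onboarding
# move, and a helpdesk account moving five staff out of /Staff in a burst.
SAMPLE_EVENTS: List[dict] = [
    _item("2024-05-01T10:00:00Z", "admin@example.com", "cfo@example.com",
          "/Staff/Finance/Executives", "/Contractors"),
    _item("2024-05-01T10:01:00Z", "admin@example.com", "newhire@example.com",
          "/", "/Staff"),
] + [
    _item(f"2024-05-01T10:0{i + 2}:00Z", "helpdesk@example.com",
          f"user{i}@example.com", "/Staff", "/Contractors")
    for i in range(5)
]

Move = Tuple[datetime, str, str, str, str]  # time, actor, user, src, dst


def parse_moves(item: dict) -> List[Move]:
    """Extract every MOVE_USER_TO_ORG_UNIT event from one activity item."""
    when = datetime.fromisoformat(item["id"]["time"].replace("Z", "+00:00"))
    moves: List[Move] = []
    for ev in item.get("events", []):
        if ev.get("name") != "MOVE_USER_TO_ORG_UNIT":
            continue
        params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
        moves.append((when, item["actor"]["email"], params.get("USER_EMAIL"),
                      params.get("ORG_UNIT_NAME"), params.get("NEW_VALUE")))
    return moves


def detect(items: List[dict]) -> List[tuple]:
    """Return alert tuples for downgrades, sensitive-OU moves and bulk moves."""
    alerts: List[tuple] = []
    by_actor: Dict[str, List[datetime]] = defaultdict(list)
    for item in items:
        for when, actor, user, src, dst in parse_moves(item):
            if OU_RANK.get(dst, 0) < OU_RANK.get(src, 0):
                alerts.append(("DOWNGRADE", actor, user, src, dst))
            if src in SENSITIVE_OUS or dst in SENSITIVE_OUS:
                alerts.append(("SENSITIVE_OU", actor, user, src, dst))
            by_actor[actor].append(when)
    # Sliding window per actor: alert once if BULK_THRESHOLD moves fall
    # inside BULK_WINDOW, regardless of direction.
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append(("BULK_MOVE", actor, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rank unknown destination OUs low on purpose: an attacker who creates a fresh, unclassified OU and moves a target into it should still trigger the downgrade rule. The bulk rule is keyed on the acting admin rather than on the OU, since a compromised admin account is the usual source of mass moves.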

References

  • https://knowledge.workspace.google.com/admin/users/advanced/add-an-organizational-unit
