# GCP\_PARENT\_OU

## Summary

|                            |                              |
| -------------------------- | ---------------------------- |
| **FSProtect ACL Alias**    | GCP\_PARENT\_OU              |
| **GCP Alias**              | Entity Relation (Structural) |
| **Affected Object Types**  | Users, Organizational Units  |
| **Exploitation Certainty** | Certain                      |

## Description

`GCP_PARENT_OU` is a structural edge representing that a Google Workspace user or an organizational unit is **contained within an Organizational Unit (OU)** in the Google Workspace directory. OUs are used to structure the Workspace directory and to apply policies selectively — different OUs can have different password policies, device policies, app access settings, and Context-Aware Access rules.

Policy inheritance in Workspace follows the OU hierarchy: settings applied to a parent OU cascade to all child OUs and their members unless overridden. An attacker who can modify OU membership can move a target user into a less-restricted OU and bypass security controls that apply only to their original OU.

**Key properties:**

* A user belongs to exactly one OU at a time.
* OU-level policies (Context-Aware Access, app access, MDM enforcement) apply to all members.
* Moving a user to an unrestricted OU can bypass controls that were scoped to their original OU.

## Identification

### GCP Console

1. Open **Google Admin Console** (`admin.google.com`) → **Directory** → **Organizational units**.
2. The OU tree shows which users belong to each OU.

### gcloud CLI

```bash
# List all OUs in the organization.
# The access token must be authorized for the scope
# https://www.googleapis.com/auth/admin.directory.orgunit.readonly
ACCESS_TOKEN="your-access-token"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/directory/v1/customer/my_customer/orgunits?type=ALL" \
  | jq '.organizationUnits[] | {name: .name, path: .orgUnitPath, parentPath: .parentOrgUnitPath}'

# Get the OU of a specific user (the token also needs the
# https://www.googleapis.com/auth/admin.directory.user.readonly scope)
USER_EMAIL="user@example.com"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/directory/v1/users/${USER_EMAIL}?projection=full" \
  | jq '.orgUnitPath'
```

## Exploitation

`GCP_PARENT_OU` has no direct exploit — it is a structural edge. Its security significance comes from OU-level policy inheritance:

* **Move a user to an unrestricted OU** to bypass Context-Aware Access policies, app-access restrictions, or stricter MDM requirements that apply only to the original OU. Moving a user requires Super Admin or User Management Admin with OU modification rights.
* **Modify OU-level policies** (if the attacker holds admin rights) to relax security controls affecting all OU members simultaneously.
* **Identify the target user's OU** to understand what security policies apply — whether Google Drive sharing is restricted, whether advanced phishing protection is enforced, or which Context-Aware Access levels are required.

## Mitigation

1. **Restrict OU membership changes** to dedicated directory admins; audit all user moves between OUs.
2. **Keep privileged accounts in hardened OUs** with the most restrictive access policies.
3. **Alert on OU membership changes** for users in sensitive OUs (executives, admins, finance).
4. **Layer security controls** — do not rely solely on OU membership; use group-based policies and Context-Aware Access as additional enforcement layers.

## Detection

| Log Type       | Method                  | Key Fields                                 |
| -------------- | ----------------------- | ------------------------------------------ |
| Admin Activity | `MOVE_USER_TO_ORG_UNIT` | Admin audit log, source and destination OU |

```bash
# Pull MOVE_USER_TO_ORG_UNIT events from the Admin audit log.
# The token must be authorized for the scope
# https://www.googleapis.com/auth/admin.reports.audit.readonly
ACCESS_TOKEN="your-access-token"
curl -s \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?eventName=MOVE_USER_TO_ORG_UNIT" \
  | jq '.items[]? | {actor: .actor.email, time: .id.time, params: .events[].parameters}'
```

Alert on:

* Users moved from a restricted OU to a less-restricted OU.
* OU membership changes for admin or executive accounts.
* Bulk OU moves affecting more than a handful of users at once.
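The three alert conditions above, applied to the JSON the Reports API query returns, as an added example that is not part of the original page or of FSProtect. It assumes the `MOVE_USER_TO_ORG_UNIT` event carries `USER_EMAIL`, `ORG_UNIT_NAME` (source) and `NEW_ORG_UNIT_NAME` (destination) parameters, and the restricted-OU list, sensitive-user list, bulk threshold and sample log items are all constructed for the example.

```python
"""Triage MOVE_USER_TO_ORG_UNIT events from the Admin SDK Reports API."""
from collections import Counter

# Constructed policy inputs (assumptions for this example, not FSProtect settings).
RESTRICTED_OUS = {"/Executives", "/Admins", "/Finance"}   # hardened OUs
SENSITIVE_USERS = {"cfo@example.com", "admin@example.com"}
BULK_THRESHOLD = 5                                         # moves by one actor


def _item(actor, time, user, src, dst):
    """Build one Reports API activity item in the shape the API returns."""
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"name": "MOVE_USER_TO_ORG_UNIT", "parameters": [
                {"name": "USER_EMAIL", "value": user},
                {"name": "ORG_UNIT_NAME", "value": src},
                {"name": "NEW_ORG_UNIT_NAME", "value": dst}]}]}


# Constructed sample log: one downgrade of an executive, one benign move,
# and a service account moving five users in a row.
SAMPLE_ITEMS = [
    _item("helpdesk@example.com", "2024-01-01T10:00:00.000Z",
          "cfo@example.com", "/Executives", "/Staff"),
    _item("helpdesk@example.com", "2024-01-01T10:01:00.000Z",
          "bob@example.com", "/Staff", "/Staff/Sales"),
] + [_item("svc-sync@example.com", f"2024-01-01T11:0{i}:00.000Z",
           f"u{i}@example.com", "/Staff", "/Staff/Contractors") for i in range(5)]


def is_restricted(path):
    """True if the OU path is a hardened OU or nested under one."""
    if not path:
        return False
    return any(path == r or path.startswith(r + "/") for r in RESTRICTED_OUS)


def move_records(items):
    """Flatten activity items into (actor, time, user, src, dst) records."""
    recs = []
    for item in items:
        for ev in item.get("events", []):
            if ev.get("name") != "MOVE_USER_TO_ORG_UNIT":
                continue
            p = {x["name"]: x.get("value") for x in ev.get("parameters", [])}
            recs.append({"actor": item["actor"]["email"], "time": item["id"]["time"],
                         "user": p.get("USER_EMAIL"), "src": p.get("ORG_UNIT_NAME"),
                         "dst": p.get("NEW_ORG_UNIT_NAME")})
    return recs


def find_alerts(items):
    """Apply the three alert rules: downgrade, sensitive user, bulk move."""
    recs, alerts = move_records(items), []
    for r in recs:
        if is_restricted(r["src"]) and not is_restricted(r["dst"]):
            alerts.append(("downgrade", r["user"], r["src"], r["dst"]))
        if r["user"] in SENSITIVE_USERS:
            alerts.append(("sensitive_user", r["user"], r["src"], r["dst"]))
    for actor, n in Counter(r["actor"] for r in recs).items():
        if n >= BULK_THRESHOLD:
            alerts.append(("bulk", actor, n))
    return alerts
```

Feed `find_alerts` the `items` array from the `curl` call above; a move into a child of a restricted OU (for example `/Admins` to `/Admins/Tier0`) is not flagged as a downgrade because the child inherits the parent's policies.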
