Organization roles
Organization roles define permissions for managing various features at the organization level, including resources, users, billing, and IAM settings.
Types of organization roles
Organization roles are classified into Organization Owner, Organization Admin, and Organization Reader.
These roles provide fundamental permissions to manage organization-wide users, projects, and groups.
Some service resources such as IAM and Billing can be controlled with finer granularity through their dedicated service roles.
| Role | Permissions | Included sub-roles |
|---|---|---|
| Organization Owner | Automatically granted when creating an organization.<br>- Includes Organization Admin and Billing Admin roles by default.<br>- Can create or request deletion of an organization.<br>- Ownership can be transferred to another user. | Organization Admin, Billing Admin |
| Organization Admin | Manages organizations and projects (excluding project resources).<br>- Add/remove users, create/delete groups and projects.<br>- Can update the status or type of Helpdesk general inquiries. | Organization Reader |
| Organization Reader | View users and IAM roles within the organization and its projects. | – |
Organization role permission matrix
The table below compares the key permissions of Organization Owner, Organization Admin, and Organization Reader.
| Function / Role | Organization Owner | Organization Admin | Organization Reader |
|---|---|---|---|
| Create organization | ✓ | | |
| Delete organization | ✓ | | |
| Modify organization settings (name, policy, etc.) | ✓ | | |
| Transfer ownership | ✓ | | |
| Add/remove users | ✓ | ✓ | |
| Create/delete groups | ✓ | ✓ | |
| Create/delete projects | ✓ | ✓ | |
| View project list | ✓ | ✓ | ✓ |
| View user details | ✓ | ✓ | ✓ |
| View IAM role information | ✓ | ✓ | ✓ |
| Change login/security settings | ✓ | ✓ | |
| View login/security settings | ✓ | ✓ | ✓ |
| Manage Helpdesk settings | ✓ | ✓ | |
| Manage billing and payments | ✓ | | |
💡 Billing-related functions require separate assignment of the Billing Admin or subordinate billing roles.
The above roles represent organization-level administrative privileges.
If you only need to manage IAM resources—such as users, groups, roles, and service accounts—within the organization, you can assign IAM-specific roles (e.g., IAM Organization Admin, IAM Organization Viewer).
Role combinations
According to the principle of least privilege, grant only the roles necessary to perform required tasks.
Since higher-level roles already include subordinate permissions, avoid redundant role assignments.
Assign multiple roles only when each role’s scope or responsibility is clearly separated.
Organization-level roles can be combined to meet various operational, security, and audit needs.
The following table outlines common role combinations and their permission scopes.
| Role combination | Description |
|---|---|
| Organization Admin | Grants full control of users and projects across the organization. – Suitable for administrators responsible for overall organizational operations. |
| Organization Admin + IAM Organization Admin ❌ | ⚠️ Duplicate assignment: The Organization Admin already includes most organization and IAM control permissions. → Additional IAM-specific roles are unnecessary; assign Organization Admin only. |
| Organization Reader + Billing Admin | Enables viewing of users/projects and managing billing and payment settings. – Suitable for accounting personnel reviewing billing details alongside IAM information. |
| Organization Reader + Alert Center Organization Viewer | Allows viewing of organization-level alert policies and delivery logs. – Suitable for monitoring or customer support accounts. |
| IAM Organization Admin + Cloud Trail Trail Viewer | Enables IAM configuration management and audit tracking of IAM changes. – Useful for accounts that oversee IAM activity monitoring or automation. |
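The redundancy rule above can be checked mechanically. The following is an added example, not part of the platform's documentation or tooling: the inclusion map comes from the "Included sub-roles" column and the duplicate noted in the combinations table, while the user names and assignment data are constructed and the way assignments are exported from the platform is assumed.

```python
# Role inclusion as listed in the "Included sub-roles" column of this page.
INCLUDES = {
    "Organization Owner": {"Organization Admin", "Billing Admin"},
    "Organization Admin": {"Organization Reader"},
    "Organization Reader": set(),
}
# Overlap the page flags as a duplicate assignment (not a formal sub-role).
DUPLICATE_WITH = {"IAM Organization Admin": {"Organization Admin"}}


def effective_roles(role):
    """Return the role plus every role it transitively includes."""
    result, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in result:
            result.add(current)
            stack.extend(INCLUDES.get(current, ()))
    return result


def redundant_assignments(assigned):
    """Map each redundant role to an assigned role that already covers it."""
    assigned, findings = set(assigned), {}
    for role in sorted(assigned):
        # Holding any of these through another assignment makes `role` unnecessary.
        covered_by = {role} | DUPLICATE_WITH.get(role, set())
        for other in sorted(assigned - {role}):
            if effective_roles(other) & covered_by:
                findings[role] = other
                break
    return findings


def audit(assignments):
    """Return only the users that hold at least one redundant role."""
    report = {user: redundant_assignments(roles) for user, roles in assignments.items()}
    return {user: found for user, found in report.items() if found}


# Constructed sample data: user -> roles granted at the organization level.
SAMPLE = {
    "alice": {"Organization Owner", "Organization Admin"},
    "bob": {"Organization Admin", "IAM Organization Admin"},
    "carol": {"Organization Reader", "Billing Admin"},
    "dave": {"IAM Organization Admin", "Cloud Trail Trail Viewer"},
}

if __name__ == "__main__":
    for user, found in audit(SAMPLE).items():
        for role, cover in found.items():
            print(f"{user}: remove '{role}' (already covered by '{cover}')")
```
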