Assigned
Comments
si...@google.com <si...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team, and I can't provide you an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
We could not find a way to restrict a user managed by our Cloud Identity from receiving permissions on a billing account from external sources. If they receive such a permission and also have the Project Creator role, they can create projects against an external billing account that we do not own, cannot control, and cannot generate a bill for. We need a solution to prevent such use cases.
An external billing account can grant the Billing User permission at its resource level to our user. If a user is a Billing User of an external billing account, they can use it to create a project linked to that account. The problem is that the user has permission on the folder/org resource to create the project, and also has permission to use an external billing account provided outside of our sight. That situation could end up with a project on our side consuming our Foundation services that we are not able to charge for, because utilization would be billed against a billing account that is not ours. That is the use case.
Theoretical example:
user:john.doe@ourdomain.com
project id: customer1-project
Folder: customer-folder
our billing account: customer-subbilling
John Doe also has his own GCP account: john.doe@customer.com
His own billing account: john-doe-billing
Imagine that user john.doe@customer.com grants the Billing User permission to user john.doe@ourdomain.com.
The project utilizing our Foundation services is therefore not assigned to our billing account, which is what we would like to prevent.
What we need is an Organization Policy that restricts all projects under our resource hierarchy to billing (sub)accounts belonging to us.
The only official workaround to this problem is to avoid granting the following roles to users below the organization:
and to create a custom role similar to Owner but without the permissions listed in [1]; this can be really painful and effortful for an organization/billing admin.
[1]https://cloud.google.com/billing/docs/how-to/modify-project#change_the_billing_account_for_a_project
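Until a preventive control exists, the situation described in this issue can at least be detected after the fact. The script below is an added example, not code from this issue, from the reporter or from Google: it takes the per-project billing info and the billing account list an org admin can pull with `gcloud billing projects describe` and `gcloud billing accounts list`, and flags every billing-enabled project whose billing account is neither one of our master accounts nor a subaccount of one (subaccounts carry `masterBillingAccount` pointing at their parent). The master-account allowlist, the billing account IDs and the sample records are constructed for illustration; the record shapes follow the Cloud Billing API's BillingAccount and ProjectBillingInfo resources.

```python
"""Flag projects under our org that are billed to a billing account we do not own.

Added example for the scenario in this issue; not the project's or Google's code.
Record shapes follow the Cloud Billing API's BillingAccount and ProjectBillingInfo
resources. All IDs and records below are constructed sample data.
"""
import json

# Assumption: the master billing account(s) our organization owns, kept as an
# explicit allowlist. Do NOT derive this from `gcloud billing accounts list`,
# because that command also shows external accounts on which our users were
# granted Billing User, which is exactly the case we want to catch.
OUR_MASTER_BILLING_ACCOUNTS = {"billingAccounts/AAAAAA-BBBBBB-CCCCCC"}

# Constructed sample of `gcloud billing accounts list --format=json` output.
# "customer-subbilling" is a subaccount of our master; "john-doe-billing" is
# the external account from the issue's theoretical example.
SAMPLE_BILLING_ACCOUNTS = json.loads("""
[
  {"name": "billingAccounts/AAAAAA-BBBBBB-CCCCCC", "displayName": "our-master",
   "open": true, "masterBillingAccount": ""},
  {"name": "billingAccounts/111111-222222-333333", "displayName": "customer-subbilling",
   "open": true, "masterBillingAccount": "billingAccounts/AAAAAA-BBBBBB-CCCCCC"},
  {"name": "billingAccounts/DDDDDD-EEEEEE-FFFFFF", "displayName": "john-doe-billing",
   "open": true, "masterBillingAccount": ""}
]
""")

# Constructed sample: one `gcloud billing projects describe <id> --format=json`
# record per project found with `gcloud projects list` under our org/folder.
SAMPLE_PROJECT_BILLING = json.loads("""
[
  {"name": "projects/customer1-project/billingInfo", "projectId": "customer1-project",
   "billingAccountName": "billingAccounts/DDDDDD-EEEEEE-FFFFFF", "billingEnabled": true},
  {"name": "projects/customer2-project/billingInfo", "projectId": "customer2-project",
   "billingAccountName": "billingAccounts/111111-222222-333333", "billingEnabled": true},
  {"name": "projects/sandbox-unbilled/billingInfo", "projectId": "sandbox-unbilled",
   "billingAccountName": "", "billingEnabled": false}
]
""")


def owned_billing_accounts(accounts, masters):
    """Return the master accounts plus every subaccount whose parent is one of them."""
    owned = set(masters)
    for acct in accounts:
        if acct.get("masterBillingAccount") in owned:
            owned.add(acct["name"])
    return owned


def find_foreign_billing(project_billing, owned):
    """Return (projectId, billingAccountName) for projects billed outside `owned`.

    Projects with billing disabled are skipped: nothing is being charged anywhere,
    so they are a cost-visibility gap rather than a foreign-billing case.
    """
    foreign = []
    for info in project_billing:
        if not info.get("billingEnabled"):
            continue
        if info.get("billingAccountName", "") not in owned:
            foreign.append((info["projectId"], info["billingAccountName"]))
    return foreign


if __name__ == "__main__":
    owned = owned_billing_accounts(SAMPLE_BILLING_ACCOUNTS, OUR_MASTER_BILLING_ACCOUNTS)
    for project_id, account in find_foreign_billing(SAMPLE_PROJECT_BILLING, owned):
        print(f"FOREIGN BILLING: {project_id} is linked to {account}")
```

Run against real data by replacing the two sample lists with the JSON output of the `gcloud` commands named in the comments; the only thing that must be maintained by hand is the master-account allowlist. Because this is detection rather than prevention, it should run on a schedule (or be triggered from the billing-account-change audit log) and page the billing admin, who can then relink the project to one of our subaccounts as described in reference [1].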