Organization Policy API

Name: Organization Policy API API
Brand: Organization Policy API
Availability: InStock

✓ Official Vendor SpecSecurityComplianceoauth29 EndpointsREST

For Agents

Apply and inspect Google Cloud organisation policies — boolean, list, and custom constraints — that govern what resource configurations are allowed across the hierarchy.

Quickstart

Get started with Organization Policy API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"apply a google cloud organisation policy"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Organization Policy API API.

List the built-in constraints available on a folder, project, or organisation

Apply policies that enforce or restrict specific resource configurations

Author custom constraints for resource fields not covered by built-ins

Read the effective policy for a resource after hierarchy inheritance

GET STARTED

Start building with Organization Policy API API

Explore with Jentic

View OpenAPI Document

Use for: List all available constraints on a Google Cloud project, Apply a policy that restricts VM creation to specific regions, Get the effective organisation policy for a project, Create a custom constraint for a Compute Engine instance label

Not supported: Does not grant IAM permissions, evaluate runtime requests, or manage hierarchy nodes — use for declaring and inspecting organisation policy resources only.

The Organization Policy API configures governance constraints across the Google Cloud resource hierarchy — organisations, folders, and projects. It exposes built-in constraints (boolean, list, custom) and lets administrators author and apply policies that allow or deny specific resource configurations, such as restricting which regions VMs can run in or which service accounts can be created. The API also supports custom constraints for resource fields not covered by built-ins. The spec exposes 9 endpoints.

Use Cases

Patterns agents use Organization Policy API API for, with concrete tasks.

★ Region restriction for data residency

Apply the gcp.resourceLocations boolean/list constraint to a folder or organisation so that all VMs, GKE clusters, and storage buckets in scope can only be created in approved regions. The Organization Policy API lets compliance teams roll this constraint out hierarchy-wide and read back the effective policy from any project to verify enforcement. Suitable for organisations with data residency obligations.

Apply a policy to folder folders/123456 that sets the gcp.resourceLocations constraint to allow only europe-west1 and europe-west4, then read the effective policy on a child project to confirm.

Custom constraints for label compliance

Author a custom constraint that requires every Compute Engine instance to carry a specific label such as cost-center or owner. Custom constraints declare a CEL condition over the resource and apply it at create or update time. This catches misconfigurations at admission instead of relying on after-the-fact remediation.

Create a custom constraint that requires every compute.googleapis.com/Instance to carry a labels.cost-center value, attach it to organisation 7777777, and verify creation by listing custom constraints.

Audit drift across the hierarchy

Walk the resource hierarchy and read the effective policy on each project to detect drift between intended governance and what is actually enforced. The API's getEffectivePolicy endpoint returns the inherited result, so an audit script can flag projects where a child policy overrides a tighter parent. Helpful before security reviews or audits.

For every project under organisation 7777777, GET /v2/{+name}:getEffectivePolicy for constraint constraints/iam.allowedPolicyMemberDomains and write any project whose effective policy disagrees with the org policy to a drift report.

Agent-driven governance changes via Jentic

A governance agent reacting to a security incident — for example, a sudden deployment in an unapproved region — can use Jentic to find and apply the right Organization Policy operation. Credentials stay in the Jentic vault, so the agent acts under scoped Org Admin tokens with full audit trail. Useful for guardrail bots that close governance gaps automatically.

Use Jentic to find the create-policy operation, load its schema, and apply a constraint that denies compute.googleapis.com/Instance creation outside europe-west1 to folder folders/123456.

Key Endpoints

9 endpoints — the organization policy api configures governance constraints across the google cloud resource hierarchy — organisations, folders, and projects.

METHOD

PATH

DESCRIPTION

POST

/v2/{+parent}/policies

Create an organisation policy

GET

/v2/{+parent}/policies

List policies on a node

PATCH

/v2/{+name}

Update a policy

DELETE

/v2/{+name}

Delete a policy

GET

/v2/{+name}:getEffectivePolicy

Get the effective policy after inheritance

GET

/v2/{+parent}/constraints

List built-in constraints

POST

/v2/{+parent}/customConstraints

Create a custom constraint

POST

/v2/{+parent}/policies

Create an organisation policy

GET

/v2/{+parent}/policies

List policies on a node

PATCH

/v2/{+name}

Update a policy

DELETE

/v2/{+name}

Delete a policy

GET

/v2/{+name}:getEffectivePolicy

Get the effective policy after inheritance

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

Google OAuth 2.0 tokens are minted from a service account stored in the Jentic vault (MAXsystem). Agents act under scoped, short-lived tokens — the service-account key never enters their context.

Intent-based discovery

Agents search Jentic with intents like apply region restriction policy and Jentic returns the matching Organization Policy operation, its required scopes, and its input schema.

Time to first call

Direct integration: 1 day to wire OAuth, hierarchy resolution, and policy evaluation. Through Jentic: under 30 minutes — search, load, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

Cloud Resource Manager API

Cloud Resource Manager owns the hierarchy nodes that org policies attach to

Use Cloud Resource Manager when the agent needs to create or move a project/folder; use Organization Policy to bind constraints to those nodes.

Alternative

Identity and Access Management API

IAM controls who can do what; Organization Policy controls what configurations are allowed

Use IAM when the agent needs to grant a permission to a principal; use Organization Policy when the goal is to restrict resource configurations regardless of caller.

Complementary

Security Command Center API

Security Command Center surfaces findings that often drive new org policies

Use Security Command Center to discover misconfigurations; use Organization Policy to enforce a constraint that prevents the misconfiguration recurring.

FAQs

Specific to using Organization Policy API API through Jentic.

What authentication does the Organization Policy API use?

The API uses Google OAuth 2.0 with the cloud-platform scope and requires the orgpolicy.policyAdmin role on the target node. Through Jentic, tokens are minted from a service account stored in the Jentic vault.

Can I write custom constraints with this API?

Yes. POST to /v2/{+parent}/customConstraints with a CEL condition over the target resource type. The constraint then becomes available to bind via a policy on any node beneath the parent organisation.

What are the rate limits for the Organization Policy API?

Google Cloud applies a per-project quota for policy mutations. Effective-policy reads are cheap; bulk audits should still batch and back off if 429s appear, rather than fan out.

How do I apply a region restriction policy through Jentic?

Search Jentic for create organisation policy, load the schema for POST /v2/{+parent}/policies, and execute it with the gcp.resourceLocations constraint and your allowed list. Jentic returns the policy resource so you can confirm the apply.

Does this API enforce policies at runtime?

No — the API stores policy definitions. Enforcement happens inside the underlying services (Compute, GKE, Cloud Storage) when they evaluate the constraint at create or update time.

How do I read the effective policy on a project?

Call GET /v2/{+name}:getEffectivePolicy with the constraint name appended to the project resource path; the response returns the inherited policy after walking the hierarchy.