In this video, learn how to identify your GCP authorization domain using Google Workspace or Cloud Identity.
- [Instructor] When you're getting started working with GCP as an enterprise, the first thing you need to think about is how to set up your account properly. Now, if you're just trying out services, you might use a free tier account, but that's not usually the case in the enterprise. The preferred way for studying is to have a sandboxed location within your enterprise account. And you need to understand the object hierarchy in order to do this for studying and also ultimately to set up your account correctly. So the first thing you need to think about is how will the access control be handled in your account. And this is for authentication and authorization. Typically enterprises use some sort of directory service, for example, Active Directory or a third-party directory service. Now with GCP, you have several choices. You have the ability to integrate with G Suite domains. You can use third-party Directory Federation with Cloud Identity. And announced last week at GCP Next, you can use Managed Active Directory. So first let's take a look at this picture from the documentation so we understand the concept. The idea here is for your GCP services shown on the right and these could be your service instances, your virtual machines, your cloud buckets, so on and so forth. You need to set up the appropriate level of access so that you have predictability around all the abilities that we talked about earlier in this course. So availability, cost, performance, so on and so forth. And you can use Cloud Identity Service to integrate with a third-party directory. So it's important that you figure out which directory you're going to integrate with. Further, you need to think about in terms of Cloud Identity if you're going to use the free edition or the premium edition, and on this page, it discusses the feature differences between the free edition and the premium edition.
Most of my enterprise customers do use the premium edition because they want the enterprise security, application management, device management, which includes user provisioning, app whitelisting and rules for automating mobile device management. But there is a cost for that. Now if you are going to federate with Active Directory, you're going to want to follow the direction given on this particular page. And as you can see on the right side here there are a number of steps that you need to do to make sure that you're set up for this type of federation and to then set it up and verify it. Ultimately you can use single sign-on and using single sign-on with Active Directory is a type of authentication mechanism that the majority of my customers tend to prefer. So I wanted to show you where that information here is made available. Now, in this course, we're going to use the simpler provider G Suite because I didn't go to the time and trouble of setting up an Active Directory. Now, speaking of Active Directory, announced last week at the annual GCP Next is a new service, now, it's an alpha at the time of this recording but highly requested by customers which is a Managed Service from Microsoft Active Directory. So the idea here is rather than federating, you can actually run Active Directory on GCP. This got a big round of applause at the conference because this is the preferred way for most of my enterprise customers to handle authentication. This is something also that the competitive public cloud providers have had for many years. So it's a nice addition coming with GCP. So at this point, if you're interested in that, you just click the blue express interest and then you can participate in the alpha. As I said previously, however, although the service has been announced, I wouldn't put it into production until it moved into general availability.
Now if we take a look at the console where we see these features are under the IAM section and we currently are working with a project GCP essentials. And if we go into the IAM section and we select identity and organization, you'll see that I cannot see this when I'm in a project. I have to go to the level of the organization. So if I click select then I can see how this has been set up. So it's important to understand that when you're working in the console with the IAM section, depending on whether you're working at the level of an organization which is higher up in the object hierarchy or at the level of a project these various menu options, it will change availability. So for example, if I click on organizational policies because I'm not the person who initially created this organization, the permissions have not been changed that I can set organizational level policies. I can set project level policies, but not organizational. So you can see that I could request permission and I can see how I'm logged in over here. And you can see that this account is managed by training XYZ. Now, where is this G Suite account available for administration? That's over here on the admin console. And you can see that inside of here, if I go to the account setting, I'm on the company profile and you could personalize the information here so think of this as a lightweight directory. And then if I drill into the admin roles you can see that for the purposes of this course, I have been added to what's called the super admins from the original person, James, who set up this account. And then I could then work with different levels of administration. Now, as with any directory, the amount of people that you have in super admin should be very, very restricted. This is the domain admin. It's called organizational admin and you should assign administrative privileges at the least practical level which is usually at the level of a project.
So we'll talk more about this when we get into the object hierarchy which is coming up in a subsequent movie.