• Streamlined GCP Organization Onboarding with Prisma Cloud DSPM
• Effortlessly onboard your GCP organization and safeguard data across associated projects using Prisma Cloud DSPM.
• Prisma Cloud DSPM offers seamless integration by enabling the automatic onboarding of your entire GCP organization along with its associated projects. This eliminates the need for manual onboarding of each project, saving time and resources.
• Furthermore, any new projects initiated within the organization are automatically integrated into Prisma Cloud DSPM. Similarly, when a GCP project is removed, it is promptly deleted from Prisma Cloud DSPM, reducing ongoing operational overheads.
• Additionally, Prisma Cloud DSPM provides the flexibility to selectively onboard specific folders from your organization, ensuring comprehensive data protection tailored to your needs.

GCP Organization Overview

Understanding GCP Organization Structure

The GCP organization resource represents an organization, such as a company, serving as the foundational node within the Google Cloud resource hierarchy. It stands as the hierarchical precursor to both folder and project resources.

The IAM access control policies set at the organization level apply to all associated resources, ensuring consistent security measures and governance. Additionally, onboarding the organization facilitates auto-provisioning, covering everything comprehensively, including new projects. While not mandatory, having an organization resource unlocks the full potential of Google Cloud's Resource Manager, and some features may remain inaccessible without it.

Prerequisites

Before starting the onboarding process for a GCP organization with Prisma Cloud DSPM, ensure the following prerequisites have been fulfilled.

Updated Orchestrator Project

The GCP organization projects should use a GCP project that has previously been onboarded as the Prisma Cloud DSPM Orchestrator project. The orchestrator project must be part of the organization you plan to onboard.

Make sure an orchestrator project is onboarded, monitored, and updated:

• In the Prisma Cloud DSPM side bar menu, click the Settings icon to access the Settings page.
• Under the Cloud Platforms category, navigate to the Google Cloud thumbnail and click Configure.
• Locate the orchestrator project for your organization. If the project does not exist, onboard a new project. Refer to the GCP project onboarding guide for details.
• Ensure the project installation is up-to-date. If Update Required is displayed next to the project name, an update is needed. Click Update Required and follow the instructions.
• Verify that the project is monitored correctly. In the Monitoring column, ensure the toggle is set to Enabled. In the Discovery, Detections, and Scanning columns, make sure the status is shown as Active.

Organization-Level Permissions

• Ensure that you, or the person performing the GCP organization onboarding, have elevated permissions at the organization level. These permissions are necessary to create roles, log sinks, and role bindings.
• For a comprehensive list of required permissions, contact Prisma Cloud DSPM Customer Success.

Onboarding Flow

Perform the following steps to onboard a GCP organization to the Prisma Cloud DSPM solution.

1. Go to the Settings page on the left side menu of the Prisma Cloud DSPM console.
2. Under the Cloud Platforms category, navigate to the Google Cloud thumbnail and click Configure. The Google Cloud page opens.
3. From the Add New drop-down menu, select Add Organization. If this option is unavailable refer to the Prerequisites section.
   
4. Sign in to the GCP organization you intend to onboard. To onboard specific folders, ensure that you are logged into the organization that owns the folders you intend to onboard.
5. In the Select Scope area, choose to onboard either an entire organization or onboard specific folders:
   1. Organization: To onboard an entire organization, enter your GCP Organization ID. If you are unsure how to obtain your GCP Organization ID, refer to the section How do I retrieve my GCP Organization ID.
      
   2. Specific Folders: To onboard specific folders, click Select Folders, and in the right-side pane enter the IDs of the folders you intend to onboard. If you are unsure how to obtain your GCP Folders ID, refer to the section How do I retrieve my GCP Folder IDs.
      
6. Choose the location of the GCP project that has previously been onboarded as the Prisma Cloud DSPM Orchestrator project. This orchestrator will be used for the entirety of the onboarding scope.
7. After choosing the location, click Get CloudShell Command.
8. In the Add GCP Organization pop-up, do the following:
   1. Click Copy to copy the script.
   2. Click Open CloudShell.
      
9. In a separate browser window, sign in to the Google Cloud console, and click Activate Cloud Shell.
   
   A Cloud Shell session opens inside a new frame at the bottom of the Google Cloud console and displays a command-line prompt. It may take a few seconds for the session to be initialized.
10. In the Cloud Shell terminal, paste the script copied in step 8, and press the Return key on your keyboard.
    
    The process typically completes within a few minutes, and the projects within the selected scope should soon become visible in the Prisma Cloud DSPM platform.

Frequently Asked Questions

• How do I retrieve my GCP Organization ID?
• How do I retrieve my GCP Folder IDs?
• What roles are deployed at the organization level?
• How does auto provisioning work?

How do I retrieve my GCP Organization ID?

There are two methods for retrieving your GCP Organization ID:

• Use Google Cloud console to retrieve your GCP Organization ID
• Use GCP cloud shell to retrieve your GCP Organization ID

Use Google Cloud console to retrieve your GCP Organization ID

1. Open the Google Cloud console.
2. In the project picker drop-down menu, select your organization resource. The Select a resource pop-up opens.
   
3. In the Select a resource pop-up, click the ellipsis and choose Settings.
   
   The Settings page opens and displays your Organization ID.
   

Use GCP cloud shell to retrieve your GCP Organization ID

1. Open the Google Cloud console.
2. Click Activate Cloud Shell.
   
3. When the Cloud Shell opens, use the following command to retrieve your GCP Organization ID: gcloud organizations list
4. After executing the command, a list of organizations associated with your account is displayed, along with their corresponding IDs. Locate the organization you are interested in and note its ID.

How do I retrieve my GCP Folder IDs?

There are two methods for retrieving your GCP Folder IDs:

• Use Google Cloud console to retrieve your GCP Folder IDs
• Use GCP cloud shell to retrieve your GCP Folder IDs

Use Google Cloud console to retrieve your GCP Folder IDs

Prerequisite: You must have the Organization Viewer and Folder Viewer roles.

1. In Google Cloud console, navigate to the Manage resources page.
2. In the project picker drop-down menu, select your organization resource. The Select a resource pop-up opens. Note that folders must be created before they appear in this list.
   
   NOTE: The project picker can display up to 4000 resources. If you cannot find a resource that should be listed, go to the Manage resources page and use the filtering option to locate it by name.
3. Select any row in the tree to perform folder- or project-specific operations.
   NOTE: The options menu (indicated by a vertical ellipsis) in the right column provides access to supported operations.
   To find a specific project or folder, enter its name or ID in the search field to filter the list.

Use GCP cloud shell to retrieve your GCP Folder IDs

1. Open the Google Cloud console.
2. Click Activate Cloud Shell.
   
3. When the Cloud Shell opens do the following:
   • Use the following command to retrieve your GCP Organization ID:
     gcloud resource-manager folders list--organization=[YOUR_ORGANIZATION_ID]
     Replace [YOUR_ORGANIZATION_ID] with the ID of your GCP organization. This command lists all folders within your organization along with their corresponding IDs.
   • Use the following command to lists folders under folder:
     gcloud resource-manager folders list--folder=[YOUR_ORGANIZATION_ID]
     Replace [YOUR_ORGANIZATION_ID] with the ID of your GCP organization.
     This command list of folders associated with your organization, along with their respective IDs.

For more information refer to the gcloud resource-manager folders list.

What roles are deployed at the organization level?

When choosing to onboard an organization, Prisma Cloud DSPM creates and assigns the following roles at the organization level:

• Organization Role Viewer (built-in role): Utilized for evaluating existing roles.
• Role Browser: Used for assessing roles in complex organizational structures.
• Logging Admin (built-in role): Employed for directing logs for DDR (Data Disposal Request).
• role_dig_<env>_collector: Assigned for BigQuery and BigTable classification.
• role_dig_<env>_scanner (3 roles): Utilized for scanning purposes.
• role_dig_<env>_readonly: Utilized for discovery purposes.

When opting to onboard specific folders, Prisma Cloud DSPM creates and assigns the following roles at the organization level:

• Organization Role Viewer (built-in role): Utilized for evaluating existing roles.

How does auto provisioning work?

Auto-provisioning operates as follows:

Project Creation: Whenever a new project is created and falls within an onboarded scope (organization or folder), Prisma Cloud DSPM binds the requisite roles and commences automatic monitoring.

Role Binding: Upon project creation, the necessary roles are promptly assigned by Prisma Cloud DSPM.

Automatic Monitoring: Prisma Cloud DSPM initiates monitoring of the newly created project without requiring manual intervention.

Delay in UI Visibility: Due to limitations in cloud IAM, there is a delay of a few hours from project creation until it appears within the Prisma Cloud DSPM user interface (UI).