By default, Forseti is designed to be installed with complete organization access, and run with the organization as the root node in the resource hierarchy.
However, you can also run Forseti on a subset of resources:
Inventory, Data Model, and Scanner are supported on this subset of resources, but Explain is not.
Run the Forseti Installer.
By default, the installer will try to assign org-level roles. If you are not an Org Admin, there will be errors, but you can safely disregard them, because you will manually assign the correct roles later.
forseti_conf_server.yaml and point the root_resource_id to the target folder:
If Forseti was installed with Org Admin credentials, then the org-level roles will be inherited at the folder level.
If Forseti was not installed with Org Admin credentials, then you need to grant the Forseti server service account the same roles on the target folder as were originally granted on the organization.
forseti_conf_server.yaml to GCS bucket.
forseti_conf_server.yaml file from GCS bucket to
root_resource_id pointed to the organization that the Installer inferred from the environment.
When you run Forseti again, all the resources from the target root will be collected in Inventory and audited.
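The two manual steps above (re-pointing root_resource_id and granting folder-level roles) can be scripted as follows. This is an added example, not code from the Forseti project; the folder ID, service account e-mail, role and the two function names are placeholders chosen here, and the role list must be the one the installer would have granted on the organization.

```shell
#!/bin/sh
# Added example, not Forseti project code. IDs, e-mail and role below are placeholders.

# Point root_resource_id in a local copy of forseti_conf_server.yaml at a folder.
# Usage: set_root_resource_id <config-file> <numeric-folder-id>
set_root_resource_id() {
    conf=$1; folder_id=$2
    case $folder_id in
        ''|*[!0-9]*) echo "folder id must be numeric: $folder_id" >&2; return 1 ;;
    esac
    # Match the live key only; commented-out copies are left alone.
    grep -Eq '^[[:space:]]*root_resource_id:' "$conf" || {
        echo "no root_resource_id key in $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Keep the indentation, replace only the value, then write back in place.
    sed -E "s#^([[:space:]]*root_resource_id:).*#\1 folders/${folder_id}#" "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print (do not run) one folder-level binding per role for the Forseti server
# service account, so the list can be reviewed before it is applied.
# Usage: print_folder_bindings <folder-id> <service-account-email> <role>...
print_folder_bindings() {
    folder_id=$1; sa=$2
    shift 2
    for role in "$@"; do
        printf 'gcloud resource-manager folders add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
            "$folder_id" "$sa" "$role"
    done
}

# Demo on a constructed config fragment (only the key this page discusses).
demo=$(mktemp)
printf 'inventory:\n    root_resource_id: organizations/1234567890\n' > "$demo"
set_root_resource_id "$demo" 987654321 && cat "$demo"
print_folder_bindings 987654321 forseti-server@example-project.iam.gserviceaccount.com roles/browser
rm -f "$demo"
```

Compare the printed commands with the roles the installer would have assigned on the organization before running any of them.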