Setting up groups and roles correctly on Google Cloud Platform IAM

I have recently been reviewing our roles and IAM on our very small (but set up a long time ago) organization on GCP and realized that we don't have any Essential Contacts defined (https://console.cloud.google.com/iam-admin/essential-contacts). I didn't have access to view this.

I went back and completed the foundational set up (https://console.cloud.google.com/cloud-setup - I don't think this existed when I originally signed up) to make sure I had the right groups set up with the right roles/permissions (and that I was a member of them).

But when I go to Essential Contacts and try to click "add Contact", I get a message that I don't have the permissions required.

So I can go and add this permission to myself individually or some group (that's not my question).

My question is:

1. Have I actually set up the fundamental groups correctly? (if not, how)
2. (Assuming I have set them up correctly) why is this permission left out of the roles assigned to the organization admins group ("gcp-organization-admins@DOMAIN" given that "Organisation administrators have access to administer all resources belonging to the organisation"). In other words, shouldn't an organizational admin already have this permission?

PS I am the owner of this (small) GCP organization.

Seems you're using the default role with your created project, It's not recommended to use it. Even if you're the owner of the project and you're unable to create Essential Contacts, it means you are not setting up the fundamental groups correctly.

If you're unable to create Essential Contacts, that means you require Essential Contacts Admin role, recommend you to have at least one additional user with the Security admin role, with permissions to get and set any IAM policy. This role helps the user to grant any one owner or with any other role in the project. The owner role is a legacy role and has a wide range of permissions.

Please refer to the official GCP doc for more information.

Edit :

1. First please check whether you are using the correct Organization & Project.

2. Check If you have set up your foundation & admin role properly, you can get the result as shown in below image

If not set properly you will get the result as shown in the below image.

3. You can check your roles : Login to the console >>Click on IAM & Admin>>Select IAM >>click on permissions then you can view VIEW BY ROLES & VIEW BY PRINCIPALS

Check whether you have Essential contacts admin roles in VIEW BY PRINCIPALS, if not available, you are unable to add/view contacts. By default the owner also doesn’t have that permission so add it as below.

You can grant access to the Essential contacts admin role as shown in the below image, so that you can get permission to add contacts.