GCP users are often confused, believing that having the Owner role in their GCP org grants them full access to the org, while it only grants access to the org's projects; in fact, the Security Admin role is required to perform the steps listed in the CMP setup guide [1].
I suggest either explicitly stating in the guide [1] that the Security Admin role is required, or suggesting to run the one-liner I conjured below (there is no way to test permissions with gcloud):
curl -s -XPOST -H "Content-Type: application/json; charset=utf-8" -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://cloudresourcemanager.googleapis.com/v1/organizations/${ORG}:testIamPermissions" -d '{ "permissions": [ "resourcemanager.organizations.setIamPolicy" ]}' | grep -q '"resourcemanager.organizations.setIamPolicy"' || ( echo -e "\nError: Please make sure your user has Security Admin role in your GCP Organization\n"; exit 1 ) && echo 'All good'
[1] https://help.doit-intl.com/google-cloud/connect-google-cloud-service-account
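
A more defensive form of the check above, as an added example that is not part of the original post: it separates an API error or empty reply (expired token, wrong org ID, no network) from a valid reply that simply lacks the permission. The function names, return codes and SAMPLE_* bodies are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names, return codes and
# the SAMPLE_* response bodies are constructed for illustration.
PERMISSION="resourcemanager.organizations.setIamPolicy"

# Constructed sample response bodies.
SAMPLE_GRANTED='{ "permissions": [ "resourcemanager.organizations.setIamPolicy" ] }'
SAMPLE_MISSING='{}'
SAMPLE_ERROR='{ "error": { "code": 401, "message": "constructed", "status": "UNAUTHENTICATED" } }'

# classify_response BODY: prints granted, missing or error.
classify_response() {
  local body=$1
  if [ -z "$body" ] || printf '%s' "$body" | grep -q '"error"'; then
    echo error      # empty reply or API error object: the check did not run
  elif printf '%s' "$body" | grep -q "\"$PERMISSION\""; then
    echo granted    # the permission was echoed back, so the caller holds it
  else
    echo missing    # valid reply without the permission, e.g. {}
  fi
}

# check_org_permission ORG_ID: live call; returns 0 granted, 1 missing, 2 error.
check_org_permission() {
  local org=$1
  local body
  body=$(curl -s -X POST \
    -H "Content-Type: application/json; charset=utf-8" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://cloudresourcemanager.googleapis.com/v1/organizations/${org}:testIamPermissions" \
    -d "{ \"permissions\": [ \"$PERMISSION\" ] }")
  case $(classify_response "$body") in
    granted) echo "All good" ;;
    missing) echo "Error: Please make sure your user has Security Admin role in your GCP Organization" >&2
             return 1 ;;
    *)       echo "Error: testIamPermissions call failed (token, org ID or network)" >&2
             return 2 ;;
  esac
}
```

Run it as `check_org_permission "$ORG"` after sourcing the file.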