Topic 1 Question 129

Professional Cloud Security Engineer

Topic 1 Question 129
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
- Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
- Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
- Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
- Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
ユーザの投票
コメント(6)
- 正解だと思う選択肢: D
  The question is that is necessary to add identities from another Domain to cloud identity. The only way to do that is by adding the Customer Ids as exception. The procedure does not support adding groups, etc... The groups and the corresponding users can be added later on with Cloud Identity once that the domain of their organization is allowed: The allowed_values are Google Workspace customer IDs, such as C03xgje4y. Only identities belonging to a Google Workspace domain from the list of allowed_values will be allowed on IAM policies once this organization policy has been applied. Google Workspace human users and groups must be part of that Google Workspace domain, and IAM service accounts must be children of an organization resource associated with the given Google Workspace domain
  
  👍 10
  mikesp2022/06/03
- 正解だと思う選択肢: C
  Policy should be turned on at the end. Adding the whole group as an exception is far more reasonable than adding all identities.
  
  👍 4
  bartlomiejwaw2022/05/10
- 正解だと思う選択肢: D
  https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy
  
  👍 3
  sumundada2022/07/19
シャッフルモード

ユーザの投票

コメント(6)