Topic 1 Question 14
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects. Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources. Which type of access should your team grant to meet this requirement?
A. Organization Administrator
B. Security Reviewer
C. Organization Role Administrator
D. Organization Policy Administrator
Comments (17)

Answer A > It's the only one that allows you to manage permissions on the projects. Answer B > doesn't have any IAM set permission, so it is not correct. C > organizationRoleAdmin lets you only create custom roles; you can't assign it to anyone (so with this one you can't manage permissions, just create roles). D > org policies are for managing the ORG policy constraints, that is not about project permissions. For me the correct one is A.
👍 24

ffdd1234 2021/01/20
C. After carefully reviewing this link: https://cloud.google.com/iam/docs/understanding-roles my opinion is based on the 'least privilege' practice, that future domains shall not get granted automatically: A - Too broad permissions. The question asked "The business unit creates a Cloud Identity domain..." which does not imply your team should be granted permission management for ALL future domain(s) (domain = folder). B - Security Reviewer does not have "set*" permission. All this role can do is just look, not manage. C - The best answer so far. Only the domain currently created and the IAM role assignments underneath it, as well as changes. D - Too broad permissions on the organization level. In other words, this role could make policy, but future domain admins could hijack the role names / policies to do undesired operations.
👍 11

zanhsieh 2020/12/20
C is the answer. Here are the permissions available to organizationRoleAdmin:
iam.roles.create iam.roles.delete iam.roles.undelete iam.roles.get iam.roles.list iam.roles.update resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy
These are sufficient as per least privilege policy. You can do user management as well as auditing.
👍 5

[Removed] 2021/03/21
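The thread argues over whether a role can actually manage IAM bindings or only read them. Added example (not from the thread or from Google): it parses a `gcloud iam roles describe` style YAML dump (constructed here to hold the organizationRoleAdmin permission list quoted above) and reports which of the two required capabilities, managing permissions and auditing, the listed permissions cover; the `setIamPolicy`/`getIamPolicy` requirement sets are my assumptions.

```python
# Constructed text in the shape of `gcloud iam roles describe` output,
# carrying the permission list quoted in the comment above (not a live API result).
ROLE_DESCRIBE_OUTPUT = """\
includedPermissions:
- iam.roles.create
- iam.roles.delete
- iam.roles.undelete
- iam.roles.get
- iam.roles.list
- iam.roles.update
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
name: roles/iam.organizationRoleAdmin
stage: GA
title: Organization Role Administrator
"""

# Assumed requirement sets: changing bindings needs setIamPolicy on the
# org and its projects; auditing needs to read policies and enumerate projects.
MANAGE_BINDINGS = {"resourcemanager.organizations.setIamPolicy",
                   "resourcemanager.projects.setIamPolicy"}
AUDIT_BINDINGS = {"resourcemanager.organizations.getIamPolicy",
                  "resourcemanager.projects.getIamPolicy",
                  "resourcemanager.projects.list"}
DEFINE_ROLES = {"iam.roles.create", "iam.roles.update"}


def parse_role_describe(text):
    """Return (role name, set of permissions) from describe-style YAML text."""
    name, perms, in_list = None, set(), False
    for line in text.splitlines():
        if line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and line.startswith("- "):
            perms.add(line[2:].strip())
        else:
            in_list = False  # any other top-level key ends the list
            if line.startswith("name:"):
                name = line.split(":", 1)[1].strip()
    return name, perms


def capabilities(perms):
    """Say what a permission set lets a team do, and what it lacks for managing bindings."""
    return {"manage_permissions": MANAGE_BINDINGS <= perms,
            "audit": AUDIT_BINDINGS <= perms,
            "define_custom_roles": DEFINE_ROLES <= perms,
            "missing_for_manage": sorted(MANAGE_BINDINGS - perms)}
```

A role that can define custom roles but reports `manage_permissions: False` cannot bind them to anyone, which is exactly the distinction the first commenter draws.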