Exam Professional Cloud Security Engineer topic 1 question 14 discussion

Answer A > Its the only one that allow you to manage permissions on the projects answer B > dont have any iam set permission so is not correct C > organizationRoleAdmin let you only create custom roles, you cant assign it to anyone ( so with thisone you cant manage permissions just create roles) D> org policyes are for manage the ORG policies constrains , that is not about project permissions, for me the correct is A

C. After carefully review this link: https://cloud.google.com/iam/docs/understanding-roles my opinion is based on 'the least privilege' practice, that future domain shall not get granted automatically: A - Too broad permissions. The question asked "The business unit creates a Cloud Identity domain..." does not imply your team should be granted for ALL future domain(s) (domain = folder) permission management. B - Security Reviewer does not have "set*" permission. All this role could do is just looking, not management. C - The best answer so far. Only the domain current created and underneath iam role assignment as well as change. D - Too broad permissions on the organization level. In other words, this role could make policy but future domains admin could hijack the role names / policies to do not desired operations.

as mentioned by ffdd1234's answer

A. Organization Administrato

gpt says both A. and C can be used. I don't know, too many similar answers, cant say for certain which one is correct answer anymore. How can one pass the exam like this????

A. Organization Administrator Here's why: Organization Administrator: This role provides full control over all resources and policies within the organization, including permissions and auditing. It allows your team to manage permissions, policies, and configurations at the organizational level, making it the most appropriate choice when you need comprehensive control. Security Reviewer: This role focuses on reviewing and assessing security configurations but doesn't grant the level of control needed for managing permissions and auditing at the organizational level. Organization Role Administrator: This role allows management of IAM roles at the organization level but doesn't provide control over policies and auditing. Organization Policy Administrator: This role allows for the management of organization policies, but it doesn't cover permissions and auditing.

A is the only role that gives you management permissions and not just viewing / role editing.

i would go with A. Audit of all domain resources might have a very broad scope and C might not have those permissions. Because it is audit , i believe its a responsible job so A can be afforded

The correct answer is C

Answer is A, among the 4, it is the only role able de manage permissions

The answer must be A - check out the example that allows the CTO to setup permissions for the security team: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_operational_monitoring

Its A. They are looking for Domain Resources Management i.e. Projects, Folders, Permissions. and only Organization Administrator is the only option allows it. Moreover, Organization Administrator is the only option that falls under "Used IN: Resource Manager" roles/resourcemanager.organizationAdmin

C is the answer. Here are the permissions available to organizationRoleAdmin iam.roles.create iam.roles.delete iam.roles.undelete iam.roles.get iam.roles.list iam.roles.update resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy There are sufficient as per least privilege policy. You can do user management as well as auditing.

Ans : D. As it's related to Resources, so definitely policy comes into picture.

Correct is D https://cloud.google.com/resource-manager/docs/organization-policy/overview

Role Permissions roles/iam.organizationRoleAdmin iam.roles.create iam.roles.delete iam.roles.undelete iam.roles.get iam.roles.list iam.roles.update resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy

The confusion here, in my opinion, is that the question is asking for the ability to manage roles & audit _DOMAIN_ resources. Domain resources in the GCP hierarchy are folders & projects, because those are the only things that can be directly under an Organization (aka Domain). The Organization Role Admin is the option that gives you the ability to manage custom roles & list folders & projects.