Exam Associate Cloud Engineer topic 1 question 52 discussion

C is correct because dataViewer does not allow user to perform queries. jobUser can.

C is correct, doc's said: When applied to a dataset, dataViewer provides permissions to: Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

C is correct! Reference: https://cloud.google.com/bigquery/docs/access-control

Viewer has these access :- bigquery.tables.export bigquery.tables.get bigquery.tables.getData , which are sufficient to read the data , https://cloud.google.com/bigquery/docs/access-control#:~:text=BigQuery%20Data%20Viewer&text=models%20or%20routines.-,When%20applied%20to%20a%20dataset%2C%20this%20role%20provides%20permissions%20to,applicable%20APIs%20and%20in%20queries.

The Google-recommended practice for managing permissions in Google Cloud Platform (GCP) is to use IAM (Identity and Access Management) roles and groups for better organization and control. Option C aligns with this best practice: C. 1. Create a dedicated Google group in Cloud Identity. 2. Add each data scientist's user account to the group. 3. Assign the BigQuery jobUser role to the group. This approach allows for central management of permissions by adding and removing users from the Google group as needed, rather than individually managing permissions for each user. The jobUser role provides the necessary permissions for running queries in BigQuery, allowing the data science team to perform their tasks without granting unnecessary permissions.

This is correct

D is correct as dataViewer role in BigQuery provides read-only access to datasets and allows users to run select queries.

The correct answer is C. Assign the BigQuery jobUser role to individual user accounts, which can be complicated to manage as teams change frequently. The BigQuery dataViewer role only allows viewing data in BigQuery data sets and tables, but does not grant permission to run queries or create jobs.

Per documentation: jobUser: "Provides permissions to run jobs, including queries, within the project." dataViewer can only "view" data, but can't run queries: https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer

Answer is D. dataViewer Role: The dataViewer role in BigQuery provides read-only access to datasets. It allows users to run queries on the datasets but does not grant permissions to modify or delete data. This is generally appropriate for data scientists who need to analyze data but not make structural changes to datasets. This approach follows the principle of least privilege by granting the minimum necessary permissions for the data science team to perform their tasks without exposing unnecessary capabilities. Option C could also work, but using the dataViewer role is generally more appropriate for users who only need to query data without making structural changes to datasets.

C As per the documentation, jobuser is required for querying: https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser

C is correct because dataViewer does not allow user to perform queries. jobUser can

C is the corrcect answer as per the , google recommended practise add them into the group then assign the role

C is correct.

UPDATES and INSERTS are queries and can not be performed with dataviewer. So C is correct Answer

C is correct D is incorrect as the dataViewer role provides more access than needed for just performing queries. This role allows users to view data in datasets and tables, which might not be necessary or appropriate for your data science team.

dataViewer only allows vieweing. Pretty obvious!