Exam Associate Cloud Engineer topic 1 question 102 discussion

I believe the key part is the "following Google Best Practices" phrase. A - Works, but doesn't follow GCP best practices B - Doesn't work as the role grants permission to delete datasets C - Works, but is more complicated than A and doesn't follow Google best practices D - Correct, more complicated than A, but it follows Google Best Practices.

Correct Answer is (D): The proper answer regarding to bigquery roles is the listed in the options, the proper rol that resolve this requirement is: roles/bigquery.dataViewer https://cloud.google.com/bigquery/docs/access-control#custom_roles on the other hand, the question explicitly is asking to use the GCP best practices on IAM : GCP Best Practices explain clearly these rules: Policy management ❑ Set organization-level IAM policies to grant access to all projects in your organization. ❑ Grant roles to a Google group instead of individual users when possible. It is easier to add members to and remove members from a Google group instead of updating an IAM policy to add or remove users. ❑ If you need to grant multiple roles to allow a particular task, create a Google group, grant the roles to that group, and then add users to that group. https://cloud.google.com/iam/docs/using-iam-securely#policy_management

A is correct because the key point is.. users can query the dataset but not delete. For querying, jobs create role required which comes under bigquery user role

D. follows Google Best Practice. Others do not or are flat out wrong.

GCP Best Practices is to create a group of Users and assign it a custom role with the required permissions (least privilege).

A IS THE ANWER

D is solves the problem and follow best practices. With A you will be able to delete data sets you create.

You can create a custom role at the project or organization level. Since users are added to role, it should be A. https://cloud.google.com/iam/docs/creating-custom-roles

I think the right answer is A due to a predefine valid role. I mean that biqguery.user role is valid so it's not needed to create a custom role. bigquery.user role can't delete datasets created by anyone. https://cloud.google.com/iam/docs/understanding-roles#bigquery.user bigquery.datasets.delete bigquery.datasets.deleteTagBinding

I think the right answer is A due to a predefine valid role. I mean that biqguery.user role is valid so it's not needed to create a custom role. bigquery.user role can't delete datasets. https://cloud.google.com/iam/docs/understanding-roles#bigquery.user

I think it's A for a couple of reasons. 1. you don't need to create a custom role if there is already one there, an it's Google best practice to ALWAYS use their roles, not create new ones unless absolutely necessary, which is very few cases and I'd be surprised if they'd put a Q in there that would actually . 2. the "roles/bigquery.user" role already allows for bigquery.datasets.create, bigquery.datasets.get, bigquery.datasets.getIamPolicy, which this Q is asking for.

I have no idea, but I think it's D as you add users to group first, then to a role, which is google best practice, but not sure about custom role in the first place.

I gonna with A and not D as best practices is to use predefined roles.

The correct answer is C. Create a custom role by removing delete permissions, and add users to that role only. This is the recommended approach by Google, as it provides a granular level of control over user permissions. By creating a custom role that only allows users to query datasets, you can ensure that they do not have the ability to accidentally delete them.

The correct answer is D

I will go with A and not D as best practices is to use predefined roles. If the question had "least previledge" then answer would have been D.

A. Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.