You want to add a new auditor to a Google Cloud Platform project. The auditor should be allowed to read, but not modify, all project items. How should you configure the auditor's permissions?
A. Create a custom role with view-only project permissions. Add the user's account to the custom role.
B. Create a custom role with view-only service permissions. Add the user's account to the custom role.
C. Select the built-in IAM project Viewer role. Add the user's account to this role.
D. Select the built-in IAM service Viewer role. Add the user's account to this role.
It should be A.
https://cloud.google.com/iam/docs/faq#when_would_i_use_basic_roles
When would I use basic roles?
You can use basic roles in development and test environments, where it might be appropriate for some principals to have wide-ranging permissions. Avoid basic roles in production environments.
But in this case we're not asked to follow any best practices. Besides, the help article says "In production environments, do not grant basic roles unless there is no alternative.", and in this case there's no alternative since we need to grant access to all resources.
C. Select the built-in IAM project Viewer role. Add the user's account to this role.
Explanation:
IAM Project Viewer Role: The IAM project Viewer role provides read-only access to all resources within a Google Cloud Platform project. This role allows the user to view project items, including resources and configurations, but does not grant permissions to modify them. This aligns with the requirement of allowing the auditor to read, but not modify, all project items.
Built-in Role: The IAM project Viewer role is a built-in role provided by Google Cloud Platform. It is specifically designed for users who need read-only access to project resources.
Least Privilege: Selecting the IAM project Viewer role ensures that the auditor has the necessary permissions to perform their tasks without granting them unnecessary privileges. It follows the principle of least privilege, providing only the permissions required to fulfill their role.
To grant an auditor read-only access to all project items on Google Cloud Platform, you should choose option A:
A. Create a custom role with view-only project permissions. Add the user's account to the custom role.
Explanation:
- Creating a custom role allows you to define specific permissions tailored to your needs, in this case, view-only access to project items.
- By selecting the necessary read-only project permissions for the custom role, you can provide the auditor with the appropriate level of access without allowing modifications.
- Adding the user's account to this custom role will grant them the specified permissions.
Option B refers to "view-only service permissions," which may not provide the desired level of access to all project items.
Options C and D suggest using built-in roles, but they may have more permissions than needed for a read-only auditor role. Custom roles offer a more precise approach for achieving the specified permissions.
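The post above recommends building a custom role from view-only project permissions. As an added example (not code from the thread or from Google), here is a small Python script that takes a permission inventory of the kind `gcloud iam list-testable-permissions` prints, keeps only permissions whose verb is read-only, and renders the YAML that `gcloud iam roles create --file` accepts. The permission list, the role name `auditorViewer` and the project id are constructed for the demo; the read-only verb allowlist is a conservative assumption, so anything it cannot classify is left out rather than granted.

```python
"""Build a view-only custom role definition from a permission inventory.

Added example, not from the original thread or from Google. It assumes a
permission list shaped like `gcloud iam list-testable-permissions` output
(names only); SAMPLE_PERMISSIONS is constructed for the demo.
"""
from __future__ import annotations

# Constructed sample inventory. A real project returns far more entries,
# which is exactly why the filtering is scripted rather than done by hand.
SAMPLE_PERMISSIONS = [
    "compute.instances.get",
    "compute.instances.list",
    "compute.instances.delete",
    "compute.instances.setMetadata",
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
    "storage.buckets.setIamPolicy",
    "storage.objects.list",
    "storage.objects.create",
    "iam.roles.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.update",
    "logging.logEntries.list",
    "bigquery.tables.getData",
    "bigquery.tables.export",
]

# Assumed allowlist of verbs that only read state. The match is on the whole
# verb: `getIamPolicy` reads a policy, `setIamPolicy` writes one.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy", "getData"}


def is_read_only(permission: str) -> bool:
    """True when a `service.resource.verb` permission has a read-only verb."""
    parts = permission.split(".")
    if len(parts) != 3:
        return False  # malformed or unexpected shape: never grant what we can't classify
    return parts[2] in READ_ONLY_VERBS


def select_view_only(permissions: list[str]) -> list[str]:
    """Permissions that belong in the auditor's custom role, deduplicated and sorted."""
    return sorted(p for p in set(permissions) if is_read_only(p))


def rejected(permissions: list[str]) -> list[str]:
    """Permissions the filter dropped, for a human to double-check the allowlist."""
    return sorted(p for p in set(permissions) if not is_read_only(p))


def render_role_yaml(title: str, permissions: list[str]) -> str:
    """Render the definition in the YAML form `gcloud iam roles create --file` reads."""
    lines = [
        f"title: {title}",
        "description: Read-only access for auditors (view-only project permissions)",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    keep = select_view_only(SAMPLE_PERMISSIONS)
    print(render_role_yaml("Auditor Viewer", keep))
    print("# dropped (verify these are really mutating):", ", ".join(rejected(SAMPLE_PERMISSIONS)))
    # Next steps (placeholders, not run here):
    #   gcloud iam roles create auditorViewer --project=PROJECT_ID --file=auditor-viewer.yaml
    #   gcloud projects add-iam-policy-binding PROJECT_ID \
    #       --member="user:auditor@example.com" \
    #       --role="projects/PROJECT_ID/roles/auditorViewer"
```

Review the `rejected` list before creating the role: a permission with an unusual verb is excluded by default, which keeps the role least-privilege but may hide something the auditor legitimately needs.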
Answer is C. Select the built-in IAM project Viewer role. Add the user's account to this role.
The IAM project Viewer role is a built-in role in Google Cloud that provides read-only access to all resources within a project. This role allows users to view project items, configurations, and metadata but does not grant any permission to modify or make changes to the resources.
With the principle of least privilege it should be A.
Also, the question is asking to set permissions on a single project. Basic roles grant permissions on all projects.
It is option A. I just referred here!
https://cloud.google.com/iam/docs/roles-overview
Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.
Go for C.
The debate is between A and C. From the auditor's accessibility perspective they are the same, but from a practical perspective C is the only option. For people who vote for A, you must never have worked with auditors in an enterprise-level project. There are hundreds if not thousands of permissions you need to set one by one if you create a custom role yourself. And they will come to you and ask for permissions every single day. And this is a "there's no alternative" situation where using a basic role is practical.
I would go with C. A and C are equally correct; with the principle of least privilege it should be A, with the recommendation of not using custom roles because they are not maintained by GCP it should be C. Since it's not stating it's a production env, it's a little bit ambiguous.
To allow the new auditor to read, but not modify, all project items in a Google Cloud Platform project, the best option would be:
C. Select the built-in IAM project Viewer role. Add the user's account to this role.
Google recommends:
Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.
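Whichever option is chosen, the thread's practical question is what the auditor ends up holding on the project. As an added example (not code from the thread or from Google), this Python script audits a policy document in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` prints: it lists the roles bound to one principal, flags the basic roles that grant write (`roles/editor`, `roles/owner`), treats `roles/viewer` and predefined `*Viewer` roles as read-only, and marks custom roles as needing a definition check, since a policy alone does not show their permissions. The policy, principal and project id below are constructed for the demo.

```python
"""Audit which roles an auditor principal holds on a project and flag write access.

Added example, not from the original thread or from Google. SAMPLE_POLICY is a
constructed document in the shape of `gcloud projects get-iam-policy --format=json`.
"""
from __future__ import annotations

import json

# Basic roles (formerly "primitive"): only roles/viewer is read-only.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}
BASIC_WRITE_ROLES = {"roles/editor", "roles/owner"}

# Constructed sample policy for user:auditor@example.com on project demo-project.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com", "group:readers@example.com"]},
        {"role": "roles/editor",
         "members": ["user:auditor@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "projects/demo-project/roles/auditorViewer",
         "members": ["user:auditor@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwX-constructed-etag",
    "version": 3,
})


def classify_role(role: str) -> str:
    """'basic', 'custom' (project- or org-level) or 'predefined'."""
    if role in BASIC_ROLES:
        return "basic"
    if role.startswith(("projects/", "organizations/")) and "/roles/" in role:
        return "custom"
    return "predefined"


def audit_principal(policy_json: str, member: str) -> dict[str, list[str]]:
    """Summarise one principal's bindings.

    Returns the roles held, the ones known to grant write, the ones whose
    permissions must be checked separately (custom roles, and predefined roles
    not named *Viewer), and the ones gated by an IAM condition.
    """
    policy = json.loads(policy_json)
    result: dict[str, list[str]] = {"roles": [], "write_capable": [], "unverified": [], "conditional": []}
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        result["roles"].append(role)
        if "condition" in binding:
            result["conditional"].append(role)
        kind = classify_role(role)
        if kind == "basic":
            if role in BASIC_WRITE_ROLES:
                result["write_capable"].append(role)
        elif kind == "custom":
            # Permissions live in the role definition, not the policy:
            #   gcloud iam roles describe ROLE_ID --project=PROJECT_ID
            result["unverified"].append(role)
        elif not role.lower().endswith("viewer"):
            result["unverified"].append(role)
    return result


if __name__ == "__main__":
    report = audit_principal(SAMPLE_POLICY, "user:auditor@example.com")
    for key, roles in report.items():
        print(f"{key:13}: {', '.join(roles) or '-'}")
    # To grant only option C's role (placeholders, not run here):
    #   gcloud projects add-iam-policy-binding PROJECT_ID \
    #       --member="user:auditor@example.com" --role="roles/viewer"
```

In the sample the auditor holds `roles/viewer` as intended, but also a conditional `roles/editor` binding, which is the kind of drift an audit of an auditor's own access should catch; the custom role shows up under `unverified` until its `includedPermissions` are reviewed.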