Exam Professional Cloud Architect topic 1 question 85 discussion

It should be A. The question requires that user from each country can only view a specific data set, so BQ dataViewer cannot be assigned at project level. Only A could limit the user to query and view the data that they are supposed to be allowed to.

Should be C https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer When applied to a dataset, dataViewer provides permissions to: Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Answer should be C. As the lowest possible level to grant jobUser role is project, all the analyst will get access to all the datasets in the project. Whereas the lowest possible level to dataViewer is Table/View, hence the required restriction can be setup by this approach only.

All provided options seem to be bad practice. If you grant a group of job user on the project level (The lowest level allowed), you essentially grant them the ability to query all counties datasets. However, you can allow data viewer at the resource level which is what makes the most sense. But specifically for this question, Job user on the project level is less bad than Data viewer on the project level since both let you run queries but data viewer also allows you to view the dataset. Hence , A

in answr 'A' theis sentence "Share the appropriate dataset with view access with each respective analyst country-group" is very cryptic. I assume this means assign "data viewer" role for the respective analyst groups for the country specific datasets

Should be A. DataViewer: "When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs." https://cloud.google.com/bigquery/docs/access-control

C. Explanation: Each country should have its own group to manage access efficiently. This allows you to easily add or remove analysts from their respective groups. By adding analysts to their specific country groups, you can manage permissions in a way that aligns with their data access needs. This group will include all country groups. It simplifies the management of roles for all analysts collectively. The dataViewer role provides permission to view datasets and tables. This role allows analysts to read data without the ability to modify it, which is appropriate for your use case. Granting view access to the respective datasets for each country group ensures that analysts can only access data relevant to their country. This is crucial for maintaining data privacy and compliance. Why Other Options Are Less Suitable: Using BigQuery jobUser Role: The BigQuery jobUser role allows users to run jobs (like queries) but does not inherently grant access to view datasets or tables. This option would not effectively limit visibility to data by country.

It is C. Question says analyst should be able to see and query only the data for their respective countries. BigQueryDta viewer permission will allow only to read and query the table/view data

Go with a.

C is right, even if DataViwer is granted on Project level but Dataset is shared with view access to only the country group.

A is the correct answer. Tested the two scenarios, with `jobUser` permissions it does not allow the user to see a dataset. Whereas with `dataViewer` it has permissions for all the datasets. Note the difference is in the initial permission across the project and not per dataset.

It's A because in order to query, on needs the jobUser role. dataViewer doesn't grant the ability to actually query the datasets one has been given access to. https://cloud.google.com/bigquery/docs/running-queries#required_permissions

I'm siding with C on this one. jobUser role has the bigquery.jobs.create permission, which allow it to load data into BQ, which analyst shouldn't do. Data Viewer has no permissions to add or edit data (It can create a snapshot of the data, extract it or replicate it at most)

BigQuery Data Viewer (roles/bigquery.dataViewer) When applied to a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be applied to individual models or routines. When applied to a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Table and view BigQuery Job User (roles/bigquery.jobUser) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project Analyst must query data --> BigQuery Data Viewer

A: JobUser to execute queries in general. Data viewer for viewing the country dataset.

Lowest-level resources where you can grant this role: dataViewer: Table, View jobUser: Project You don't want to grant access to the entire project, only the dataset which is divided per country. Definitely C. https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer

A. Create a group per country. Add analysts to their respective country-groups. Create a single group 'all_analysts', and add all country-groups as members. Grant the 'all_analysts' group the IAM role of BigQuery jobUser. Share the appropriate dataset with view access with each respective analyst country-group. As all analysts need to execute query, they need JobUser role. They should be restricted to view all datasets (not tables) of respective country.