Exam Professional Cloud Architect topic 1 question 49 discussion

The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.https://cloud.google.com/iam/docs/resource-hierarchy-access-control

You can set IAM policies at the level of the node, in addition to policies inherited from its parent. Hence, it is a union.

Here's how IAM policies work in GCP's hierarchical structure: 1. Hierarchy: GCP resources are organized in a hierarchy: - Organization: The root node representing your company. - Folders: Used to organize projects within the organization. - Projects: Containers for your resources (VMs, databases, etc.). 2. Inheritance: IAM policies are inherited down the hierarchy. This means a policy set at the Organization level applies to all folders and projects within it. 3. Union of Policies: When you have policies at different levels, the effective policy at a particular node (e.g., a project) is the combination (union) of: - The policy set directly at that node. - All the policies inherited from its parent folder and the organization. Example: If a user has "Viewer" access at the Organization level and "Editor" access at the Project level, their effective permission on that project is "Editor" (the higher permission).

From google doc: Google Cloud resources are organized hierarchically, where the organization node is the root node in the hierarchy, the projects are the children of the organization, and the other resources are descendants of projects. You can set allow policies at different levels of the resource hierarchy. Resources inherit the allow policies of the parent resource. The effective allow policy for a resource is the union of the allow policy set at that resource and the allow policy inherited from its parent.

The effective policy at a particular node in the resource hierarchy in GCP is determined by the intersection of the policy set at the node and policies inherited from its ancestors, as described in option D Cloud IAM policies in GCP are hierarchical, meaning that policies set at higher levels of the resource hierarchy can be inherited by lower levels. When a user or service account attempts to access a resource, the effective policy at that resource is determined by evaluating the policies set at the resource itself and all of its ancestors in the hierarchy. If any of the policies deny access, the user or service account will be denied access. For example, consider the following resource hierarchy: Organization => Folder => Project => Compute Engine instance If an IAM policy is set at the organization level that allows read access to all Compute Engine instances, and a policy is set at the project level that denies read access to a specific Compute Engine instance, the effective policy for that instance will be the intersection of the two policies, which will be to deny read access to the instance.

C. Is a skewed wording question. Cannot be comprehended right away.

ok for C

C is correct answer

English as a second language will struggle here. Good luck to us

A: Would mean polcies set at the project or higher meant nothing, this is obviously wrong B: would mean you could not grant a permissions to a single VM, it would need to be at project or above (you restrict by not giving the permission) C : The permission is the sum of all the permissions you are given through the hierarchy, this is correct, you cannot restrict once it is given at a higher level. D: Would mean you would need the permission set at ancestor and the node, this would mean to get access to a single VM you would need to be given access to all VMs at the project level.

C is correct answer as it inheritance is the basic model of IAM

C is correct

C Google Cloud resources are organized hierarchically, where the organization node is the root node in the hierarchy, the projects are the children of the organization, and the other resources are descendants of projects. You can set Identity and Access Management (IAM) policies at different levels of the resource hierarchy. Resources inherit the policies of the parent resource. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.

C is the correct answer

Go for C.

Answer is C

C. The effective policy is the union of the policy set at the node and policies inherited from its ancestors