Exam Professional Cloud Architect topic 1 question 57 discussion

Both A & C are correct but using the principle of least privileges C is the most appropriate. BigQuery User: (roles/bigquery.user) When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. <b>Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role(roles/bigquery.dataOwner) on these new datasets.</b> Lowest-level resources where you can grant this role: Dataset BigQuery Job User: (roles/bigquery.jobUser) Provides permissions to run jobs, including queries, within the project. Lowest-level resources where you can grant this role: Project Source: https://cloud.google.com/bigquery/docs/access-control

C is the correct Answer , A is wrong because bq User Permission will allow you to edit the dataset, which is something that we don't want in this scenario. B and D is wrong because "You want to make sure that no query costs are incurred on the projects that contain the data" so you don't want users to fire quires on the Project that contains the dataset , hence the "dataViewer" permission https://cloud.google.com/bigquery/docs/access-control

BigQuery jobUser on the billing project and BigQuery dataViewer on the projects that contain the data.

I will go for C.

The link to refer here: https://cloud.google.com/bigquery/docs/access-control

The "roles/bigquery.jobUser" role provides the permission to run jobs, including querying, exporting and copying data, and creating views and materialized views. This role does not provide permissions to create, update, or delete BigQuery resources, such as datasets, tables, and models. Users with this role can only interact with BigQuery through jobs. The "roles/bigquery.User" role, on the other hand, provides the permission to create, update, and delete BigQuery resources, as well as run jobs. This role includes all the permissions of the "roles/bigquery.jobUser" role, and in addition allows users to manage BigQuery resources, such as creating datasets, tables, and models, and modifying their schema and access controls.

A is wrong because https://cloud.google.com/bigquery/docs/access-control#bigquery.user C is correct because https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser

Important statements from the prompt 1. All queries need to be billed to a single project - one project that queries data stored on other projects. Let's call this our billing project. a. jobUser is the best role to satisfy this need, because it provides permission to run jobs and queries within a project. 2. Other projects is where the data resides. These projects don't need much access besides the ability to be viewed (not edited). a. The dataViewer role provide permission to read all datasets in the project.

The correct answer is A: Add all users to a group. Grant the group the role of BigQuery user on the billing project and BigQuery dataViewer on the projects that contain the data. To make sure that no query costs are incurred on the projects that contain the data and allow users to query the datasets but not edit them, you should follow these steps: Add all users to a group. Grant the group the role of BigQuery user on the billing project. This will allow the group to run queries on BigQuery and incur costs on the billing project. Grant the group the role of BigQuery dataViewer on the projects that contain the data. This will allow the group to view the datasets and run queries on them, but not edit them.

C is right Add all users to a group. Grant the group the roles of BigQuery jobUser on the billing project and BigQuery dataViewer on the projects that contain the data.

C. Add all users to a group. Grant the group the roles of BigQuery jobUser on the billing project and BigQuery dataViewer on the projects that contain the data.

D is the answer: Cloud BigQuery Roles Cloud BigQuery IAM Roles BigQuery Admin - bigquery.* BigQuery Data Owner - bigquery.datasets.*, bigquery.models.*, bigquery.routines.*, bigquery.tables.* (Does NOT have access to Jobs!) BigQuery Data Editor - bigquery.tables.(create/delete/export/get/getData/getIamPolicy/ list/update/updateData/updateTag), bigquery.models.*, bigquery.routines.*, bigquery.datasets.(create/get/getIamPolicy/updateTag) BigQuery Data Viewer - get/list bigquery.(datasets/models/routines/tables) BigQuery Job User - bigquery.jobs.create BigQuery User - BigQuery Data Viewer + get/list (jobs, capacityCommitments, reservations etc) To see data, you need either BigQuery User or BigQuery Data Viewer roles You CANNOT see data with BigQuery Job User roles BigQuery Data Owner or Data Viewer roles do NOT have access to jobs!

C is the correct Answer , A is wrong because bq User Permission will allow you to edit the dataset, which is something that we don't want in this scenario. B and D is wrong because "You want to make sure that no query costs are incurred on the projects that contain the data" so you don't want users to fire quires on the Project that contains the dataset , hence the "dataViewer" permission https://cloud.google.com/bigquery/docs/access-control

C. Add all users to a group. Grant the group the roles of BigQuery jobUser on the billing project and BigQuery dataViewer on the projects that contain the data.

C looks to be the correct answer

JobUser is the correct terminology for bq. Only read access to data sources is required.

bq is using jobs - so "user" isn't specific enough, jobuser is.