Exam Professional Cloud Security Engineer topic 1 question 129 discussion

The question is that is necessary to add identities from another Domain to cloud identity. The only way to do that is by adding the Customer Ids as exception. The procedure does not support adding groups, etc... The groups and the corresponding users can be added later on with Cloud Identity once that the domain of their organization is allowed: The allowed_values are Google Workspace customer IDs, such as C03xgje4y. Only identities belonging to a Google Workspace domain from the list of allowed_values will be allowed on IAM policies once this organization policy has been applied. Google Workspace human users and groups must be part of that Google Workspace domain, and IAM service accounts must be children of an organization resource associated with the given Google Workspace domain

Policy should be turned on at the end. Adding the whole group as an exception is far more reasonable than adding all identities.

Why D is Correct: Custom Exceptions for Partner Domains: By setting the policy to "Custom," you can explicitly list the external partner's Cloud Identity or Google Workspace customer ID as an exception. This allows resources to be shared with the specified external domain while maintaining domain restriction for all other domains. Enforcing Best Practices: Turning the policy back on ensures that the domain restricted sharing remains enforced across your organization. Granular Control: Using customer IDs ensures that only the intended partner domain is granted access. This approach avoids unnecessary exposure to other domains.

To make an exception for your partner’s domain while following the stated best practices, you can add each external partner’s Cloud Identity or Google Workspace customer ID as an exception under the organization policy. To do this, you need to turn off the domain restricted sharing organization policy and set the policy value to “Custom” . You can then add each external partner’s Cloud Identity or Google Workspace customer ID as an exception under the organization policy and turn the policy back on . Alternatively, you can add each partner’s Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on . This approach is useful when you have multiple external partners that need access to your resources .

D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

D is the answer. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint. The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list. All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy. All other domains will be denied by the organization policy.

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy

The right answer is D. Because we add the "Customer ID" as exception and not Google group. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy