Easy · 1 mark · Multiple Choice

GCP ACE · Question 40 · Domain 5.1: Managing Identity and Access Management (IAM)

A new team member needs to be able to view all resources in a project, but should not be able to modify them. You want to follow the principle of least privilege.

Which IAM role should you assign?

Answer options:

A. The primitive 'Viewer' role.

B. The predefined 'roles/viewer' role.

C. The predefined 'roles/browser' role.

D. A custom role with 'get' and 'list' permissions for every service.

How to approach this question

Distinguish between primitive roles, predefined roles, and custom roles.

Full Answer

B. The predefined 'roles/viewer' role. ✓ Correct

The predefined `roles/viewer` role grants read-only access to resources within a project. It is preferred over the legacy primitive `Viewer` role. The `roles/browser` role is too restrictive (only sees the project name), and a custom role is too difficult to maintain for general read access.

Common mistakes

Choosing the primitive Viewer role. GCP best practices strongly recommend using predefined roles (which start with `roles/`) over primitive roles.
