Hard · 1 mark · Multiple Choice

GCP ACE · Question 42 · Domain 5.1: Managing Identity and Access Management (IAM)

A user named Alice belongs to the 'Developers' Google Group. The 'Developers' group is granted the 'Compute Viewer' role at the Folder level. Alice is also individually granted the 'Compute Admin' role at the Project level (which is inside the Folder).

Which TWO statements are true regarding Alice's permissions on instances in the Project? (Select TWO)

Answer options:

A. Alice only has 'Compute Viewer' rights because Folder-level permissions override Project-level permissions.

B. Alice can delete Compute Engine instances in the project.

C. IAM policies are a union of those granted at the resource level and those inherited from higher levels.

D. Alice's individual role assignment is invalid because she is already in a group with a role on the same resource tree.

E. Alice must use a Service Account to exercise her 'Compute Admin' rights.

How to approach this question

Understand IAM inheritance and that permissions are additive (a union).

Full Answer

Correct answers: B and C.

- Alice can delete Compute Engine instances in the project.
- IAM policies are a union of those granted at the resource level and those inherited from higher levels.

GCP IAM policies are inherited downwards (Organization -> Folder -> Project -> Resource) and are additive: the effective policy on a resource is the union of every role granted at that level and at every level above it. Alice inherits 'Compute Viewer' from the Folder through her group membership, and is explicitly granted 'Compute Admin' at the Project. Neither grant cancels the other, so she holds 'Compute Admin' rights on the project, which include deleting instances.

Common mistakes

Thinking that a restrictive policy at a higher level (Folder) overrides a permissive policy at a lower level (Project).
