Question 1

A user is assigned the roles/editor (Project Editor) role at the Folder level. However, at the Project level (for a project inside that folder), the same user is explicitly assigned only the roles/compute.viewer role.

What level of access does this user have to the Compute Engine instances in that project?

Accepted Answer

Recall the fundamental rule of GCP IAM inheritance: Permissions are inherited downwards and are additive (union). You cannot restrict access at a lower level if it was granted at a higher level.

Question 2

What mistakes do candidates make on this GCP ACE question?

Accepted Answer

Applying Active Directory or AWS IAM logic (where explicit denies or most-restrictive rules exist) to GCP IAM. GCP IAM has no 'Deny' rules in standard IAM policies (though Org Policies and Deny Policies exist, standard IAM is purely additive).

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 5

More questions from this exam