Domain 5.1: Managing Identity and Access Management (IAM) — GCP ACE Practice Question 43

How to approach this question

Understand how IAM policy inheritance and evaluation work in the GCP resource hierarchy.

Full Answer

B.The user has 'Compute Admin' access because IAM policies are a union of all granted roles.✓ Correct

The user has 'Compute Admin' access because IAM policies are a union of all granted roles.

Google Cloud IAM policies are inherited downwards (Organization -> Folder -> Project -> Resource). The effective policy for a resource is the union of the policy set at that resource and the policies inherited from its ancestors. Because it is a union (additive), if you are granted Viewer at the folder and Admin at the project, you have Admin access at the project.

Common mistakes

Thinking that IAM works like Active Directory Group Policies where lower levels can 'deny' or override higher levels. In GCP IAM, there are no 'Deny' rules in standard IAM policies (though IAM Deny policies are a separate, advanced feature, standard role bindings are purely additive).

A user is granted the 'Compute Viewer' role at the Folder level. However, at the Project level (which is inside that Folder), the user is explicitly granted the 'Compute Admin' role.

What level of access does the user have to Compute Engine resources in that project?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 7

More questions from this exam

A user is granted the 'Compute Viewer' role at the Folder level. However, at the Project level (which is inside that Folder), the user is explicitly granted the 'Compute Admin' role. What level of access does the user have to Compute Engine resources in that project?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 7

More questions from this exam

A user is granted the 'Compute Viewer' role at the Folder level. However, at the Project level (which is inside that Folder), the user is explicitly granted the 'Compute Admin' role.

What level of access does the user have to Compute Engine resources in that project?