Google Cloud Professional Cloud Security Engineer — Question 158
Your Google Cloud environment has one organization node, one folder named “Apps”, and several projects within that folder. The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the terramearth.com organization. The “Apps” folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property.
You attempt to grant access to a project in the “Apps” folder to the user [email protected].
What is the result of your action and why?
Answer options
- A. The action succeeds because members from both organizations, terramearth.com or flowlogistic.com, are allowed on projects in the “Apps” folder.
- B. The action succeeds and the new member is successfully added to the project's Identity and Access Management (IAM) policy because all policies are inherited by underlying folders and projects.
- C. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.
- D. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.
Correct answer: D
Explanation
The correct answer is D because the policy on the “Apps” folder sets inheritFromParent: false, so it replaces the organization-level list rather than merging with it, and only members of the flowlogistic.com organization are allowed on projects beneath that folder. Since the user belongs to a different organization, the grant fails. Options A and B are incorrect because they misinterpret how a list constraint with inheritFromParent: false overrides the parent policy. Option C is also incorrect because no additional policy on the project is needed to deactivate the existing constraint; the folder-level policy alone determines the outcome.
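To make the inheritance rule concrete, the following added example (not part of the original question or of any Google tooling) models a resource hierarchy and computes the effective allowed-domain list the way a list constraint's inheritFromParent flag does: true merges the node's list with the parent's, false replaces it. The organization and project names and the member addresses are constructed placeholders; the real constraint keys on Cloud Identity customer IDs rather than domain names, and domains are used here only to mirror the question.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet


@dataclass
class Node:
    """One resource in the org -> folder -> project hierarchy."""
    name: str
    parent: Optional["Node"] = None
    # Simplified list constraint: None means no policy is set on this node.
    allowed_domains: Optional[FrozenSet[str]] = None
    inherit_from_parent: bool = True


def effective_allowed_domains(node: Node) -> Optional[FrozenSet[str]]:
    """Walk from the root down to `node`, applying each policy in turn.
    Returns None when no constraint applies anywhere on the path."""
    chain = []
    cur = node
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    effective = None
    for n in reversed(chain):          # root first, target node last
        if n.allowed_domains is None:
            continue                   # no policy here: keep the inherited one
        if n.inherit_from_parent and effective is not None:
            effective = effective | n.allowed_domains   # merge with parent list
        else:
            effective = n.allowed_domains   # inheritFromParent: false replaces it
    return effective


def can_grant(node: Node, member: str) -> bool:
    """True if `member`'s domain is allowed by the effective policy on `node`."""
    domain = member.rsplit("@", 1)[-1].lower()
    allowed = effective_allowed_domains(node)
    return allowed is None or domain in allowed


# Constructed hierarchy mirroring the question (placeholder resource names).
org = Node("organizations/EXAMPLE-ORG", allowed_domains=frozenset({"terramearth.com"}))
apps = Node("folders/apps", parent=org,
            allowed_domains=frozenset({"flowlogistic.com"}), inherit_from_parent=False)
project = Node("projects/apps-project-1", parent=apps)

if __name__ == "__main__":
    for m in ("alice@terramearth.com", "bob@flowlogistic.com"):   # constructed members
        print(m, "->", "allowed" if can_grant(project, m) else "denied")
```

Flipping the folder to inherit_from_parent=True shows the alternative outcome described in option A, where members from both organizations would be allowed.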