Google Cloud Professional Cloud Security Engineer — Question 212

You are managing a set of Google Cloud projects that are contained in a folder named Data Warehouse. A new data analysis team has been approved to perform data analysis for all BigQuery data in the projects within the Data Warehouse folder. They should only be able to read the data and not have permissions to modify or delete the data. You want to reduce the operational overhead of provisioning access while adhering to the principle of least privilege. What should you do?

Answer options

• A. Grant the BigQuery Data Viewer role at the project level for each project within the Data Warehouse folder.
• B. Grant the BigQuery Data Viewer role at the Data Warehouse folder.
• C. Grant the BigQuery Data Viewer role at the dataset level for each BigQuery dataset within each project in the Data Warehouse folder.
• D. Grant the BigQuery Metadata Viewer role at the Data Warehouse folder.

Correct answer: B

Explanation

The correct answer is B because granting the BigQuery Data Viewer role at the Data Warehouse folder level provides access to all projects within that folder, ensuring the team can read data without managing permissions for each individual project. Option A requires managing permissions for each project separately, which increases operational overhead. Option C would involve additional complexity by requiring permissions per dataset, while option D would not provide the necessary read access to the data itself.