Google Cloud Professional Cloud Security Engineer — Question 74
You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?
Answer options
- A. Turn off the domain restricted sharing organization policy. Set the policy value to "Allow All."
- B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
- C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
- D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.
Correct answer: D
Explanation
The correct answer is D because it keeps the domain restricted sharing policy in place while making specific exceptions for the external partners. Options A and B remove the domain restriction entirely, which goes against best practices. Option C does not allow for the flexibility of setting a custom policy value, which is necessary to include exceptions for specific domains.