Google Cloud Professional Data Engineer — Question 107

As your organization expands its usage of GCP, many teams have started to create their own projects. Projects are further multiplied to accommodate different stages of deployments and target audiences. Each project requires unique access control configurations. The central IT team needs to have access to all projects.
Furthermore, data from Cloud Storage buckets and BigQuery datasets must be shared for use in other projects in an ad hoc way. You want to simplify access control management by minimizing the number of policies. Which two steps should you take? (Choose two.)

Answer options

• A. Use Cloud Deployment Manager to automate access provision.
• B. Introduce resource hierarchy to leverage access control policy inheritance.
• C. Create distinct groups for various teams, and specify groups in Cloud IAM policies.
• D. Only use service accounts when sharing data for Cloud Storage buckets and BigQuery datasets.
• E. For each Cloud Storage bucket or BigQuery dataset, decide which projects need access. Find all the active members who have access to these projects, and create a Cloud IAM policy to grant access to all these users.

Correct answer: B, C

Explanation

The correct steps are B and C because introducing a resource hierarchy allows for streamlined access control through policy inheritance, reducing the need for multiple policies. Creating distinct groups for teams simplifies management within Cloud IAM. Options A, D, and E do not address the requirement to minimize the number of policies effectively.