Hard · 1 mark · Multiple Choice

GCP ACE · Question 44 · Domain 5.1: Managing Identity and Access Management (IAM)

A user is assigned the roles/editor (Project Editor) role at the Folder level. However, at the Project level (for a project inside that folder), the same user is explicitly assigned only the roles/compute.viewer role.

What level of access does this user have to the Compute Engine instances in that project?

Answer options:

A. They have full Editor access (can modify instances) because IAM permissions are inherited and additive.

B. They have only Viewer access because the most restrictive policy applies.

C. They have only Viewer access because project-level policies override folder-level policies.

D. They have no access because the conflicting roles cause a denial of access.

How to approach this question

Recall the fundamental rule of GCP IAM inheritance: Permissions are inherited downwards and are additive (union). You cannot restrict access at a lower level if it was granted at a higher level.

Full Answer

A. They have full Editor access (can modify instances) because IAM permissions are inherited and additive. ✓ Correct
In Google Cloud IAM, permissions are inherited downwards through the resource hierarchy (Org -> Folder -> Project -> Resource). Crucially, IAM policies are additive. If a user is granted Editor at the folder level, they are an Editor for all projects within that folder. Assigning a lesser role (Viewer) at the project level does not revoke or restrict the inherited Editor permissions.

Common mistakes

Applying Active Directory or AWS IAM logic (where explicit denies or most-restrictive rules exist) to GCP IAM. Standard GCP IAM allow policies have no 'Deny' rules; Organization Policies and IAM Deny Policies exist as separate mechanisms, but the standard IAM allow policy is purely additive.

Practice the full GCP Associate Cloud Engineer Practice Exam 5
