ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 5.1: Managing Identity and Access Management (IAM)IAMResource HierarchyInheritance

GCP ACE · Question 43 · Domain 5.1: Managing Identity and Access Management (IAM)

A user is granted the 'Compute Viewer' role at the Folder level. However, at the Project level (which is inside that Folder), the user is explicitly granted the 'Compute Admin' role.

What level of access does the user have to Compute Engine resources in that project?

Answer options:

A.

The user has 'Compute Viewer' access because higher-level policies override lower-level policies.

B.

The user has 'Compute Admin' access because IAM policies are a union of all granted roles.

C.

The user has no access because the conflicting policies cancel each other out.

D.

The user has 'Compute Viewer' access because the least privilege principle is automatically enforced by IAM.

How to approach this question

Understand how IAM policy inheritance and evaluation work in the GCP resource hierarchy.

Full Answer

B.The user has 'Compute Admin' access because IAM policies are a union of all granted roles.✓ Correct
Google Cloud IAM policies are inherited downwards (Organization -> Folder -> Project -> Resource). The effective policy for a resource is the union of the policy set at that resource and the policies inherited from its ancestors. Because it is a union (additive), if you are granted Viewer at the folder and Admin at the project, you have Admin access at the project.

Common mistakes

Thinking that IAM works like Active Directory Group Policies where lower levels can 'deny' or override higher levels. In GCP IAM, there are no 'Deny' rules in standard IAM policies (though IAM Deny policies are a separate, advanced feature, standard role bindings are purely additive).
42All questions44

Practice the full GCP Associate Cloud Engineer Practice Exam 7

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01You are starting a new initiative and need to create a new Google Cloud project using the Cloud S...EasyQ02Your company is migrating to Google Cloud and wants to manage user identities centrally. They cur...MediumQ03You have just created a new Google Cloud project and want to deploy a containerized application u...MediumQ04Your finance team wants to perform complex SQL queries on your Google Cloud billing data to analy...MediumQ05You are managing a development project in Google Cloud. You want to ensure that you are notified ...Easy
View all 50 questions →