You want to add a new auditor to a Google Cloud Platform project.
The auditor should be allowed to read, but not modify, all project items.
How should you configure the auditor's permissions?
A. B. C. D.
C.
https://cloud.google.com/resource-manager/docs/access-control-proj
The best way to add a new auditor to a Google Cloud Platform project while ensuring that they can only view project items and not modify them is by assigning a custom role with view-only permissions.
Option A is the correct answer. To implement this solution, you should follow these steps:
1. Create a Custom Role: You should create a custom role that includes the necessary permissions for viewing project items. In this case, the role should have the "resourcemanager.projects.get" permission to view project details and "resourcemanager.projects.list" permission to view the list of projects.
2. Assign the Custom Role: After creating the custom role, you should add the new auditor's account to the role by granting the "Role Viewer" permission. This will allow the auditor to view all project items but not modify them.
3. Verify the Permission: Finally, you should verify that the new auditor can only view the project items and does not have the ability to modify them.
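One way to carry out the verification step offline, as an added example that is not part of the original page: it takes an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json` plus each role's permission list, and reports any permission held by the auditor whose verb is not read-only. The project, role names, members and sample policies are constructed, and treating only `get` and `list` as read-only verbs is an assumption.

```python
# Added example: offline check for the "Verify the Permission" step.
# All names and sample data below are constructed for illustration.

READ_ONLY_VERBS = {"get", "list"}  # assumption: verbs treated as non-modifying

def member_permissions(policy, roles, member):
    """Collect every permission the member holds through the policy's bindings."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            role = binding["role"]
            if role not in roles:
                # Fail closed: an unknown role cannot be shown to be read-only.
                raise KeyError(f"no permission list available for role {role}")
            perms.update(roles[role])
    return perms

def modifying_permissions(policy, roles, member):
    """Return, sorted, the permissions whose verb is not in READ_ONLY_VERBS."""
    return sorted(
        p for p in member_permissions(policy, roles, member)
        if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS
    )

# Constructed role definitions: role name -> its included permissions.
ROLES = {
    "projects/example-project/roles/auditorViewOnly": [
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "projects/example-project/roles/labelEditor": [
        "resourcemanager.projects.get",
        "resourcemanager.projects.update",
    ],
}

# Constructed policies: the intended state, and one with an extra binding.
GOOD_POLICY = {"bindings": [
    {"role": "projects/example-project/roles/auditorViewOnly",
     "members": ["user:auditor@example.com"]},
]}
DRIFTED_POLICY = {"bindings": GOOD_POLICY["bindings"] + [
    {"role": "projects/example-project/roles/labelEditor",
     "members": ["user:auditor@example.com", "user:dev@example.com"]},
]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, modifying_permissions(policy, ROLES, "user:auditor@example.com"))
```

The check covers direct bindings on one policy only; access granted through group membership or inherited from a folder or organization policy has to be reviewed separately.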
Option B is incorrect as it suggests creating a custom role with view-only service permissions, which would not provide access to all project items.
Options C and D are incorrect as they suggest using the built-in IAM Viewer roles. The IAM Project Viewer role allows users to view all resources in a project but also grants permission to edit project-level metadata, such as labels, which could lead to accidental changes. The IAM Service Viewer role allows users to view all resources in a service but not project-level metadata. However, it does not provide access to all project items, which is a requirement in this case.