Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service.
Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to groups.
C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Correct answer: B
Reference: https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform

The scenario described in the question requires a solution that enables central management of Google Cloud Platform (GCP) IAM permissions from an on-premises Active Directory (AD) service, based on group membership. The IAM permissions are used to control access to GCP resources.
Option A suggests setting up Cloud Directory Sync to sync groups and set IAM permissions on the groups. Cloud Directory Sync is a tool that synchronizes data between an on-premises directory and Google Workspace or Cloud Identity. While Cloud Directory Sync can sync AD groups to Cloud Identity groups, it does not support setting IAM permissions on the groups. Therefore, option A is not the correct solution.
Option B suggests setting up SAML 2.0 Single Sign-On (SSO) and assigning IAM permissions to groups. SSO allows users to authenticate to multiple applications and services using a single set of credentials. SSO can be set up between an on-premises identity provider, such as AD, and GCP. Once SSO is set up, IAM permissions can be assigned to groups in GCP based on AD group membership. Therefore, option B is a possible solution to meet the requirements described in the question.
Option C suggests using the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory. While the Cloud Identity and Access Management API can be used to manage IAM permissions in GCP, it does not provide a direct way to sync AD groups and IAM permissions. Therefore, option C is not the correct solution.
Option D suggests using the Admin SDK to create groups and assign IAM permissions from Active Directory. The Admin SDK provides a set of APIs that can be used to manage GCP resources, including IAM permissions. However, it does not provide a direct way to sync AD groups and IAM permissions. Therefore, option D is not the correct solution.
In conclusion, option B is the correct solution to meet the requirements described in the question. SAML 2.0 SSO can be set up to allow users to authenticate to GCP using their AD credentials, and IAM permissions can be assigned to groups based on AD group membership.
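As an added example that is not part of the exam page, here is what the group-based IAM assignment the explanation settles on looks like at the policy-document level: a Python helper that grants a role to a `group:` principal in a GCP project IAM policy (the JSON shape that `gcloud projects get-iam-policy --format=json` returns), reuses an existing binding for the role instead of duplicating it, and refuses individual user principals so that AD group membership stays the only path to access. The group addresses and etag are constructed samples.

```python
"""Grant GCP IAM roles to groups only, by editing a project IAM policy document.

Added example, not from the exam page. Works on the IAM policy JSON shape
returned by `gcloud projects get-iam-policy --format=json`: a "bindings" list
of {"role", "members"} objects plus an "etag". All addresses are constructed.
"""
import copy
import json

GROUP_PREFIX = "group:"

# Constructed sample: the policy as it might look before the change.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["group:gcp-readers@example.com"]},
    ],
    "etag": "BwX-constructed-etag",
}


def add_group_binding(policy: dict, group_email: str, role: str) -> dict:
    """Return a copy of `policy` with `group_email` granted `role`.

    Only bare group addresses are accepted; a prefixed principal such as
    "user:alice@example.com" is rejected, so per-user grants cannot bypass the
    AD group as the source of truth. Re-adding a member is a no-op, and an
    existing binding for the role is extended rather than duplicated
    (the same behaviour as `gcloud projects add-iam-policy-binding`).
    """
    if "@" not in group_email or ":" in group_email:
        raise ValueError(f"expected a bare group address, got {group_email!r}")
    member = GROUP_PREFIX + group_email
    new_policy = copy.deepcopy(policy)  # never mutate the fetched policy
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def non_group_members(policy: dict) -> list:
    """List every principal that is not a group, as a drift check after sync."""
    return [m for b in policy.get("bindings", []) for m in b.get("members", [])
            if not m.startswith(GROUP_PREFIX)]


if __name__ == "__main__":
    updated = add_group_binding(SAMPLE_POLICY, "gcp-editors@example.com", "roles/editor")
    print(json.dumps(updated, indent=2))
    print("non-group principals:", non_group_members(updated))
```

The returned document, etag included, is what you would hand to `gcloud projects set-iam-policy`; a non-empty result from `non_group_members` flags bindings that were granted outside the group-based process.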