Google Cloud Platform: Configuring Access for Department Projects

Question

A company allows every employee to use Google Cloud Platform.

Each department has a Google Group, with all department members as group members.

If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources.

Members of any other department should not have access to the project.

You need to configure this behavior.

What should you do to meet these requirements?

Answers

Explanations

C.

To give every member of a department read-only access to the new projects its members create, while keeping members of other departments out, access should be controlled at the folder level of the resource hierarchy rather than project by project. The correct option for this scenario is option A: create a folder per department under the organization, and for each department's folder assign the Project Viewer role to that department's Google Group.

Explanation:

Option A is the correct answer because it provides the necessary level of access for department members, while restricting access for members of other departments.

By creating a folder per department under the organization, you group each department's projects under one node and apply access controls at that node. Because IAM policies are inherited down the resource hierarchy, a role granted on the folder applies automatically to every project created in that folder afterwards, so no per-project permission changes are needed as new projects appear.

Assigning the Project Viewer role to the Google Group related to that department ensures that members of the group have read-only access to the projects within the folder. This role grants access to view all resources within a project, including Compute Engine instances, storage buckets, and other resources.
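The folder-level grant and its inheritance can be checked with a small model of the hierarchy. The following is an added example, not part of the original question or of any Google tooling: the organization, folder and project ids, the group addresses and the user memberships are all constructed sample values, and the policy body it builds is the shape accepted by `gcloud resource-manager folders set-iam-policy FOLDER_ID policy.json`. It resolves effective roles the way Cloud IAM does (a binding on a parent applies to every descendant) and shows that a project parented to the department folder is readable by that department's group only, while a project created outside the folder inherits nothing from it.

```python
"""Folder-per-department IAM model: grant roles/viewer to the department
group on its folder, then resolve effective roles on child projects."""
from __future__ import annotations

# Constructed hierarchy (child -> parent). New projects must be parented to
# the department folder; a project placed directly under the org is shown
# too, to demonstrate that it inherits nothing from the folder.
PARENT = {
    "folders/1001": "organizations/999",        # Engineering folder (constructed id)
    "folders/1002": "organizations/999",        # Finance folder (constructed id)
    "projects/eng-new-app": "folders/1001",     # created later by an engineer
    "projects/fin-ledger": "folders/1002",
    "projects/stray-project": "organizations/999",  # created outside any folder
}

# Constructed group membership, as Cloud Identity would report it.
GROUPS = {
    "group:eng@example.com": {"alice@example.com", "bob@example.com"},
    "group:finance@example.com": {"carol@example.com"},
}


def folder_viewer_policy(group_email: str) -> dict:
    """Policy body implementing option A for one department folder:
    Project Viewer (roles/viewer) for the department's Google Group."""
    return {"bindings": [{"role": "roles/viewer",
                          "members": [f"group:{group_email}"]}]}


# Policies attached to each resource; only the two folders carry bindings.
POLICIES = {
    "folders/1001": folder_viewer_policy("eng@example.com"),
    "folders/1002": folder_viewer_policy("finance@example.com"),
}


def ancestry(resource: str) -> list[str]:
    """The resource followed by each ancestor up to the organization."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def principals_for(user: str) -> set[str]:
    """Member strings a user matches: user:... plus every group containing them."""
    members = {f"user:{user}"}
    members |= {g for g, users in GROUPS.items() if user in users}
    return members


def effective_roles(user: str, resource: str) -> set[str]:
    """Union of roles bound on the resource and on all of its ancestors,
    which is how IAM inheritance makes a folder grant cover new projects."""
    mine = principals_for(user)
    roles: set[str] = set()
    for node in ancestry(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if mine & set(binding["members"]):
                roles.add(binding["role"])
    return roles


def has_read_access(user: str, resource: str) -> bool:
    """True when the user holds roles/viewer on the resource, directly or inherited."""
    return "roles/viewer" in effective_roles(user, resource)


if __name__ == "__main__":
    for user in ("alice@example.com", "carol@example.com"):
        for project in ("projects/eng-new-app", "projects/fin-ledger", "projects/stray-project"):
            print(f"{user:20} {project:24} read={has_read_access(user, project)}")
```

The stray project illustrates the one operational caveat of option A: the folder grant only covers projects whose parent is the department folder, so project creation has to land inside that folder for the inheritance to apply.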

In contrast, the Project Browser role (option B) only grants read-only access to the Cloud Console UI, not to project resources: it lets a user see that the project exists and view information about it, but not view the actual resources inside it or act on them. It is therefore not sufficient to give department members read-only access to project resources.

Creating a project per department (options C and D) is possible, but it does not scale as well as a folder per department. It leads to a proliferation of projects that are hard to manage, and because permissions would be granted project by project, there is no single place from which access controls apply to every project a department member creates.

In summary, option A is the best solution for meeting the requirement of allowing all members of a department read-only access to new projects created by department members, while preventing members of other departments from accessing those projects. By creating a folder per department and assigning the Project Viewer role to the related Google Group, you can provide granular access controls and manage permissions more efficiently.