You are responsible for the Google Cloud environment in your company.
Multiple departments need access to their own projects, and the members within each department will have the same project responsibilities.
You want to structure your Google Cloud environment for minimal maintenance and maximum overview of IAM permissions as each departments projects start and end.
You want to follow Google-recommended practices.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
Option B is the correct answer: Create a Google Group per department and add all department members to their respective groups. Create a folder per department and grant the respective group the required IAM permissions at the folder level. Add the projects under the respective folders.
Explanation:
In this scenario, multiple departments need access to their own projects, and the members within each department will have the same project responsibilities. This means that the access control needs to be managed at the department level, not at the individual level. This is where Google Groups can be very useful.
Option A is not recommended as it would require granting the same permissions to each individual user within a department which can be time-consuming and difficult to manage. It would also be difficult to revoke access when a member of a department leaves the organization.
Option B is a better solution. By creating a Google Group per department, you can add and remove members from a group as needed, which makes it easier to manage access control. Then, by creating a folder per department and granting the respective group the required IAM permissions at the folder level, you can easily manage the IAM permissions for all projects within that department. This is a more scalable solution that will minimize the maintenance required for granting or revoking access.
Option C is not recommended because granting IAM permissions to individual members can be difficult to manage and maintain, especially if members change frequently. Also, if projects are organized at the individual level, it will be difficult to get an overview of the IAM permissions for each department.
Option D is also not recommended because granting IAM permissions to a Google Group at the project level can be difficult to manage and maintain, especially if multiple projects are involved. It would also be difficult to get an overview of the IAM permissions for each department.