Free Google Cloud-Digital-Leader Actual Exam Questions - Question 6 Discussion
group.
How is this access control managed in the Google Cloud production project?
Option A makes sense since service accounts can be assigned roles regardless of LDAP syncing.
It’s C. Assuming the LDAP group is synced to a Google Group, assigning the IAM role directly to that Google Group in the project’s IAM policy is the cleanest way to manage access. Options A and B focus on service accounts, which isn’t what the question suggests for user access control. D doesn’t make much sense since folders aren’t named after LDAP groups and don’t handle access that way. The key is that syncing LDAP groups to Google Groups lets you manage access via IAM roles on the group itself, so C fits best here.
Maybe A here. If the LDAP group isn’t synced to Google Groups, you can’t assign roles directly to it. So managing access by assigning roles to a service account in the IAM policy (A) could be the way to handle it. Options B and C rely on that sync existing, which the question doesn’t confirm. D seems irrelevant since folders and project naming don’t control access tied to LDAP groups.
This is tricky since LDAP groups don’t automatically sync with Google IAM. If there’s no syncing, you can’t assign roles directly to the LDAP group, so option A makes more sense for managing service account permissions. A
B imo, because granting roles/iam.serviceAccountUser on the service account lets individual users act as that account, which is more granular than just group role assignment. C assumes the group sync always happens.
C vs A—if LDAP sync isn’t set up, A might be safer since it’s direct role assignment.
It’s C because assigning roles to the Google Group lets you manage access in one place for all users synced from LDAP. A and B focus on service accounts, which isn’t the main point here.
A/B? A is more about service accounts, which isn’t really about managing user access through LDAP groups. B sounds specific to service accounts too, so less likely. C looks cleaner for group-based access.
C/D? Assigning roles directly to the Google Group (C) makes sense for managing access via LDAP groups. Creating a folder with the same name (D) seems unrelated to access control here.