Best Practices for Assigning Minimum Permissions to View Google Cloud Organizational Structure
Question
Your company set up a complex organizational structure on Google Cloud.
The structure includes hundreds of folders and projects.
Only a few team members should be able to view the hierarchical structure.
You need to assign minimum permissions to these team members, and you want to follow Google-recommended practices.
What should you do?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.C.
To restrict access to the hierarchical structure on Google Cloud to a few team members while following Google-recommended practices, you should add the users to a group and then assign that group the roles/iam.roleViewer role. This is the best practice recommended by Google.
Option A, adding the users to the roles/browser role, would give the users permission to view the resource hierarchy in the Google Cloud Console, but it would also give them permission to view all the resources within the hierarchy. This is not the minimum permission required to view the hierarchical structure.
Option B, adding the users to the roles/iam.roleViewer role, is the recommended approach. This role grants read-only access to all IAM policies within the resource hierarchy. This allows the users to view the resource hierarchy, but not access any of the resources within it.
Option C, adding the users to a group and then adding that group to the roles/browser role, suffers from the same issue as option A. It gives the users permission to view all the resources within the hierarchy, which is more than the minimum permission required.
Therefore, the best answer is option D, which combines the use of groups and the roles/iam.roleViewer role, which is the recommended approach by Google.
