Google Cloud Platform: Enabling Query Access for Data Science Team in BigQuery Best Practices

Question

Your company has a Google Cloud Platform project that uses BigQuery for data warehousing.

Your data science team changes frequently and has few members.

You need to allow members of this team to perform queries.

You want to follow Google-recommended practices.

What should you do?

Answers

D.

https://cloud.google.com/bigquery/docs/cloud-sql-federated-queries

The correct answer is D:

1. Create a dedicated Google group in Cloud Identity.
2. Add each data scientist's user account to the group.
3. Assign the BigQuery dataViewer user role to the group.

Explanation:

Google Cloud Platform (GCP) recommends using Google groups in Cloud Identity to manage access control to GCP resources. Google groups allow for centralized management of access to resources across all GCP projects in an organization.

In this scenario, the data science team changes frequently and has few members, so it is recommended to create a dedicated Google group in Cloud Identity for this team. This way, when new members join or current members leave the team, their access to resources can be easily managed through the group.

To allow members of the data science team to perform queries in BigQuery, the BigQuery dataViewer user role should be assigned to the group. This role allows users to query datasets and view metadata, but does not allow them to modify or delete data. This is a more restrictive role than the BigQuery jobUser role, which allows users to submit and cancel queries and jobs, but does not grant access to view metadata.

Therefore, option D is the correct answer as it follows the Google-recommended practice of using a dedicated Google group in Cloud Identity to manage access to resources and assigns the appropriate BigQuery role to the group. Option A assigns the less restrictive BigQuery jobUser role to the group, which could potentially allow users to perform actions they should not be authorized to do. Option B assigns the dataViewer role to individual user accounts instead of a group, which is not recommended for managing access to resources. Option C is similar to option A but assigns the BigQuery jobUser role to the group, which is less restrictive than the dataViewer role and could potentially allow users to perform actions they should not be authorized to do.
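To check that a project actually follows the group-based pattern described above, the following added example (not part of the original page) audits an IAM policy for BigQuery roles bound directly to individual users instead of the team group. It assumes the policy is JSON in the shape produced by `gcloud projects get-iam-policy --format=json`; the group address and all principals are constructed sample values.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# All principals and the group address are hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:data-science@example.com", "user:alice@example.com"]},
    {"role": "roles/bigquery.jobUser",
     "members": ["user:bob@example.com",
                 "serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:carol@example.com"]}
  ]
}
""")

BIGQUERY_ROLE_PREFIX = "roles/bigquery."


def audit_bigquery_bindings(policy, team_group):
    """Return (direct_user_grants, roles_held_by_group) for BigQuery roles.

    direct_user_grants: sorted (role, member) pairs where a BigQuery role is
    bound to an individual `user:` principal instead of a group.
    roles_held_by_group: sorted BigQuery roles bound to `group:<team_group>`.
    """
    direct, group_roles = [], []
    group_member = f"group:{team_group}".lower()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith(BIGQUERY_ROLE_PREFIX):
            continue  # only BigQuery predefined roles are in scope here
        for member in binding.get("members", []):
            if member.lower() == group_member:
                group_roles.append(role)
            elif member.startswith("user:"):
                direct.append((role, member))
    return sorted(direct), sorted(group_roles)


if __name__ == "__main__":
    direct, held = audit_bigquery_bindings(SAMPLE_POLICY, "data-science@example.com")
    for role, member in direct:
        print(f"direct grant: {member} -> {role} (move to the team group)")
    print("group holds:", ", ".join(held) or "no BigQuery roles")
```

Any pair reported as a direct grant is access that will not be removed when the person leaves the group, which is the drift the group-based approach is meant to prevent.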