Automatically Deprovisioning a Terminated Engineer's Google Account

C.

When a customer terminates an engineer, they should take appropriate steps to ensure that the engineer's access to the customer's resources is terminated as well. In this case, the customer needs to make sure that the engineer's Google account is automatically deprovisioned, which means that the account should be removed or disabled.

Option A suggests using the Cloud SDK with their directory service to remove the engineer's IAM permissions in Cloud Identity. This is not the correct approach as IAM permissions control access to resources and removing them will not necessarily remove the user's account or disable it.

Option B suggests using the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity. While this option could work, it involves manual intervention, which could be time-consuming and prone to errors.

Option C suggests configuring Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity. This option is a better approach as Cloud Directory Sync can automatically synchronize user accounts between the customer's directory service and Cloud Identity. By configuring Cloud Directory Sync, the customer can ensure that any changes made to their directory service are automatically reflected in Cloud Identity.

Option D suggests configuring Cloud Directory Sync with their directory service to remove the engineer's IAM permissions in Cloud Identity. This is not the correct approach, as removing IAM permissions does not necessarily remove the user's account or disable it.

In summary, the correct answer is C - configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity. This option allows the customer to automatically synchronize their directory service with Cloud Identity, ensuring that the engineer's account is automatically deprovisioned when they are terminated.