nerdexam
Google

CLOUD-DIGITAL-LEADER · Question #183

Several departments in an organization are working together on a project. The organization wants to customize access to resources for each department. What is the quickest and most efficient way to ac

The correct answer is A. By mapping IAM roles to job functions for each department. Mapping IAM roles to job functions lets an organization efficiently assign consistent, appropriate permissions to entire departments rather than managing access individually.

Cloud Governance and Access Management

Question

Several departments in an organization are working together on a project. The organization wants to customize access to resources for each department. What is the quickest and most efficient way to achieve this?

Options

  • ABy mapping IAM roles to job functions for each department
  • BBy assigning IAM primitive roles to each employee
  • CBy applying least-privilege to roles for each employee
  • DBy creating a single shared service account for all departments

How the community answered

(49 responses)
  • A
    80% (39)
  • B
    6% (3)
  • C
    2% (1)
  • D
    12% (6)

Why each option

Mapping IAM roles to job functions lets an organization efficiently assign consistent, appropriate permissions to entire departments rather than managing access individually.

ABy mapping IAM roles to job functions for each departmentCorrect

IAM predefined roles are designed to align with specific job functions, so mapping them to departments grants all members the correct permission set in a single step. This approach follows the principle of role-based access control (RBAC), which is the recommended pattern for managing permissions at scale. It is faster than per-user assignment and more precise than broad primitive roles.

BBy assigning IAM primitive roles to each employee

Primitive roles (Owner, Editor, Viewer) are overly broad and provide no per-department customization, violating least-privilege principles.

CBy applying least-privilege to roles for each employee

Applying least-privilege per individual employee requires configuring each person separately, making it the least efficient option for multiple departments.

DBy creating a single shared service account for all departments

A single shared service account eliminates individual accountability, prevents customized access per department, and is a security anti-pattern.

Concept tested: IAM role-based access control for departments

Source: https://cloud.google.com/iam/docs/understanding-roles

Topics

#IAM#Access Control#Organizational Best Practices#Cloud Governance

Community Discussion

No community discussion yet for this question.

Full CLOUD-DIGITAL-LEADER Practice