
PROFESSIONAL-DATA-ENGINEER Question #322: Real Exam Question with Answer & Explanation

The correct answer is A: 1. Grant the dataplex.dataOwner role to the data engineer group on the customer data lake.

Submitted by javi_es · Mar 30, 2026 · Designing data processing systems

Question

You are designing a data mesh on Google Cloud by using Dataplex to manage data in BigQuery and Cloud Storage. You want to simplify data asset permissions. You are creating a customer virtual lake with two user groups:

  • Data engineers, which require full data lake access
  • Analytic users, which require access to curated data

You need to assign access rights to these two groups. What should you do?

Options

  • A. 1. Grant the dataplex.dataOwner role to the data engineer group on the customer data lake.
  • B. 1. Grant the dataplex.dataReader role to the data engineer group on the customer data lake.
  • C. 1. Grant the bigquery.dataOwner role on BigQuery datasets and the storage.objectCreator role on Cloud Storage buckets to data engineers.
  • D. 1. Grant the bigquery.dataViewer role on BigQuery datasets and the storage.objectViewer role on Cloud Storage buckets to data engineers.

Explanation

Option A is correct because Dataplex provides a unified IAM layer that propagates permissions down to underlying BigQuery datasets and Cloud Storage buckets automatically - granting dataplex.dataOwner to data engineers at the lake level gives them full read/write/manage access across all assets without requiring separate per-service role assignments, directly fulfilling the goal of simplifying data asset permissions.

Option B is wrong because dataplex.dataReader is read-only; data engineers need full lake access, not just the ability to query data.

Options C and D are wrong for the same core reason: they bypass Dataplex's unified IAM and assign individual BigQuery and Cloud Storage roles directly, which complicates rather than simplifies permission management - and defeats the purpose of using Dataplex in a data mesh architecture. Additionally, D's roles (dataViewer + objectViewer) are far too restrictive for engineers who need write access.

Memory tip: When a question mentions Dataplex and "simplify permissions," always reach for Dataplex-native roles (dataplex.dataOwner, dataplex.dataReader) rather than service-specific roles. Think: one Dataplex role, many assets covered.

Topics

#Dataplex #IAM Roles #Data Mesh #Data Lake Security
