
Associate Cloud Engineer Exam - Question 111


Your management has asked an external auditor to review all the resources in a specific project. The security team has enabled the Organization Policy called Domain Restricted Sharing on the organization node by specifying only your Cloud Identity domain. You want the auditor to only be able to view, but not modify, the resources in that project. What should you do?

Correct Answer: C

When the organization has the Domain Restricted Sharing policy enabled, sharing resources with accounts outside the Cloud Identity domain is not allowed. Therefore, creating a temporary account for the auditor in Cloud Identity ensures compliance with this policy. Assigning the Viewer role to this temporary account allows the auditor to view all resources without any modification privileges.

Discussion

17 comments
dan80 (Option: C)
Jun 8, 2020

C - https://cloud.google.com/iam/docs/roles-audit-logging#scenario_external_auditors

spudleymcdudley
Jul 2, 2020

This guy is right!

ESP_SAP (Option: C)
Aug 20, 2020

Correct Answer is (C): roles/viewer Read access to all resources. Get and list access for all resources. Using primitive roles The following table lists the primitive roles that you can grant to access a project, the description of what the role does, and the permissions bundled within that role. Avoid using primitive roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use primitive roles, see the Identity and Access Management FAQ. IAM predefined roles are much more granular, and allow you to carefully manage the set of permissions that your users have access to. See Understanding Roles for a list of roles that can be granted at the project level. Creating custom roles can further increase the control you have over user permissions. https://cloud.google.com/resource-manager/docs/access-control-proj#using_primitive_roles

Rahaf99 (Option: C)
Nov 19, 2023

It could be A, but C is more practical: you don't have to give the auditor an extra 3 seconds of work, or yourself the work of deleting him after he finishes.

ogerber (Option: C)
Dec 5, 2023

Domain Restricted Sharing: Since your organization has the Domain Restricted Sharing policy enabled, sharing resources with accounts outside your Cloud Identity domain isn't allowed. Therefore, options A and B, which involve using the auditor's Google account, aren't feasible.

alex000 (Option: A)
Jan 7, 2023

From: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors "The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. During normal access, the auditors' Google group is only granted access to view the historic logs stored in BigQuery. If any anomalies are discovered, the group is granted permission to view the actual Cloud Logging Admin Activity logs via the dashboard's elevated access mode. At the end of each audit period, the group's access is then revoked."

thewalker (Option: D)
Nov 23, 2023

D. As per the documentation, Security Reviewer is a narrower role than the basic Viewer role: https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer https://cloud.google.com/iam/docs/understanding-roles#viewer

thaliath (Option: C)
Jan 12, 2023

Correct answer is C. A is not correct. You cannot ask someone to create a personal Google account. He/she has no obligation to do so.

sabrinakloud (Option: C)
Apr 17, 2023

I believe it is C.

Shenannigan (Option: C)
May 7, 2023

Answer is definitely C. Please review this, as it seems to be overlooked in the other comments: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains (a Google account that isn't part of the domain will not work unless you specifically allow exceptions at the project level, and that was not defined in the answers).

WendyLC (Option: C)
Jun 11, 2023

Correct Answer is (C): Answer A is wrong because we can't use the auditor's Google account; the security team has enabled the Organization Policy specifying only one Cloud Identity domain.

Neha_Pallavi (Option: C)
Aug 25, 2023

Correct Answer is (C):

Captain1212 (Option: C)
Sep 3, 2023

C is more correct

scanner2 (Option: C)
Sep 7, 2023

The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain or organization resource. This constraint allows you to restrict the set of identities that are allowed to be used in Identity and Access Management policies. Organization policies can use this constraint to limit resource sharing to identities that belong to a particular organization resource. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

BAofBK (Option: C)
Nov 6, 2023

The correct answer is C

kelliot (Option: C)
Nov 28, 2023

C, without doubt

Ankit_EC_ran (Option: C)
Mar 12, 2024

CORRECT ANSWER IS C

kayceeec (Option: C)
Jun 23, 2024

The key word is "Organization Policy called Domain Restricted Sharing." His external Google account won't work.