ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Network Engineer All Questions

View all questions & answers for the Professional Cloud Network Engineer exam
Go to Exam

Exam Professional Cloud Network Engineer topic 1 question 46 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 46
Topic #: 1
[All Professional Cloud Network Engineer Questions]

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?

  • A. Assign members of the networking team the compute.networkUser role.
  • B. Assign members of the networking team the compute.networkAdmin role.
  • C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
  • D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Jos at June 22, 2020, 4:25 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
terrain
Highly Voted 5 years ago
"B" should be the correct answer https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin "For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group."
upvoted 15 times
...
beebee
Highly Voted 5 years ago
Should be B: https://cloud.google.com/compute/docs/access/iam
upvoted 14 times
...
RKS_2021
Most Recent 6 months, 2 weeks ago
Selected Answer: B
I have verified Network admin give the read permissions to firewall policies.
upvoted 2 times
...
3fd692e
10 months ago
Selected Answer: B
computer.networkAdmin role as outlined in option B is the RIGHT answer. Read more here: https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin
upvoted 2 times
...
thewalker
1 year, 3 months ago
Selected Answer: C
To set up permissions for the networking team so that they can read firewall rules, but cannot create, modify, or delete them, you should assign them a custom role with only the compute.networks.* and the compute.firewalls.list permissions. Here are the steps on how to create a custom role with only the compute.networks.* and the compute.firewalls.list permissions: Go to the IAM page in the GCP Console. Click on the Create role button. Enter a name for the role, such as "Network Viewer". Select the Permissions tab. Search for the compute.networks.* permission and select it. Search for the compute.firewalls.list permission and select it. Click on the Create role button. Once you have created the custom role, you can assign it to members of the networking team.
upvoted 3 times
3fd692e
10 months ago
C is INCORRECT. B is the CORRECT answer. The compute.networkAdmin role does NOT give too much permission. Per the documentation: "Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances" Read for yourself: https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin
upvoted 2 times
...
thewalker
1 year, 3 months ago
The other options are incorrect because: A. Assign members of the networking team the compute.networkUser role. The compute.networkUser role does not have the compute.firewalls.list permission. B. Assign members of the networking team the compute.networkAdmin role. The compute.networkAdmin role has too many permissions. It allows members of the networking team to create, modify, and delete firewall rules. D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission. The compute.networkViewer role does not have the compute.firewalls.list permission. The compute.networks.use permission is not necessary for the networking team to read firewall rules. Therefore, the best option is to assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
upvoted 2 times
...
...
maxou
1 year, 3 months ago
if you read the article, then it is B Network user role
upvoted 2 times
...
BenMS
1 year, 7 months ago
Selected Answer: B
This scenario is the specific purpose of the Network Admin role: https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin
upvoted 4 times
...
Kyle1776
1 year, 9 months ago
Selected Answer: C
Assigning the compute.networkAdmin role grants excessive permissions, including the ability to modify, create, or delete firewall rules, which goes against the requirement of restricting such actions for the networking team. Only option C matches the requirements to list Firewall rules and no additional permissions.
upvoted 1 times
...
gcpengineer
1 year, 12 months ago
Selected Answer: B
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
upvoted 3 times
...
Jason_Cloud_at
2 years, 1 month ago
Actually , both A & B has the same permission (firewall.get & firewall.list) , by reading some of the documents im going with B
upvoted 1 times
...
aimik
2 years, 3 months ago
Selected Answer: A
the corret answer is A with B you can cerate delete and edit the firewall toles
upvoted 1 times
Jason_Cloud_at
2 years, 1 month ago
No , In B you cant delete and edit firewall rules
upvoted 1 times
...
...
Komal697
2 years, 4 months ago
Selected Answer: A
A. Assign members of the networking team the compute.networkUser role. The compute.networkUser role grants read-only access to networking resources, including firewall rules, without the ability to modify them. This will give the networking team the ability to view the firewall rules they need to see, but not make any changes to them. Option B would grant too many permissions to the networking team, allowing them to create, modify, and delete firewall rules. Option C would grant the networking team read access to all networking resources, including subnets and routes, which they may not need. Option D would grant the networking team the ability to use network resources, but not necessarily to read firewall rules specifically.
upvoted 1 times
gcpengineer
1 year, 12 months ago
its network team they will need subnets n routes
upvoted 1 times
...
...
wellvazdelima
2 years, 4 months ago
The correct answer is B: Link: https://cloud.google.com/compute/docs/access/iam?hl=pt-br#compute.networkAdmin "Permissions to create, modify, and delete network resources except firewall rules and SSL certificates. The Network Administrator role provides read-only access to firewall rules, SSL certificates, and instances to view their temporary IP addresses. This role does not allow the user to create, start, stop or delete instances."
upvoted 1 times
...
emil_d
2 years, 4 months ago
Selected Answer: B
NetworkAdmin has: compute.firewalls.get compute.firewalls.list
upvoted 3 times
...
igeadubi
2 years, 5 months ago
Selected Answer: C
Compute Admin has more than firewall.list in it. There is create, delete, get, move etc. I'll go for C
upvoted 1 times
...
pk349
2 years, 6 months ago
"B" should be the correct answer https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin *** ”For example, if your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, then grant this role to the networking team's group."
upvoted 2 times
...
AzureDP900
2 years, 8 months ago
B is right Compute Network Admin (roles/compute.networkAdmin) Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel