ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Network Engineer All Questions

View all questions & answers for the Professional Cloud Network Engineer exam
Go to Exam

Exam Professional Cloud Network Engineer topic 1 question 108 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 108
Topic #: 1
[All Professional Cloud Network Engineer Questions]

You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?

  • A. Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.
  • B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
  • C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.
  • D. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by AzureDP900 at Dec. 1, 2022, 4:31 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ccieman2016
Highly Voted 2 years, 2 months ago
Selected Answer: B
I'm not 100% sure for this question. for me, this question is about shared vpc, go to documentation: https://cloud.google.com/vpc/docs/shared-vpc "Implement a security best practice of least privilege for network administration, auditing, and access control. Shared VPC Admins can delegate network administration tasks to Network and Security Admins in the Shared VPC network without allowing Service Project Admins" following this recommendation above, cann't be letter C and D, definitely. So, can be A or B. But question say: "across multiple folders" and "task in the fewest number of steps" If we go to letter A, this configuration cann't be complete with fewest steps, principal if we have 100 folders. In my opinion is letter B, this is a personal opinion.
upvoted 14 times
Loved
1 year, 4 months ago
But with B you give the permission to all the folder of the Org, not only the one on which the engineer has to work..
upvoted 1 times
BenMS
1 year, 1 month ago
The question requires granting access to projects across multiple folders in the fewest steps - therefore you need to apply xpnAdmin at the Org level.
upvoted 1 times
...
...
...
arnodasilva
Highly Voted 1 year, 3 months ago
Selected Answer: D
Correct answer: D "Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC" https://cloud.google.com/vpc/docs/shared-vpc#iam_roles_required_for_shared_vpc
upvoted 8 times
...
waelghaith
Most Recent 7 months ago
Selected Answer: B
I'll go with B since the responsibility is JUST "setting up multiple host projects across multiple folders and sharing subnets with service projects" and no need for Project IAM Admin role
upvoted 1 times
...
ian_gcpca
7 months ago
Selected Answer: B
requirements: 1. setting up multiple host projects across multiple folders and 2. sharing subnets with service projects B, is not enough to provide both requirements (only item 1), would require network admin for 2 but providing IAM admin role (D) would be overkill as it gives too much access to the engineer. Also just giving IAM admin would not resolve the issue since the engineer still needs to grant network admin to self to perform item 2. So if we follow Google Best Practice for least privs. Answer is B
upvoted 1 times
...
dragos_dragos62000
1 year ago
Selected Answer: B
Answer is B, since the Shared VPC Admin referece to both compute.xpnAdmin and resourcemanager.projectIamAdmin.
upvoted 3 times
...
AaronLee
1 year ago
Selected Answer: D
Shared VPC Admins have the "Compute" Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) Compute Shared VPC Admin: ...... resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list Project IAM Admin: resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy (which "Compute" Shared VPC Admin doesn't have) So only "Compute" Shared VPC Admin is not enough for this question. I think the answer is D. https://cloud.google.com/vpc/docs/shared-vpc#iam_roles_required_for_shared_vpc
upvoted 1 times
...
guilhermisPT
1 year, 1 month ago
Selected Answer: D
https://cloud.google.com/vpc/docs/shared-vpc#iam_roles_required_for_shared_vp
upvoted 1 times
...
crg63
1 year, 3 months ago
Selected Answer: D
Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. Put at org level for least # of steps
upvoted 3 times
...
asharma7
1 year, 11 months ago
It is B because Project IAM admin role is already part of Shared VPC Admin role. https://cloud.google.com/vpc/docs/shared-vpc
upvoted 1 times
...
pk349
2 years ago
• B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization ***** level.
upvoted 1 times
...
pfilourenco
2 years, 1 month ago
Selected Answer: B
correct answer - B, Compute Shared VPC Admin (compute.xpnAdmin) at org level since we need to manage N host projects in diferente folders.
upvoted 5 times
...
jitu028
2 years, 1 month ago
correct answer - B, Compute Shared VPC Admin (compute.xpnAdmin) suffice the requirement
upvoted 1 times
...
Jervv
2 years, 1 month ago
C. Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC, such as enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins. https://cloud.google.com/vpc/docs/shared-vpc
upvoted 1 times
...
Jervv
2 years, 1 month ago
Selected Answer: C
C. Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC, such as enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins. https://cloud.google.com/vpc/docs/shared-vpc
upvoted 2 times
...
AzureDP900
2 years, 2 months ago
This is most appropriate role. C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level
upvoted 1 times
AzureDP900
2 years, 1 month ago
I will choose B after reading question again and detailed explanations by ccieman2016
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel