You need to delegate IAM management for Google Cloud projects to individual business units within a large organization. The solution must meet these requirements:

Each business unit manages IAM roles and permissions for their own projects.

Each business unit can manage permissions at scale.

Business units cannot access each other's projects.

Access is automatically revoked when users move between business units or leave the company.

User identities and group memberships are managed through an on-premises directory service.

What should you do? (Choose two.)

Exam-Like

Use VPC Service Controls to create perimeters around each business unit's project.

Organize projects in folders, and assign permissions to Google groups at the folder level.

Group business units based on Organization Units (OUs) and manage permissions based on OUs

Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.

Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Google Professional Cloud Security Engineer