
Answer-first summary for fast verification
Answer: The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.
The action fails because the 'Apps' folder has the constraints/iam.allowedPolicyMemberDomains organization policy set to allow only members from the flowlogistic.com domain, and the inheritFromParent property is set to false. This means the folder does not inherit the organization-level policy (which allows terramearth.com members) and instead enforces its own restrictive policy. Since testuser@terramearth.com is not from the flowlogistic.com domain, the access grant is denied.
Option D correctly identifies this outcome and reason.
Option A is incorrect because the folder policy restricts access to flowlogistic.com only.
Option B is wrong as IAM policies do not override organization policy constraints.
Option C is incorrect because the constraint is already defined and enforced at the folder level, and no temporary deactivation is possible or required.
Author: LeetQuiz Editorial Team
A Google Cloud organization has a single organization node with a folder named "Apps" containing multiple projects. The organization policy constraints/iam.allowedPolicyMemberDomains is set at the organization level, allowing only members from the terramearth.com domain. The "Apps" folder sets the same constraint but allows only members from the flowlogistic.com domain, and this folder-level policy has the inheritFromParent property set to false.
You attempt to grant access to a project within the "Apps" folder to the user testuser@terramearth.com.
What is the result of this action and why?
A. The action succeeds because members from both organizations, terramearth.com or flowlogistic.com, are allowed on projects in the "Apps" folder.
B. The action succeeds and the new member is successfully added to the project's Identity and Access Management (IAM) policy because all policies are inherited by underlying folders and projects.
C. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.
D. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.