
A Google Cloud organization has a single organization node with a folder named "Apps" containing multiple projects. The organization policy constraints/iam.allowedPolicyMemberDomains is set at the organization level, allowing only members from the terramearth.com domain. The "Apps" folder enforces the same organization policy but allows only members from the flowlogistic.com domain, and this policy has the inheritFromParent property set to false.
You attempt to grant access to a project within the "Apps" folder to the user testuser@terramearth.com.
What is the result of this action and why?
A. The action succeeds because members from both organizations, terramearth.com or flowlogistic.com, are allowed on projects in the "Apps" folder.
B. The action succeeds and the new member is successfully added to the project's Identity and Access Management (IAM) policy because all policies are inherited by underlying folders and projects.
C. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.
D. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.