Your team has set up a Shared VPC with co-vpc-prod as the host project, where firewall rules, subnets, and a VPN gateway are configured. To allow Engineering Group A to attach a Compute Engine instance exclusively to the 10.1.1.0/24 subnet, what specific permission should your team grant to the group?