
Answer-first summary for fast verification
Answer: Create an organization-level tag. Attach the tag to relevant folders. Use an IAM condition to restrict the organization policy administrator role to resources with that tag.
Option C is the correct answer because it uses organization-level tags with IAM conditions to restrict the organization policy administrator role to specific folders, providing granular control while minimizing administrative overhead. This approach aligns with Google's principle of least privilege by ensuring teams can only modify policies for folders with the designated tag. Option A is incorrect because custom IAM roles cannot include folder-based restrictions in their definition; they only accept permissions, not resource-level conditions. Option B violates security best practices by sharing service account credentials, which should be avoided. Option D grants excessive permissions at the organization level, violating the principle of least privilege. The community discussion supports C, noting that A's claim of limiting modifications via custom role definition is not feasible, and C provides efficient, secure control through tags and IAM conditions.
Author: LeetQuiz Editorial Team
You have a Google Cloud organization with multiple teams in separate folders. Each team needs the ability to change the Organization Policies that apply to their own work. How do you grant these permissions following Google-recommended security practices and with minimal administrative overhead?
A. Create a custom IAM role with the organization policy administrator permission and grant the permission to each team’s folder. Limit policy modifications based on folder names within the custom role’s definition.
B. Assign the organization policy administrator role to a central service account and provide teams with the credentials to use the service account when needed.
C. Create an organization-level tag. Attach the tag to relevant folders. Use an IAM condition to restrict the organization policy administrator role to resources with that tag.
D. Grant each team the organization policy administrator role at the organization level.