
Explanation:
The correct answer is D because it follows Google's recommended practice for letting a service account access user data without ever handling the users' own credentials. With G Suite domain-wide delegation, the service account is authorized to impersonate users in the domain, so the application can access each user's Google Drive on that user's behalf while the user's password and tokens stay out of the application entirely. Options A and B are incorrect: the Service Account User role lets users act as the service account, which is the reverse of what is required (the service account must act as the user). Option C is unsuitable because a dedicated G Suite Admin account gives the application blanket admin access rather than per-user access, which violates the principle of least privilege. Although one comment questions domain-wide delegation, the consensus and the official documentation support it as the appropriate solution for this scenario.
You are developing an internal App Engine application that requires access to a user's Google Drive without relying on the user's credentials. Your organization wants to adhere to Google's recommended practices. What should you do?
A. Create a new service account, and give all application users the role of Service Account User.
B. Create a new service account, and add all application users to a Google Group. Give this group the role of Service Account User.
C. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.