Group B requires access to all data except the 'restricted' namespace. Which data access scope design would satisfy this?

Explanation:
Fine-grained access control with data scopes lets you grant broad access while explicitly excluding certain areas. The best design here is to create a data access scope that permits all data but excludes the restricted namespace, then assign that scope to Group B in IAM. This directly gives Group B access to everything except the restricted namespace, satisfying the requirement.

Why this works: it combines an inclusive scope (all data) with a clear exclusion (the restricted namespace), enforcing the exact limitation through IAM. Creating a scope that includes restricted data would violate the constraint. A scope that excludes a namespace without tying it to the specific restricted one could be ambiguous, and a global scope with no exclusions would grant access to the restricted data as well. Attaching the scope in IAM ensures consistent enforcement across resources for the group.
