In Cloud Identity + SecOps, external Google accounts are added to a group with project-level roles but cannot access SecOps, while internal users can. Which configuration most likely causes this?

Multiple Choice

Explanation:
The setting being tested is domain-based access control through an Organization Policy. The constraint constraints/iam.allowedPolicyMemberDomains restricts which domains can be used in IAM policy bindings. When this policy is in effect, only identities from approved domains can be granted IAM roles for resources. In this scenario, internal users from the company domain are allowed and can access SecOps, while external Google accounts—though they can be added to a group with project-level roles—do not belong to an allowed domain for SecOps, so their access is blocked. This explains why external accounts can have project-level roles but cannot reach SecOps, whereas internal users can. The other options don’t fit because they describe provisioning, sign-in blocking, or role applicability that doesn’t hinge on domain-based access restrictions for SecOps.
