In policy terms, which constraint explains why an external identity with project-level access cannot access SecOps?


Multiple Choice

In policy terms, which constraint explains why an external identity with project-level access cannot access SecOps?

Explanation:
In policy terms, access depends on which principals are allowed to appear in a resource's IAM allow-policy bindings. The organization policy constraint constraints/iam.allowedPolicyMemberDomains (domain restricted sharing) limits those principals to identities that belong to an allowed set of Cloud Identity or Google Workspace customer IDs, in effect your own company's domains. When that constraint is enforced on the organization, folder or project that holds the SecOps instance, an external identity cannot be added to any binding there, no matter what project-level access it holds elsewhere. With no binding granting it a SecOps role such as roles/chronicle.viewer, it cannot access SecOps. Two caveats matter in practice: the constraint is evaluated when a binding is added or changed, so bindings that existed before it was set are not removed retroactively, and it governs IAM policy membership only, not how the user signs in.

The other options miss the policy angle: syncing external users with Google Cloud Directory Sync (GCDS) is directory replication, blocking sign-ins from outside the primary domain is an authentication control rather than a restriction on policy membership, and the Chronicle viewer role (roles/chronicle.viewer) is what the external identity would need to be granted; it does not express the domain-based eligibility constraint on policy bindings.
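As an added example that is not part of the quiz page, this is how the constraint discussed above is set in practice. The organization ID (123456789012), the customer ID (C0123abcd), the project name and the e-mail address used below are placeholders; substitute your own (your customer ID is the DIRECTORY_CUSTOMER_ID column of `gcloud organizations list`).

```yaml
# Added example: domain restricted sharing policy for the organization
# (or folder/project) that contains the project bound to Google SecOps.
# Placeholders: 123456789012 = organization ID, C0123abcd = Cloud Identity /
# Google Workspace customer ID. Apply with:
#   gcloud org-policies set-policy secops-drs.yaml
name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
spec:
  # Do not merge with any parent policy; this list is authoritative here.
  inheritFromParent: false
  rules:
    - values:
        allowedValues:
          # Only principals belonging to this customer may be named in
          # IAM bindings at or below this resource.
          - C0123abcd
```

To check the effect, run `gcloud org-policies describe iam.allowedPolicyMemberDomains --project=secops-prod --effective` to confirm the policy is inherited by the SecOps project, then try `gcloud projects add-iam-policy-binding secops-prod --member=user:alice@contractor.example --role=roles/chronicle.viewer`. The binding is rejected with a FAILED_PRECONDITION error stating that one or more users named in the policy do not belong to a permitted customer, which is exactly the constraint the question is asking about. Bindings that already existed before the policy was applied must be reviewed and removed separately, because the constraint does not clean them up for you.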
