Your company has a single Google Cloud Organization. It has just acquired two new lines of business (LoBs). Corporate security administrators must be able to set organization-wide IAM roles and organization policies once and have them apply everywhere. Each LoB, however, must be able to manage IAM roles and policies for its own production and development projects independently, without affecting the other LoB. You want a hierarchy that satisfies these requirements while keeping maintenance overhead as low as possible. Which design should you implement?
Create one top-level folder for each line of business, and inside each folder create separate prod and dev sub-folders for that LoB's projects.
Register a separate Google Cloud Organization for each line of business and create prod and dev projects directly under each Organization.
Place all projects directly under the Organization and use labels for LoB and environment; rely on label-based IAM conditions for access control.
Create two top-level folders named prod and dev under the Organization; place every LoB's projects in the appropriate environment folder.
Creating one folder per line of business directly under the Organization, and then creating prod and dev sub-folders inside each business-unit folder, best meets the requirements.
All resources still inherit the security team's organization-level IAM bindings and Organization Policies.
Delegating Folder Admin on each business-unit folder lets that LoB's administrators control its own resources while remaining isolated from the other LoB.
Separate prod and dev sub-folders inside the LoB folder give each unit a clear boundary for environment-specific policies (for example, stricter constraints in prod) without affecting other units.
The alternatives have drawbacks:
A pair of top-level prod and dev folders would mix multiple LoBs in the same folder, making it impossible to delegate administration per LoB.
Using only project placement with labels provides no policy-inheritance boundary, so LoB admins could not manage shared constraints independently.
Creating a separate Organization for each LoB would work functionally but would require maintaining duplicate organization-level policies and IAM bindings in every Organization, increasing administrative effort.
GCP Associate Cloud Engineer
Setting up a cloud solution environment