GCP Professional Cloud Architect Practice Question
Your organization stores several hundred BigQuery datasets in a single production project. All datasets whose IDs begin with "public_" contain de-identified data that any member of the analytics Google group may query. Datasets with other IDs must remain restricted. You want to grant the analytics group view access only to the public_* datasets and automatically include any future datasets that match this naming pattern, while following the principle of least privilege. What should you do?
Create a separate project, publish authorized views of each public_* dataset there, and grant the analytics group Viewer access to that new project.
Individually grant the analytics group the roles/bigquery.dataViewer role on every dataset whose ID starts with public_, updating the IAM policy whenever new datasets are created.
Grant the analytics group the roles/bigquery.dataViewer role on the entire project that contains all datasets.
Create a project-level IAM binding that grants the analytics group the roles/bigquery.dataViewer role only when resource.name.startsWith("projects/_/datasets/public_") evaluates to true.
An IAM condition lets you attach an expression to an IAM policy binding so that the permissions are effective only when the condition evaluates to true. For BigQuery, the resource.name attribute can be used in conditions, and wildcards such as startsWith() let you match dataset IDs that follow a naming convention. Granting the predefined roles/bigquery.dataViewer role to the analytics group at the project level together with a condition like resource.name.startsWith("projects/_/datasets/public_") allows read access to any existing or newly created dataset whose ID starts with public_, while denying access to all other datasets. Other options are less appropriate: granting the role on the entire project is overly permissive; assigning dataset-level roles requires ongoing manual updates each time a dataset is added; using authorized views in another project would achieve data isolation but needs continuous creation of views and additional project administration, making it more complex than a single conditional IAM binding.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an IAM condition in Google Cloud?
Open an interactive chat with Bash
Can IAM conditions be used for other Google Cloud resources besides BigQuery?
Open an interactive chat with Bash
What is the principle of least privilege?
Open an interactive chat with Bash
What is IAM and how does it relate to managing access in GCP?
Open an interactive chat with Bash
How do IAM conditions work in GCP?
Open an interactive chat with Bash
Why is roles/bigquery.dataViewer appropriate for this use case?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Designing for security and compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .