GCP Professional Cloud Security Engineer Practice Question
Your organization's security team created an Organization-level IAM policy that grants the Security Admins group the roles/accesscontextmanager.policyAdmin role. A project owner later attempts to remove this role from the group at the project level, claiming it is not needed for their workloads. What will be the effective result of this change, and why?
The removal will succeed; project-level bindings override any broader scope bindings, so the group will lose the role in that project.
The removal will fail; bindings inherited from a parent resource cannot be modified lower in the hierarchy, and the group will retain the role.
The removal will succeed, but the group will keep the role because inherited deny rules have higher priority than allow rules.
The removal will succeed, and the group will retain the role until the Organization-level policy is explicitly updated to reflect the change.
IAM policies in Google Cloud are inherited downward through the resource hierarchy: a role granted at the Organization is automatically effective for all folders, projects, and resources beneath it. Lower-level resources can add additional role bindings, but they cannot revoke or override permissions that were allowed at a higher level. Therefore, when the project owner attempts to remove the roles/accesscontextmanager.policyAdmin binding for the Security Admins group at the project level, the change is rejected; the project cannot modify or nullify an inherited binding. Consequently, the group continues to have the role in that project. Options that claim the removal overrides or partly cancels the inherited permission are incorrect, and there is no interaction with deny policies in this scenario.
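The inheritance rule in the explanation above, as an added example that is not part of the original page: a small Python model (not Google's implementation) that computes the effective allow bindings for a project as the union of every policy on its ancestry path and reports which level a grant comes from. The resource names, the folder level, and the member addresses are constructed placeholders.

```python
# Added example: minimal model of allow-policy inheritance in a resource hierarchy.
# All resource names and member addresses below are constructed placeholders.

ROLE = "roles/accesscontextmanager.policyAdmin"
GROUP = "group:security-admins@example.com"

# child -> parent; the organization is the root of the hierarchy.
PARENTS = {
    "projects/example-project": "folders/example-folder",
    "folders/example-folder": "organizations/example-org",
    "organizations/example-org": None,
}

# Allow policy attached directly to each resource: role -> set of members.
POLICIES = {
    "organizations/example-org": {ROLE: {GROUP}},
    "folders/example-folder": {},
    "projects/example-project": {"roles/viewer": {"user:dev@example.com"}},
}


def ancestry(resource):
    """Yield the resource, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENTS[resource]


def effective_bindings(resource):
    """Union of the bindings set on the resource and on every ancestor."""
    merged = {}
    for node in ancestry(resource):
        for role, members in POLICIES.get(node, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged


def grant_sources(resource, role, member):
    """Return the hierarchy levels whose own policy grants `role` to `member`."""
    return [node for node in ancestry(resource)
            if member in POLICIES.get(node, {}).get(role, set())]


if __name__ == "__main__":
    project = "projects/example-project"
    print(GROUP in effective_bindings(project).get(ROLE, set()))
    print(grant_sources(project, ROLE, GROUP))
```

The project's own policy never lists the role, yet the group holds it there because the only source of the grant is the organization node.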
GCP Professional Cloud Security Engineer
Configuring Access