Topic: Google Cloud Architect topic 1 question 85

Your company captures all web traffic data in Google Analytics 360 and stores it in BigQuery. Each country has its own dataset. Each dataset has multiple tables.
You want analysts from each country to be able to see and query only the data for their respective countries.
How should you configure the access rights?

A.
Create a group per country. Add analysts to their respective country-groups. Create a single group 'all_analysts', and add all country-groups as members. Grant the 'all_analysts' group the IAM role of BigQuery jobUser. Share the appropriate dataset with view access with each respective analyst country-group.
B.
Create a group per country. Add analysts to their respective country-groups. Create a single group 'all_analysts', and add all country-groups as members. Grant the 'all_analysts' group the IAM role of BigQuery jobUser. Share the appropriate tables with view access with each respective analyst country-group.
C.
Create a group per country. Add analysts to their respective country-groups. Create a single group 'all_analysts', and add all country-groups as members. Grant the 'all_analysts' group the IAM role of BigQuery dataViewer. Share the appropriate dataset with view access with each respective analyst country-group.
D.
Create a group per country. Add analysts to their respective country-groups. Create a single group 'all_analysts', and add all country-groups as members. Grant the 'all_analysts' group the IAM role of BigQuery dataViewer. Share the appropriate table with view access with each respective analyst country-group.
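The configuration in option A, written out as a worked example that is not part of the original question or the replies below. It grants roles/bigquery.jobUser once at the project level (which lets members create query jobs but exposes no data) and roles/bigquery.dataViewer separately on each country dataset. The project ID, the dataset naming convention, and the group addresses are assumptions for illustration; the Google Groups are assumed to already exist in Cloud Identity, with each country group nested in the all_analysts group.

```terraform
# Added example, not code from the original page.
# Assumed values: project "analytics-prod", datasets named "ga360_<country>",
# and pre-existing Google Groups with the addresses listed in country_groups.

locals {
  project_id         = "analytics-prod"              # assumed project ID
  all_analysts_group = "all_analysts@example.com"    # assumed; nests the country groups
  country_groups = {                                 # assumed: country code -> group
    de = "analysts-de@example.com"
    fr = "analysts-fr@example.com"
    jp = "analysts-jp@example.com"
  }
}

# Project level: every analyst may create jobs (run queries) in the project.
# jobUser carries no bigquery.tables.getData, so this binding reveals no data
# and does not let members list or read any dataset.
resource "google_project_iam_member" "all_analysts_job_user" {
  project = local.project_id
  role    = "roles/bigquery.jobUser"
  member  = "group:${local.all_analysts_group}"
}

# Dataset level: each country group may read only its own dataset.
# Granting dataViewer here (rather than on the project, as option C does)
# is what keeps other countries' datasets invisible to the group.
resource "google_bigquery_dataset_iam_member" "country_data_viewer" {
  for_each   = local.country_groups
  project    = local.project_id
  dataset_id = "ga360_${each.key}"   # assumed naming convention
  role       = "roles/bigquery.dataViewer"
  member     = "group:${each.value}"
}
```

To check the result after apply, `gcloud projects get-iam-policy analytics-prod` should list the all_analysts group only under roles/bigquery.jobUser, and `bq show --format=prettyjson analytics-prod:ga360_de` should show the German group in the dataset's access entries while the French and Japanese datasets do not. If the group had been granted roles/bigquery.dataViewer on the project instead, that project-level binding would let every member enumerate and read every dataset in the project, regardless of which datasets were shared individually.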

Re: Google Cloud Architect topic 1 question 85

It should be A. The question requires that users from each country can only view a specific dataset, so BQ dataViewer cannot be assigned at project level. Only A could limit the users to querying and viewing the data that they are supposed to be allowed to see.

Re: Google Cloud Architect topic 1 question 85

Should be C.

https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer

Data viewer role can be applied to a Table and a View.

JobUser can be applied only at a project level, not at a dataset level.

https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser

Re: Google Cloud Architect topic 1 question 85

Incorrect, should be A. BigQuery Job User
(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Re: Google Cloud Architect topic 1 question 85

A is wrong


Re: Google Cloud Architect topic 1 question 85

Should be C
https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer

When applied to a dataset, dataViewer provides permissions to:

Read the dataset's metadata and to list tables in the dataset.
Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Re: Google Cloud Architect topic 1 question 85

Option C grants read permission to all datasets globally, which violates the request "You want analysts from each country to be able to see and query only the data for their respective countries".

So the correct answer is A.

Re: Google Cloud Architect topic 1 question 85

https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer
"When applied to a dataset.." you can apply dataViewer role to a specific dataset.

Re: Google Cloud Architect topic 1 question 85

It is C.
Question says analysts should be able to see and query only the data for their respective countries. BigQuery Data Viewer permission will allow only reading and querying the table/view data.

Re: Google Cloud Architect topic 1 question 85

Go with A.

Re: Google Cloud Architect topic 1 question 85

C is right; even if dataViewer is granted at project level, the dataset is shared with view access only to the country group.

Re: Google Cloud Architect topic 1 question 85

A is the correct answer. Tested the two scenarios: with `jobUser` permissions it does not allow the user to see a dataset, whereas with `dataViewer` it has permissions for all the datasets. Note the difference is in the initial permission across the project and not per dataset.

Re: Google Cloud Architect topic 1 question 85

It's A because in order to query, one needs the jobUser role. dataViewer doesn't grant the ability to actually query the datasets one has been given access to.

https://cloud.google.com/bigquery/docs/running-queries#required_permissions

Re: Google Cloud Architect topic 1 question 85

I'm siding with C on this one.
The jobUser role has the bigquery.jobs.create permission, which allows it to load data into BQ, which analysts shouldn't do.
Data Viewer has no permissions to add or edit data (it can create a snapshot of the data, extract it or replicate it at most).

Re: Google Cloud Architect topic 1 question 85

BigQuery Data Viewer
(roles/bigquery.dataViewer)
When applied to a table or view, this role provides permissions to:
Read data and metadata from the table or view.
This role cannot be applied to individual models or routines.
When applied to a dataset, this role provides permissions to:
Read the dataset's metadata and list tables in the dataset.
Read data and metadata from the dataset's tables.
When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.
Lowest-level resources where you can grant this role:
Table and view

BigQuery Job User
(roles/bigquery.jobUser)
Provides permissions to run jobs, including queries, within the project.
Lowest-level resources where you can grant this role:
Project

Analyst must query data --> BigQuery Data Viewer

Re: Google Cloud Architect topic 1 question 85

A: jobUser to execute queries in general; dataViewer for viewing the country dataset.

Re: Google Cloud Architect topic 1 question 85

Lowest-level resources where you can grant this role:
dataViewer: Table, View
jobUser: Project

You don't want to grant access to the entire project, only the dataset which is divided per country. Definitely C.
https://cloud.google.com/bigquery/docs/access-control#bigquery.dataViewer

Re: Google Cloud Architect topic 1 question 85

Correct answer is A.

Note this: "Share the appropriate dataset with *view access* with each respective analyst country-group".

"view access" is the key.

Re: Google Cloud Architect topic 1 question 85

A. Create a group per country. Add analysts to their respective country-groups. Create a single group 'all_analysts', and add all country-groups as members. Grant the 'all_analysts' group the IAM role of BigQuery jobUser. Share the appropriate dataset with view access with each respective analyst country-group.

As all analysts need to execute queries, they need the jobUser role.
They should be restricted to viewing all datasets (not tables) of their respective country.

Re: Google Cloud Architect topic 1 question 85

It is C for sure. A gives project-level permissions, which defies the requirement to have access at the dataset level.

Re: Google Cloud Architect topic 1 question 85

JobUser required to run queries


Re: Google Cloud Architect topic 1 question 85

Incorrect - should be A

Re: Google Cloud Architect topic 1 question 85

ChatGPT says C

Re: Google Cloud Architect topic 1 question 85

Job user = Able to create query
Data Viewer = Able to view the data