Topic: Google Database Engineer topic 1 question 11

Your organization operates in a highly regulated industry. Separation of concerns (SoC) and the security principle of least privilege (PoLP) are critical. The operations team consists of:
Person A is a database administrator.
Person B is an analyst who generates metric reports.
Application C is responsible for automatic backups.
You need to assign roles to team members for Cloud Spanner. Which roles should you assign?

A.
roles/spanner.databaseAdmin for Person A
roles/spanner.databaseReader for Person B
roles/spanner.backupWriter for Application C
B.
roles/spanner.databaseAdmin for Person A
roles/spanner.databaseReader for Person B
roles/spanner.backupAdmin for Application C
C.
roles/spanner.databaseAdmin for Person A
roles/spanner.databaseUser for Person B
roles/spanner.databaseReader for Application C
D.
roles/spanner.databaseAdmin for Person A
roles/spanner.databaseUser for Person B
roles/spanner.backupWriter for Application C

Re: Google Database Engineer topic 1 question 11

A.
C is wrong because databaseUser (Person B) would allow database writes and the question says generate metric reports, which would be read access only. databaseReader (Application C) doesn't allow backups.
D is wrong because databaseUser (Person B) would allow database writes. That leaves A and B. Based upon Google's own documentation, it must be A. B would work, but backupAdmin for Application C would allow backup deletion as well as creation. backupWriter is described in the docs as "is intended to be used by scripts that automate backup creation".
https://cloud.google.com/spanner/docs/iam
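
The elimination argument in the reply above, written as a least-privilege check over IAM policy bindings (an added example, not part of the original post or of Google's documentation). The member names and the coarse capability labels are constructed for illustration; the labels only summarise the role descriptions discussed in this thread and are not a permission list.

```python
# Coarse capability labels per role, summarising the role descriptions
# discussed in the thread. Constructed for this example; not a permission list.
ROLE_CAPS = {
    "roles/spanner.databaseAdmin": {"db_admin", "db_read", "db_write"},
    "roles/spanner.databaseUser": {"db_read", "db_write"},
    "roles/spanner.databaseReader": {"db_read"},
    "roles/spanner.backupAdmin": {"backup_create", "backup_delete"},
    "roles/spanner.backupWriter": {"backup_create"},
}

# What each principal's duty requires (hypothetical member names).
PERSON_A = "user:person-a@example.com"
PERSON_B = "user:person-b@example.com"
APP_C = "serviceAccount:app-c@example-project.iam.gserviceaccount.com"
NEEDS = {
    PERSON_A: {"db_admin", "db_read", "db_write"},
    PERSON_B: {"db_read"},
    APP_C: {"backup_create"},
}

def audit(policy, needs=NEEDS):
    """Return sorted (member, problem, detail) findings for an IAM policy dict."""
    granted, findings = {}, []
    for binding in policy.get("bindings", []):
        caps = ROLE_CAPS.get(binding["role"])
        for member in binding.get("members", []):
            if caps is None:  # role not reviewed yet: surface it, never assume
                findings.append((member, "unreviewed-role", binding["role"]))
            else:
                granted.setdefault(member, set()).update(caps)
    for member in set(granted) | set(needs):
        have, want = granted.get(member, set()), needs.get(member, set())
        findings += [(member, "excess", cap) for cap in have - want]
        findings += [(member, "missing", cap) for cap in want - have]
    return sorted(findings)

def option(a_role, b_role, c_role):
    """Build a policy in the bindings/members shape for one answer option."""
    pairs = zip((a_role, b_role, c_role), (PERSON_A, PERSON_B, APP_C))
    return {"bindings": [{"role": r, "members": [m]} for r, m in pairs]}

ADMIN = "roles/spanner.databaseAdmin"
OPTIONS = {
    "A": option(ADMIN, "roles/spanner.databaseReader", "roles/spanner.backupWriter"),
    "B": option(ADMIN, "roles/spanner.databaseReader", "roles/spanner.backupAdmin"),
    "C": option(ADMIN, "roles/spanner.databaseUser", "roles/spanner.databaseReader"),
    "D": option(ADMIN, "roles/spanner.databaseUser", "roles/spanner.backupWriter"),
}

if __name__ == "__main__":
    for name, policy in OPTIONS.items():
        print(name, audit(policy) or "least privilege satisfied")
```

The same `audit` function accepts the JSON printed by `gcloud spanner instances get-iam-policy` once it is loaded into a dict, provided `NEEDS` is replaced with the real principals and their duties.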

Re: Google Database Engineer topic 1 question 11

We need an Admin for A, a reader for B and a Writer for C. Therefore A is the correct answer.

Re: Google Database Engineer topic 1 question 11

A is the one.
You don't need the backupAdmin.

Re: Google Database Engineer topic 1 question 11

Answer is A.

Re: Google Database Engineer topic 1 question 11

It should be A as per the documentation.
https://cloud.google.com/spanner/docs/iam#spanner.backupWriter

Re: Google Database Engineer topic 1 question 11

A is the best answer

Re: Google Database Engineer topic 1 question 11

A: roles/spanner.databaseAdmin for Person A
roles/spanner.databaseReader for Person B
roles/spanner.backupWriter for Application C

Re: Google Database Engineer topic 1 question 11

B and C are obviously wrong because the application only needs backupWriter permissions.
D is wrong because roles/spanner.databaseUser contains write permissions, and we don't need that.

Re: Google Database Engineer topic 1 question 11

A is the correct answer.
Cloud Spanner Backup Writer
This role is intended to be used by scripts that automate backup creation. A principal with this role can create backups, but cannot update or delete them. Lowest-level resource

Re: Google Database Engineer topic 1 question 11

Correct answer - A

Re: Google Database Engineer topic 1 question 11

D is wrong because databaseUser (Person B) would allow database writes.

That leaves A and B. Based upon Google's own documentation, it must be A. B would work, but backupAdmin for Application C would allow backup deletion as well as creation. backupWriter is described in the docs as "is intended to be used by scripts that automate backup creation".

https://cloud.google.com/spanner/docs/iam