Associate Cloud Engineer

We recommend collecting users with the same responsibilities into groups and assigning IAM roles to the groups rather than to individual users. For example, you can create a "data scientist" group and assign appropriate roles to enable interaction with BigQuery and Cloud Storage. When a new data scientist joins your team, you can simply add them to the group and they will inherit the defined permissions. You can create and manage groups through the Admin Console.

C is correct - https://cloud.google.com/compute/docs/instances/managing-instance-access

Send private key to users is not safe, i think it's C

Selected Answer: C
C is the answer Thanks to P A S S 4 S U R E H U B

Selected Answer: C
Best Choice: C

Option C is the best approach because it uses Google Cloud IAM roles to control access, integrates with Google accounts learns-google.blogspot.com for individual credential management, and supports efficient auditing and access tracking. Each user will have their own SSH key, and their actions can be traced through IAM logs, providing both security and accountability.

Selected Answer: C
c is correct because you should never give your private keys

Selected Answer: C
I have taken GCP ACE exam today morning and also cleared exam.
Below are my suggestions and observations.
1. Almost 75-80% questions were from these exams (ExamTopics).
2. You will get same options as like this forum.
3. If your concepts are clear and if you have done good practice on these questions, you will be able to clear exam.
4. Please read question and options carefully, lot of questions are having almost same answer with some twist.
5. so what is required from question, and what options are available? eliminate groups on the basis of logic and words and try to get correct answer on the basis of your functional knowledge.

Best luck

. Which Kubernetes component would you use to ensure traffic is correctly routed to pods running your application?
A. Pod router
B. Deployment
C. Service
D. PersistentIPClaim

Cloud anyone please tell me the answer?

Selected Answer: C
Option C is correct because asking each member of the team to generate a new SSH key pair and to add the public key to their Google account allows the security team to manage the deployment of credentials efficiently. 

It also allows the security team to determine who accessed a given instance because the public key is associated with the Google account of the user. 

Granting the "compute.osAdminLogin" role to the Google group corresponding to this team ensures that all members of the team have administrative access to the servers.

Selected Answer: C
C is correct
In this scenario, granting the "compute.osAdminLogin" role to a Google group corresponding to the operational team would be the best option. This role would provide each team member with administrative access to instances, and by adding their public key to their Google account, they can use it to authenticate their access to instances without the need for a separate key management system. Additionally, the security team's requirement for auditing access can be met by using Cloud Audit Logging to log all access to the instances.

Selected Answer: C
Avoiding the other options:

Distributing a single private key to multiple members is not a best practice as it doesn't provide individual accountability.
Manually deploying public keys on each instance using a configuration management tool can be cumbersome and doesn't provide the flexibility and integration that Google's IAM provides.
By following the recommended approach, the organization can maintain a secure, traceable, and efficient method for managing access to Compute Engine instances.

Selected Answer: C
C is the most appropriate. In this option, each team member generates their own SSH key pair and adds the public key to their Google account. By granting the `compute.osAdminLogin` role to the corresponding Google group for this team, security is enhanced, and operational efficiency is improved. This setup also allows precise tracking of which member accessed which instance.

Best Choice: C

Option C is the best approach because it uses Google Cloud IAM roles to control access, integrates with Google accounts for individual credential management, and supports efficient auditing and access tracking. Each user will have their own SSH key, and their actions can be traced through IAM logs, providing both security and accountability.

There is something which you must know. NEVER SHARE PRIVATE KEY.

Why in the world would I give the private key to each member of my team. The answer is C

D https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance. What should you do?

Selected Answer: A
A could be possible if we were talking about organization in the question, But here, it's clearly specified "*project*"
"You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps."
from google doc: https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

EXAMPLES
To create a copy of an existing role spanner.databaseAdmin into an organization with 1234567, run:

gcloud iam roles copy --source="roles/spanner.databaseAdmin" --destination=CustomViewer --dest-organization=1234567
To create a copy of an existing role spanner.databaseAdmin into a project with PROJECT_ID, run:


gcloud iam roles copy --source="roles/spanner.databaseAdmin" --destination=CustomSpannerDbAdmin --dest-project=PROJECT_ID

Selected Answer: A
The correct answer is Option A.

To create the same IAM roles in a production project as in a development project, using the fewest possible steps, you can use the gcloud iam roles copy command and specify the production project as the destination project.

The `gcloud iam roles copy` command allows you to copy IAM roles between projects or organizations. By specifying the production project as the destination project, you can copy the IAM roles from the development project to the production project.

Option B is incorrect because specifying your organization as the destination organization will copy the IAM roles to all projects within the organization, which is not what you want.

Selected Answer: A
The correct answer is A. Use gcloud iam roles copy and specify the production project as the destination project.

The gcloud iam roles copy command copies a role from one project to another. To use this command, you will need to know the name of the role that you want to copy and the name of the destination project.

For example, to copy the role roles/compute.instanceAdmin from the project my-dev-project to the project my-prod-project, you would run the following command:

gcloud iam roles copy roles/compute.instanceAdmin my-dev-project my-prod-project

This command will copy the role roles/compute.instanceAdmin to the project my-prod-project. The role will have the same permissions in the production project as it does in the development project.

Selected Answer: A
A is right. B will propagate for all projects, not desired as per case description

the exact same link shows A as right one. If you set dest org for it, it will inherint for all other projects.

Correct Answer: B
Reference:
https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

Selected Answer: A
A
As per, https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

Selected Answer: A
Because the roles to be copied to a new project in the same organization

You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

D. Add your SREs to a group and then add this group to roles/accessapproval approver role.
-Google recommendation.

how was your exam? is this website qts useful?

This was there in exam, go with community answers.

Selected Answer: D
Grant the Access Approval Approver (roles/accessapproval.approver) IAM role on the project, folder, or organization to the principal who you want to be able to perform approvals. You can grant the Access Approval Approver IAM role to either an individual user, a service account, or a Google group.
https://cloud.google.com/assured-workloads/access-approval/docs/approve-requests

Selected Answer: D
Answers C and D are correct, but it doesn't say if the SRE already has a group and as it is Google's recommendation to make a group to add users and privileges to the group, the right one is D

It mentioned more than one SRE, so adding the user to group is most suitable approach, Answer is D.

Passed my exams today. Not because just because of the questions I practiced here, but because of you guys, your knowledge and experience and breakdown of questions. Too bad this site can't go legit. It such an wholesome resource.

Some final words... KEEP MOVING FORWARD UNTIL ALL THE QUESTIONS ARE DESTROYED TATAKAE!!!!!!

I've seen about 5 questions which are like this, always asking how to grant access and "follow Google best practice", and every time it's just making sure you know to use a group to control access to resources for users, and not adding users directly to objects. 

Remember that keyword, "Google best practice" means "make sure you use a group"

D. Add your SREs to a group and then add this group to roles/accessapproval approver role.

D. Add your SREs to a group and then add this group to roles/accessapproval.approver role.

D is correct option as per google recommended practice

D , google recommends assigning roles to groups than assigning to individual users

Yes, but with groups is more easy to manage.

B AND D are right but i think GCP recommends to use groups all the time

D is correct. Add your SREs to a group and then add this group to roles/accessapproval approver role.

D - Grant whoever will be performing approvals for the project (either a service account or a human user) the IAM role Access Approval Approver on the project folder, or organization that you would like the person to have the role for.

Definitely D. Google recommended practices lead us to use groups rather than granting each individual SRE permissions

D - Add your SREs to a group and then add this group to roles/accessapproval approver role.

• D. Add your SREs to a group and then add this group to roles/accessapproval approver role.

D - https://cloud.google.com/iam/docs/understanding-roles#access-approval-roles

https://cloud.google.com/access-approval/docs/quickstart#email

"Therefore, this roles is NOT granted to a group." 
where you found this information !??

does that mean that we cannot have Humans in a Group?

B is correct.
Grant the IAM role Access Approvals Approver on the project, folder, or organization to the principal (either a service account or a human) who will perform approvals.
Therefore, this roles is NOT granted to a group.
https://cloud.google.com/access-approval/docs/approve-requests#configuring_access_approvers_in_your_organization

I think i best practice to work with Groups, so D

Your organization has strict requirements to control access to Google Cloud projects. You need to enable your Site Reliability Engineers (SREs) to approve requests from the Google Cloud support team when an SRE opens a support case. You want to follow Google-recommended practices. What should you do?

Correct Answer is (D):

Preventing Accidental VM Deletion
This document describes how to protect specific VM instances from deletion by setting the deletionProtection property on an Instance resource. To learn more about VM instances, read the Instances documentation.

As part of your workload, there might be certain VM instances that are critical to running your application or services, such as an instance running a SQL server, a server used as a license manager, and so on. These VM instances might need to stay running indefinitely so you need a way to protect these VMs from being deleted.

By setting the deletionProtection flag, a VM instance can be protected from accidental deletion. If a user attempts to delete a VM instance for which you have set the deletionProtection flag, the request fails. Only a user that has been granted a role with compute.instances.create permission can reset the flag to allow the resource to be deleted.

https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion

Agree with D

You can enabale Termination protection

Selected Answer: C
It does't say that someone can delete it and we should prevent deletion.

Selected Answer: D
The correct answer is D.

Selected Answer: C
C. Question says accidental downtime - this could be caused by many other reasons other than just straight deleting things.
 "Use a sole-tenant node" allows you to have dedicated hardware for your VM instances, providing isolation from other workloads. This isolation can help prevent other teams' actions from impacting your application's availability.

Selected Answer: D
(Use a sole-tenant node) is a method to ensure that your VMs run on a physical host dedicated to your project (related to licences etc), but it doesn't specifically prevent accidental downtime caused by other teams in a shared environment.

To prevent accidental deletion of a Compute Engine instance, you can enable deletion protection on the instance. This feature prevents the instance from being deleted by any user until deletion protection is disabled.

So, the correct answer is: D. Enable deletion protection on the instance.

Selected Answer: D
ANS is D:
By setting the deletionProtection flag, a VM instance can be protected from accidental deletion. If a user attempts to delete a VM instance for which you have set the deletion 
Protection flag, the request fails. Only a user that has been granted a role with compute.

Selected Answer: D
C is incorrect as sole-tenant is project-based. The other users in the same project can still cause accidentally deletion of the VM even if using a sole-tenant node.

Selected Answer: D
I will go with Enable deletion protection on the instance as it prevents accidental deletion.
Shielded VMs protects from malicious attack in the software on the VM.
Sole Tenant - it isolates the resources from others, but does not protect from accidental deletion. Also this needs all together a setup from scratch and cannot be just setup on fly easily.

A. Use a Shielded VM.

Explanation:

 Shielded VMs provide additional security features to help protect against rootkits and bootkits, ensuring the integrity of the operating system and your applications.
 Shielded VMs can help prevent accidental or malicious modifications to the VM that could lead to downtime or security risks.

Option B (Use a Preemptible VM) is not suitable for preventing accidental downtime as preemptible VMs are designed to be temporary and can be terminated at any time.

Option C (Use a sole-tenant node) is a method to ensure that your VMs run on a physical host dedicated to your project, but it doesn't specifically prevent accidental downtime caused by other teams in a shared environment.

Option D (Enable deletion protection on the instance) helps prevent accidental deletion of the instance, but it does not prevent other types of accidental modifications or downtime caused by other teams.

D. Enable deletion protection on the instance.

Selected Answer: C
C. "Use a sole-tenant node" allows you to have dedicated hardware for your VM instances, providing isolation from other workloads. This isolation can help prevent other teams' actions from impacting your application's availability.

Selected Answer: C
option c is correct becuase, it givrs you islotation from other projects, where option d is only prevent if from delete only

You need to host an application on a Compute Engine instance in a project shared with other teams. You want to prevent the other teams from accidentally causing downtime on that application. Which feature should you use?

But it means you will have to add the users one by one which doesn't follow Google best practices...

Read description carefully "prevent from accidentally deleting the datasets". Not tables, datasets! option B does not allow to delete datesets either.
Check dateset permissions in the roles/bigquery.dataEditor:
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.updateTag
You CANNOT delete dataset with option "B"

bigquery.datasets.create allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets so he can delete these created datasets

I think A is the Answer and it follow GCP best practices.
https://cloud.google.com/iam/docs/understanding-roles#bigquery-roles
We do have the role - BigQuery User which does the below permissions
When applied to a project, this role also provides the ability to run jobs, including queries, within the project. 
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy

See the question carefully "accidentally deleting the datasets" it is saying not to delete "the" datasets which means original dataset which existed before his creation .So answer is A.

A bigquery.user will get a "data owner" role on the datasets he creates. That means he can delete those data sets he created. In that sense A fails to that extent.

I don't think A works properly.
roles/bigquery.user has bigquery.datasets.create. And the documentation states:

> Additional, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

If bigquery.user creates a new dataset, it's likely that bigquery.user will get permission to delete that dataset. This means that bigquery.user may have permission to delete data.
https://cloud.google.com/bigquery/docs/access-control

I believe the key part is the "following Google Best Practices" phrase.
A - Works, but doesn't follow GCP best practices
B - Doesn't work as the role grants permission to delete datasets
C - Works, but is more complicated than A and doesn't follow Google best practices
D - Correct, more complicated than A, but it follows Google Best Practices.

I correct myself: https://cloud.google.com/iam/docs/understanding-custom-roles
Key Point: Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions.

Other best practice is use predefine roles over custom roles. Maybe A is correct

you can create data set with bigquery.user role because it has bigquery.datasets.create permissions. And if a user has bigquery.datasets.create permissions, when that user creates a dataset, they are granted bigquery.dataOwner access to it. So A is NOT a choice

Answer is A: roles/bigquery.user is a BigQuery User role which when applied to a project provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project.

Ref: https://cloud.google.com/iam/docs/understanding-roles#bigquery-roles

Correct Answer is (D):

The proper answer regarding to bigquery roles is the listed in the options, the proper rol that resolve this requirement is: roles/bigquery.dataViewer
https://cloud.google.com/bigquery/docs/access-control#custom_roles

on the other hand, the question explicitly is asking to use the GCP best practices on IAM :
GCP Best Practices explain clearly these rules:
Policy management
❑ Set organization-level IAM policies to grant access to all projects in your organization.
❑ Grant roles to a Google group instead of individual users when possible. It is easier to add members to and remove members from a Google group instead of updating an IAM policy to add or remove users.
❑ If you need to grant multiple roles to allow a particular task, create a Google group, grant the roles to that group, and then add users to that group.
https://cloud.google.com/iam/docs/using-iam-securely#policy_management

A is correct because the key point is.. users can query the dataset but not delete. For querying, jobs create role required which comes under bigquery user role

Selected Answer: D
D. follows Google Best Practice. Others do not or are flat out wrong.

Selected Answer: D
GCP Best Practices is to create a group of Users and assign it a custom role with the required permissions (least privilege).

Selected Answer: D
D is solves the problem and follow best practices. With A you will be able to delete data sets you create.

Selected Answer: A
You can create a custom role at the project or organization level. Since users are added to role, it should be A. https://cloud.google.com/iam/docs/creating-custom-roles

Selected Answer: A
I think the right answer is A due to a predefine valid role. I mean that biqguery.user role is valid so it's not needed to create a custom role. bigquery.user role can't delete datasets created by anyone. 

https://cloud.google.com/iam/docs/understanding-roles#bigquery.user

bigquery.datasets.delete
bigquery.datasets.deleteTagBinding

I think the right answer is A due to a predefine valid role. I mean that biqguery.user role is valid so it's not needed to create a custom role. bigquery.user role can't delete datasets.
https://cloud.google.com/iam/docs/understanding-roles#bigquery.user

Selected Answer: A
I think it's A for a couple of reasons.
1. you don't need to create a custom role if there is already one there, an it's Google best practice to ALWAYS use their roles, not create new ones unless absolutely necessary, which is very few cases and I'd be surprised if they'd put a Q in there that would actually .
2. the "roles/bigquery.user" role already allows for bigquery.datasets.create, bigquery.datasets.get, bigquery.datasets.getIamPolicy, which this Q is asking for.

I have no idea, but I think it's D as you add users to group first, then to a role, which is google best practice, but not sure about custom role in the first place.

Selected Answer: A
I gonna with A and not D as best practices is to use predefined roles.

Selected Answer: C
The correct answer is C. Create a custom role by removing delete permissions, and add users to that role only.

This is the recommended approach by Google, as it provides a granular level of control over user permissions. By creating a custom role that only allows users to query datasets, you can ensure that they do not have the ability to accidentally delete them.

Selected Answer: A
I will go with A and not D as best practices is to use predefined roles. 
If the question had "least previledge" then answer would have been D.

A. Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.

Selected Answer: A
GCP Best Practices are to use pre-defined roles and the default permissions for the BigQuery.User role are sufficient...
https://cloud.google.com/iam/docs/understanding-roles#bigquery.user

Selected Answer: D
D is more correrct as per the google recommned pratices

D. Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.

Selected Answer: D
Correct answer is D. User Role will grant them permission to CREATE new datasets and the datasets created by the role will make the user OWNER of those datasets thereby giving them permission to delete. 
If we want to follow google's best practices, correct answer is D.

https://cloud.google.com/bigquery/docs/access-control

however "the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets." so they have delete permissions > i think D is correct

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

 bigquery.readsessions.*

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

resourcemanager.projects.get

resourcemanager.projects.list

Selected Answer: A
I believe it's A:
"When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project."

but bigquery.datasets.create allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets so he can delete these created datasets.
D seems correct

https://cloud.google.com/bigquery/docs/access-control#bigquery.user
A is correct , user has bigquery.jobs.create,bigquery.jobs.list. bigquery.jobs.create - Run jobs (including queries) within the project.

Selected Answer: A
A. Look up the IAM definition for the role.
bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

chatgpt is biased towards using predefined role

i added this question to CHATGPT,, answer is B. 
The recommended practice to prevent accidental deletion of datasets in BigQuery is to add users to the roles/bigquery.dataEditor role only, instead of the roles/bigquery.dataOwner role. The roles/bigquery.dataEditor role provides users with the ability to query datasets, but does not allow them to modify or delete datasets. This helps to ensure that your data remains protected, even if users make accidental changes or deletions.

Alternatively, you could also create a custom role by removing delete permissions and add users to that role, but it is easier and recommended to simply use the roles/bigquery.dataEditor role for this purpose.

Selected Answer: D
Your organization needs to grant users access to query datasets in BigQuery but prevent them from accidentally deleting the datasets.
How about edit options?
So I think D is the best anwser, since the users need read and edit .

Selected Answer: D
D seems to me like the best option. Following the least privilege best practice, we can remove anything that's not required to query datasets. They don't need to create new datasets, so option A would give them more access than necessary perform the task.

Selected Answer: D
Sole-tenancy means that VM just runs on isolated hardware, nothing to do with permissions and access

Selected Answer: D
Big Query User - When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.
Hence answer is D as group is best practice

Selected Answer: A
BigQuery Data Owner 
(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.
This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.
When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Table
View

Selected Answer: D
D - Correct, more complicated than A, but it follows Google Best Practices.

I have checked in my project and bigquery user role has dateset create permission but not delete, however A is not correct option according to GCP best practices hence D is correct has it is granular.

Selected Answer: A
Since roles/bigquery user role doesn't have delete permission, as per the GCP best practice, if we do not have pre-defined roles to perform an action, then go for custom role.

Selected Answer: D
Each of the following predefined IAM roles includes the permissions that you need in order to create/delete a dataset:

roles/bigquery.dataEditor
roles/bigquery.dataOwner
roles/bigquery.user
roles/bigquery.admin

Therefore, we cannot use A and B and also there is no prediefined roles for this particular task. 
Hence we need to create custom roles, in which Option D is as per Google recommended practise.

Selected Answer: D
D is more complete than A

Selected Answer: B
I went back to read the description of IAM for BQ pertaining to datasets:
role/data editor has bigquery.datasets.create, bigquery.datasets.get,bigquery.datasets.getIamPolicy, bigquery.datasets.updateTag
But NO delete for datasets (the role can delete tables in datasets)
role/data owner can "When applied to a dataset, this role provides permissions to: Read, update, and delete the dataset."

Very confusing but B is correct in this case.

Selected Answer: D
As per Link: https://cloud.google.com/bigquery/docs/access-control#bigquery.dataEditor Correct answer is D
A - Works, but doesn't follow GCP best practices
B - Doesn't work as the role grants permission to delete datasets
C - Works, but is more complicated than A and doesn't follow Google best practices
D - Correct, more complicated than A, but it follows Google Best Practices

Selected Answer: D
if your company has 10.000 employees that need to have a specific action for BigQuery, good luck adding the role manually to each of them. OBVIOUSLY adding them to a group and then adding the group to the respective custom role is a common sense solution here. And a GCP good practice.

Thoughts according to docs (https://cloud.google.com/bigquery/docs/access-control) which list out all permissions:

Definitely not B) As (roles/bigquery.dataEditor) role has access to bigquery.tables.delete
Not C) Not best practice
Not D) This is a possibility but no need to go to extra effort of creating a custom role (not best practice) when A, according to the docs, not not have access to the permission of deleting a table. 

Tutorial Dojo has a similar question and they also say a custom role could also add deletion permissions in an update and this is a problem. 

So the answer should be A) for simplicity.

Best pratices when we talk about IAM / rôles is:
Create group => asign role to the group => add users
ANSWER D

From Google - 'Controlling access to datasets' 

"Note: For a user to be able to query the tables in a dataset, it is not sufficient for the user to have access to the dataset. A user must also have permission to run a query job in a project. If you want to give a user permission to run a query from your project, give the user the bigquery.jobs.create permission for the project. You can do this by assigning the user the roles/bigquery.jobUser role for your project. For more information, see Access control examples."

The q is saying about dataset not dataset table so answer will be B

D is correct, group need to add it to role

Go for D
Best practice is create a group and then assign role to that group .

Correct answer is D. Best practice is to use Google groups to manage multiple people and organizations. A does not do this, so A cannot be correct. Thus, D is the best option out of the remaining choices.

Selected Answer: D
Ans: D
Google Best Practices = Users -> Group -> IAM Role

D is correct. Best practice is to use groups rather then assigning the role directly.

Selected Answer: A
A is the correct answer.

Its not talking about datasets table its only talking about datasets

D is the correct answer. A does not work because BigQuery Data Editor
(roles/bigquery.dataEditor) When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Delete the table or view.
https://cloud.google.com/bigquery/docs/access-control#bigquery.dataEditor

C is the correct answer. A is incorrect because BigQuery Data Editor
(roles/bigquery.dataEditor) When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Delete the table or view.

https://cloud.google.com/bigquery/docs/access-control#bigquery.dataEditor

Selected Answer: D
A - allows to view metadata, but won't allow to run queries
B - allows to run queries, but also to delete
C - doesn't follow GCP best practices since Google recommends assigning roles to groups, and groups to users
D - correct combination of permissions and Google's best practices

Selected Answer: A
Question is "...access to query datasets in BigQuery but prevent them from accidentally deleting the DATASETS..." roles/bigquery.user DON'T HAVE permission: bigquery.datasets.delete
A - Correct

A is the answer.
Refer: https://cloud.google.com/bigquery/docs/access-control

Ans: B, says not roles/bigquery.dataOwner so that removes the option of deleting datasets.

two tasks here: 1. query - bigquery.tables.get; 2. delete - bigquery.datasets.delete; so B suits it well. while A cannot query data, and D is too complicated, if the roles provided suits then we don't create custom.

Selected Answer: D
ANSWER IS D as Google best practice

D. Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role

How is A or B are the answers?
User and DataEditor both have bigquery.datasets.create permission. And in docs it says that " the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets. " 
Google recommends to use groups so, I'll go with D.

https://cloud.google.com/bigquery/docs/access-control#permissions_and_predefined_roles

A because 
BigQuery User
(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

Dataset

I think A is the answer.
The following two reasons
1. roles/bigquery.user does not have any delete permissions. So create a custom role by removing delete permissions = roles/bigquery.user
2. Best practice is use predefine roles over custom roles.

Selected Answer: A
well i am bit confused with Option A and D.
following the principle of least privilages , i appears that granting BigQuery User
(roles/bigquery.user) will do the trick.

however Google recommended way is by creating groups and adding users to the group. 
also conflict here is both the recommended way is to use predefined roles over custom so roles. A or D ???

D is correct 
BigQuery User role has below permission. 
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.*
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
resourcemanager.projects.get
resourcemanager.projects.list
However the question is to provide access to datasets. if you provide the user role, this will give additional access to the users. It is not best practice as per GCP.

I'm sorry guys the answer is A 
User role does not have access to delete datasets or tables but you can create tables and over the new tables you have created you have access to delete

D
BigQuery User
(roles/bigquery.user)

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

BigQuery Data Owner
(roles/bigquery.dataOwner)

When applied to a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.

so not B

To query we need bigquery.job.create permission and to delete datasets we need bigquery.datasets.delete permission

A- gives the first permission but not the second one - so it’s the answer 

Google does not recommend creating unnecessary custom roles

I agree with D being the correct answer. 
The predefined role for answer A grants the user to delete any dataset they create, as they are assigned the owner. That alone seems to remove A from consideration. 
B. Would work as well and may be fine if it's a single user, however, it makes sense to create the custom role in case you need to add additional users to the role. 

from https://cloud.google.com/bigquery/docs/access-control

Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Dear people, please relax and think!
When you are creating a custom role, why will you even add more permissions and then delete them!? Does that even make any sense?? 

I'm going with A

ill go with A, use predefined roles over custom roles:

Creation
Before you decide to create a custom role, check whether the service has a predefined role—or a combination of multiple predefined roles—that meets your needs. For a complete list of predefined roles, as well as the permissions that are included in each predefined role, see the predefined roles reference.

If there is no predefined role—or combination of predefined roles—that meets your needs, you can create a custom role that includes only the permissions you need to grant. For details, see Creating and managing custom roles.

https://cloud.google.com/iam/docs/understanding-custom-roles

Answer should be D, A can be an option but I have not found any such rule as roles/bigquery user in IAM roles.

D is correct...BigQuery User implicitly grants DataOwner role as well

As google has highlighted, in https://cloud.google.com/bigquery/docs/access-control, both A and B are likely to allow users to delete datasets. D provides the ability to remove permissions of deletion all together..... I vote D.

Personally think that the correct answer is D.
the reason:
Option A [BigQuery User] has such a description in the description text.
-------------------------------------------------- --------------------------------------------------
When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.
-------------------------------------------------- --------------------------------------------------
Therefore, the [BigQuery User] role has the ability to delete datasets.

Its A. dataEditor role Can delete both Tables and Datasets:
https://cloud.google.com/bigquery/docs/access-control#bigquery

Definitely A, I know people say Google recommend secrets but if you have a rule that allows read/query only why would you create a new one? So have to maintain it or people get confuse and assign role to both groups the custom one and the google, A

https://cloud.google.com/datastore/docs/tools/datastore-emulator
D

A is correct. Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.

answer is D. see the question carefully, it says google recommended practise which is adding users to groups and assigning permission to that group

you're correct , but the question is tricky . what did they mean by "accidentally deleting the datasets" . the new datasets created by these users , or existing datasets ?

No, because User : "allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets."
So if the User creates new datasets and tables, they can delete them.

actually just tested this and it looks like User can delete datasets.... I feel like custom roles are never recommended but for this tricky one I would pick D

Based on least priv i think the answer is B as per below

when the user creates a dataset, they are granted bigquery.dataOwner access to it. bigquery.dataOwner access gives the user the ability to delete datasets and tables they create.

Answer is A
proof: https://cloud.google.com/bigquery/docs/access-control

A is probably correct since this role bigquery user doesn't have delete option in the permission

D - Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.

A should be the answer
Reason is because it follows google recommended practice of least priviledge.
But D cannot achieve this even though it mentions grouping users. If you create a custom role by removing only the delete permissions, what about other permissions?

bigquery user role allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets. So these new datasets can be deleted by users who created them. But the question wants to prevent accidental deletion of any dataset. D is the right choice.

custom roles are not googles best practice. Anytime use pre defined roles unless there is no predefined role that suffices .A suffices so A is the answer.

Tricky one B is correct - Add users to roles/bigquery dataEditor role only, instead of roles/bigquery dataOwner.

Read description carefully "prevent from accidentally deleting the datasets". Not tables, datasets! option B does not allow to delete datesets either.

vote for A, list and view permissions, option B has delete permission
https://cloud.google.com/bigquery/docs/access-control#bigquery

It should be A. It can't be B since the roles/bigquery.dataEditor role has the permissions to:
Create, update, get, and delete the dataset's tables. 
And the questions says the user should not accidentally delete dataset.

It is D
dataeditor gives table delete privilege also which is not desired and out of options D suits best.

Some people say here Answer A is correct - I must them to focus on this sentence "Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets." 
Now you read the roles/bigquery.dataOwner where clearly mentioned that DELETE the Table and I questions clearly mentioned TO PREVENT THEM from Accidently DELETING... So A is totally wrong answer.

Your organization needs to grant users access to query datasets in BigQuery but prevent them from accidentally deleting the datasets. You want a solution that follows Google-recommended practices. What should you do?

ExamPrepper

Exam
Prepper