What are two best practices when configuring authentication and authorization in Google Cloud?


Using SSO/SAML integration for user authentication and providing granular access with predefined roles represents a robust approach to managing security within Google Cloud. Single Sign-On (SSO) allows users to authenticate through a centralized identity provider, which enhances the security posture by enabling strong authentication measures and streamlining the user experience. This approach minimizes the number of passwords users have to manage and reduces the attack surface associated with password-based logins.

Furthermore, providing granular access with predefined roles ensures that users have the minimum permissions necessary to perform their functions, adhering to the principle of least privilege. This minimizes the risk of accidental or malicious actions that could harm the system or data, as users are restricted to the specific resources and actions relevant to their role. Predefined roles in Google Cloud are designed to simplify permissions management without overwhelming administrators with overly granular choices.

In contrast, options that advocate for broad roles or limited authentication measures expose organizations to greater security risks. Email/password authentication lacks the security benefits that multi-factor authentication or SSO provide. Similarly, tailoring roles for each user, while seemingly precise, can lead to management complexity and potential misconfigurations that ultimately weaken security. The best practice of leveraging SSO alongside predefined, granular roles strikes an effective balance between usability and security.
