Google Cloud Professional Cloud Security Engineer Practice Exam

What is the best practice to access a user's Google Drive on their behalf in an App Engine application?

• A. Use OAuth2 with the current user's credentials
• B. Share the application with the user for access
• C. Create a new service account with G Suite domain-wide delegation
• D. Analyze user behavior for access pattern permissions

The correct answer is: Create a new service account with G Suite domain-wide delegation

Using OAuth2 with domain-wide delegation through a service account is indeed a best practice for accessing a user's Google Drive on their behalf within an App Engine application, especially in an enterprise environment using G Suite. This approach allows the service account to impersonate users in the domain, granting it the ability to perform actions on behalf of those users without requiring them to manually authenticate each time. This is particularly valuable for applications that need to access user data programmatically and efficiently, enabling seamless user experiences while maintaining security and compliance with organizational policies. Domain-wide delegation is set up by granting permissions to the service account to access specific APIs and perform actions for users in the G Suite domain. This ensures that the application can act on behalf of users based on the privileges assigned, which enhances both usability and security. This method is often preferable to using a user's credentials directly through OAuth2, as that would typically involve more complex user interactions, potentially requiring repetitive authorizations, which can lead to a frustrating user experience and increased risk of security breaches. Additionally, options that involve sharing applications or analyzing user behavior are generally not suitable for managing access to user-specific resources such as Google Drive, as they do not provide the level of direct control and streamlined access that domain-wide delegation does.