Google Cloud Professional Cloud Security Engineer Practice Exam

Which organization policy constraint affects granting access to the "Apps" folder?

• A. constraints/iam.allowedPolicyMemberDomains
• B. constraints/iam.roleAssignments
• C. constraints/vpc.networkAccess
• D. constraints/resourceUsage

The correct answer is: constraints/iam.allowedPolicyMemberDomains

The correct choice focuses on the policy constraint that governs the domains from which identities can be granted access to resources, such as the "Apps" folder. The constraint `constraints/iam.allowedPolicyMemberDomains` specifically defines which authentication domains can be included in IAM policy bindings. This means that if an organization restricts access to the "Apps" folder based on the domains allowed for member assignments, it directly affects who can gain access to that folder. This policy constraint is significant in organizations where identity management is central to security practices. It allows organizations to limit access to certain folders or resources to users who authenticate with specific domains, enhancing security and ensuring that only authorized personnel have access to sensitive resources. This capability is crucial for maintaining control over how external entities, such as contractors or customers, can interact with organizational assets. In contrast, the other constraints pertain to different aspects of access control or resource management. `constraints/iam.roleAssignments` deals with the assignment of IAM roles but does not specify member domain limitations as the chosen option does. `constraints/vpc.networkAccess` relates to network access configurations and does not affect IAM permissions directly. `constraints/resourceUsage` governs the limitations on the usage of resources instead of access control policies. Thus, the emphasis