Identity and Access Management (IAM) Flashcards
IAM
IAM is a system built on top of
email-like address names (principals),
job-type roles and
granular permissions.
It is a way of identifying who can do what on which resource.
The who (the principal) can be a person, group or application.
The what is a set of permissions, bundled into a role; the resource can be any Google Cloud resource, from the organization node down to a single service resource.
Access is expressed as a policy attached to a resource: a list of bindings, each binding one role to a list of principals. Allow policies only grant access; they never take it away.
In IAM, you grant access to principals. Principals can be of the following types (with the prefix used in a policy binding):
Google Account (user:alice@example.com)
Service account (serviceAccount:name@project.iam.gserviceaccount.com)
Google group (group:team@example.com)
Google Workspace account / Cloud Identity domain (domain:example.com, every account in that domain)
All authenticated users (allAuthenticatedUsers: any Google Account on the internet, not only accounts in your organization)
All users (allUsers: anyone, including unauthenticated callers)
The last two make a resource public; a binding that contains them anywhere in the hierarchy is something to look for in an audit.
Components within Cloud IAM:
organizations, folders, projects, resources, roles, members (principals) and service accounts.
The four main functions of an IAM system in general (not specific to Google Cloud): authentication, authorization, administration, and auditing and reporting.
Cloud IAM resource hierarchy: organization -> folders -> projects -> resources.
The organization node is the root node in this hierarchy. The organization resource represents your company.
Policies are inherited down the hierarchy. Cloud IAM roles granted at the organization level are inherited by all resources under the organization; the effective policy on a resource is the union of the policy set on the resource itself and the policies of its ancestors. A child cannot remove a role granted at a parent, so a permissive grant high in the tree reaches everything below it.
The folder resource could represent your department.
Projects represent a trust boundary within your company.
Services within the same project have the same default level of trust.
Resources
Organization level nodes (roles granted on the organization resource)
- Organization Admin: administer all resources belonging to the organization.
- Project Creator: create projects within the organization.
- Viewer: view access to all resources within the organization.
- G Suite (now Google Workspace) or Cloud Identity super admin: not an IAM role, but the organization resource is closely associated with a G Suite or Cloud Identity account.
The G Suite or Cloud Identity super administrators and the GCP Organization Admin are key roles during the setup process and for lifecycle control of the organization resource. The two roles are generally assigned to different users or groups, so that no single identity controls both the account and the cloud resource hierarchy.
G Suite or Cloud Identity super administrator responsibilities
assign the organization admin role to some users,
be a point of contact in case of recovery issues,
control the lifecycle of the G Suite or Cloud Identity account and organization resource.
The responsibilities of the organization admin role
define IAM policies,
determine the structure of the resource hierarchy,
delegate responsibility over critical components such as networking, billing, and resource hierarchy, through IAM roles.
Following the principle of least privilege, this role does not include the permission to perform other actions, such as creating folders.
To get these permissions, an organization admin must assign additional roles (for example Folder Creator) to their account, which leaves an audit trail of that self-grant in the organization's IAM policy.
Folder level nodes
Sub-organizations within the organization.
Folders provide an additional grouping mechanism and isolation boundary between projects.
Folders can be used to model different legal entities, departments, and teams within a company.
Folders can be nested: folders -> subfolders, for example
departments -> teams -> applications.
Folder level roles
- Folder Admin: full control over folders.
- Folder Creator: browse the hierarchy and create folders.
- Folder Viewer: view folders and projects below a resource.
Project level nodes
- Project Creator: create new projects; the user who creates a project is automatically granted the Owner role on that project.
- Project Deleter: delete projects.
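To make the inheritance rule and the level-specific roles concrete, here is a small model of a resource hierarchy with one IAM policy per node. It is an added illustration written for this page, not Google code. The policies use the real allow-policy shape (a list of bindings, each role -> members) and the real member prefixes, but the organization, folder and project names, the group memberships, and the ROLE_PERMISSIONS table (a heavily trimmed, assumed subset of the predefined roles) are all constructed for the example.

```python
"""Model of Cloud IAM allow-policy inheritance down the resource hierarchy.

Added example, not Google's implementation. The hierarchy, policies, group
memberships and the role->permission table below are constructed sample data.
"""
from typing import Dict, List, Optional, Set

# Assumed, trimmed subset of predefined roles -> permissions (illustrative only).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.folders.get",
        "resourcemanager.projects.get",
        # note: no resourcemanager.folders.create (least privilege)
    },
    "roles/resourcemanager.projectCreator": {"resourcemanager.projects.create"},
    "roles/resourcemanager.projectDeleter": {"resourcemanager.projects.delete"},
    "roles/resourcemanager.folderCreator": {
        "resourcemanager.folders.create", "resourcemanager.folders.get",
        "resourcemanager.folders.list"},
    "roles/resourcemanager.folderViewer": {
        "resourcemanager.folders.get", "resourcemanager.folders.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"},
    "roles/viewer": {"resourcemanager.projects.get", "storage.objects.get"},
}

# Constructed hierarchy, child -> parent; the organization is the root.
PARENT: Dict[str, Optional[str]] = {
    "organizations/123": None,
    "folders/engineering": "organizations/123",
    "folders/payments-team": "folders/engineering",
    "projects/payments-prod": "folders/payments-team",
    "projects/marketing-site": "organizations/123",
}

# Constructed allow policies, one per node, in the real policy document shape.
POLICIES: Dict[str, dict] = {
    "organizations/123": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:org-admins@example.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]},
    "folders/engineering": {"bindings": [
        {"role": "roles/resourcemanager.folderCreator",
         "members": ["group:eng-leads@example.com"]},
    ]},
    "folders/payments-team": {"bindings": []},
    "projects/payments-prod": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci@payments-prod.iam.gserviceaccount.com",
                     "allAuthenticatedUsers"]},  # risky: any Google Account
    ]},
    "projects/marketing-site": {"bindings": [
        {"role": "roles/viewer", "members": ["allUsers"]},  # public
    ]},
}

# Constructed group directory: group member string -> set of principals.
GROUPS: Dict[str, Set[str]] = {
    "group:org-admins@example.com": {"user:alice@example.com"},
    "group:eng-leads@example.com": {"user:bob@example.com"},
}


def ancestry(resource: str) -> List[str]:
    """Resource itself, then each ancestor up to the organization root."""
    chain: List[str] = []
    node: Optional[str] = resource
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def member_matches(member: str, principal: Optional[str]) -> bool:
    """Does a binding member cover this principal? None means an anonymous caller."""
    if member == "allUsers":
        return True                      # anyone, authenticated or not
    if principal is None:
        return False                     # everything below needs an identity
    if member == "allAuthenticatedUsers" or member == principal:
        return True
    if member.startswith("domain:") and principal.startswith("user:"):
        return principal.split("@", 1)[1] == member[len("domain:"):]
    if member.startswith("group:"):
        return principal in GROUPS.get(member, set())
    return False


def effective_roles(principal: Optional[str], resource: str) -> Set[str]:
    """Union of roles bound to the principal on the resource and all its ancestors."""
    roles: Set[str] = set()
    for node in ancestry(resource):
        for binding in POLICIES[node]["bindings"]:
            if any(member_matches(m, principal) for m in binding["members"]):
                roles.add(binding["role"])
    return roles


def has_permission(principal: Optional[str], permission: str, resource: str) -> bool:
    """Who can do what on which resource, resolved through inherited roles."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(principal, resource))


def public_exposure() -> Dict[str, List[str]]:
    """Audit helper: resources reachable by allUsers/allAuthenticatedUsers,
    whether the binding sits on the resource or on an ancestor."""
    public = {"allUsers", "allAuthenticatedUsers"}
    report: Dict[str, List[str]] = {}
    for resource in PARENT:
        hits = [f"{m} has {b['role']} via {node}"
                for node in ancestry(resource)
                for b in POLICIES[node]["bindings"]
                for m in b["members"] if m in public]
        if hits:
            report[resource] = sorted(hits)
    return report


if __name__ == "__main__":
    print("alice can create folders in engineering:",
          has_permission("user:alice@example.com",
                         "resourcemanager.folders.create", "folders/engineering"))
    print("public exposure:", public_exposure())
```

Two things the table of roles alone does not show: the Organization Admin (alice) inherits read access to every project but still cannot create a folder anywhere, and the allAuthenticatedUsers binding on payments-prod lets an account from an unrelated domain read objects there, which the audit helper flags.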