Q: 15
GlobalTech's data science team needs to read data from a specific BigQuery
dataset (project_ds.customer_analytics) but must not be able to modify or delete
any data. What is the most restrictive and appropriate IAM role to assign to the data
science group?
Options
Discussion
Pretty sure it's C. Had something like this in a mock, and Data Viewer is the most restrictive for read-only access. It doesn't let them edit or delete anything, which fits exactly. Agree?
C/D? I don't think A is right for App Engine since instance groups are more for Compute Engine, not App Engine. Option C using LB and VPC sounds doable, but it feels a bit extra for just testing. D maybe, since new app instances could isolate changes. Not totally sure though, those load balancer answers seem like they might be traps.
Not B, A. I think using Instance Group Updater works for partial rollouts, but not 100% sure here. Anyone else pick this?
It's C, official docs and practice tests mention Data Viewer for this exact use case.
Probably C, since Data Viewer gives just read access, no edit or delete rights. That lines up with least privilege and keeps the team from making changes. Makes sense for this scenario unless I missed something.
C vs D. Seen similar traffic-splitting questions on official practice, and both these options use load balancing for gradual rollout, which matches what you'd want for testing updates in production.
I’m pretty sure it’s B. App Engine has built-in versioning and you can split traffic for canary tests, so no need for load balancers or new VPCs. Anyone disagree?