Exam Security-Operations-Engineer Topic 1 Question 23 Discussion

Actual exam question for Google's Security-Operations-Engineer exam
Question #: 23
Topic #: 1
Your organization uses Cloud Identity as their identity provider (IdP) and is a Google Security Operations (SecOps) customer. You need to grant a group of users access to the Google SecOps instance with read-only access to all resources, including detection engine rules. How should this be configured?

Suggested Answer: A Vote an answer

Comprehensive and Detailed Explanation
The correct configuration is Option A. This answer addresses two key requirements from the question: the identity mechanism (Cloud Identity) and the required permission level (read-only access including detection rules).
* Identity Mechanism (Google Group vs. Workforce Pool):
The prompt explicitly states the organization uses Cloud Identity as its identity provider (IdP). When Cloud Identity or Google Workspace is the IdP, the standard practice is to manage access using Google Groups.
Users are added to a group, and IAM roles are granted to that group. Workforce identity federation (which uses workforce pools) is the mechanism used when integrating with a third-party IdP, such as Okta or Azure AD. Since the IdP is Cloud Identity, creating a Google Group is the correct approach. This eliminates options C and D.
* Permission Level (roles/chronicle.viewer vs. roles/chronicle.limitedViewer):
The prompt requires "read-only access to all resources, including detection engine rules." The predefined Google SecOps IAM roles are specific about this distinction:
* roles/chronicle.viewer (Chronicle API Viewer): Provides "Read-only access to Google SecOps application and API resources." This role includes permissions to view detection rules and retrohunts.
* roles/chronicle.limitedViewer (Chronicle API Limited Viewer): Provides "Grants read-only access to Google SecOps application and API resources, excluding detection engine rules and retrohunts." Therefore, roles/chronicle.limitedViewer (Option B) is incorrect because it excludes access to detection engine rules, which violates the prompt's requirement. The correct role is roles/chronicle.viewer (Option A), as it grants the necessary comprehensive read-only access.
Exact Extract from Google Security Operations Documents:
On the topic of IAM roles:
Google SecOps predefined roles in IAM
Predefined role in IAM
Title
Description
roles/chronicle.viewer1
Chronicle API Viewer2
Read-only access to Google SecOps application and API resources3
roles/chronicle.limitedViewer4
Chronicle API Limited Viewer5
Grants read-only access to Google SecOps application and API resources, excluding detection engine rules and retro6hunts.
On the topic of Identity Providers:
"You can use Cloud Identity, Google Workspace, or a third-party identity provider (such as Okta or Azure AD) to manage users, groups, and authentication. This page describes how to use Cloud Identity or Google Workspace."7
"8The following example grants the Chronicle API Viewer role to to a specific group:" gcloud projects add-iam-policy-binding PROJECT_ID \
--role roles/chronicle.viewer \
--member "group:GROUP_EMAIL"
References:
Google Cloud Documentation: Google Security Operations > Documentation > Onboard > Configure feature access control using IAM Google Cloud Documentation: Google Security Operations > Documentation > Onboard > Configure a Google Cloud identity provider

by Cara at Nov 17, 2025, 03:41 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10