Google Certified Associate Cloud Engineer 2020


I disagree with “child policies cannot restrict access granted at a higher level”

If I'm not mistaken, the documentation here https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy says that we can set or unset policy inheritance. This way we can define totally new policies at a sublevel.

Can somebody confirm?

Guillaume

One more thing: I disagree as well with "always additive, never subtractive"; in the same link provided, look at example #2. Resource 2 defines a custom policy that sets inheritFromParent to TRUE and denies green circle. Deny values always take precedence during policy reconciliation. The policy from the Organization Node is inherited and merged with the custom policy, and the effective policy evaluates to allow only red square.

1 Answer

I presume the restriction around "child policies cannot restrict access granted at a higher level" was specified for IAM policy in the tutorial.

The link you are referring to specifies policies on the organization hierarchy, which is where, based on inheritFromParent=True or False, policy inheritance takes effect.
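The distinction made in this answer, as an added example that is not part of the original thread, the course, or Google's documentation: a small Python model of the two different inheritance rules. IAM allow policies are folded as a union down the resource hierarchy (a child binding can add principals but never remove a grant made higher up), while organization policy list constraints are folded according to inheritFromParent (replace when false, merge with deny winning when true), which reproduces the three examples on the linked page. The resource chain, role names and the red-square/green-circle values are constructed for illustration; restoreDefault and allValues are not modelled.

```python
"""
Toy model of IAM inheritance versus organization policy inheritance in GCP.
Added example for this thread; not code from the course or from Google.
Policies are passed root-first: [organization, folder, project].
"""
from dataclasses import dataclass, field


@dataclass
class IamPolicy:
    # role -> set of principals bound to that role on this resource
    bindings: dict = field(default_factory=dict)


def effective_iam_principals(chain, role):
    """IAM allow policies are additive: every binding on the resource and on
    each ancestor applies, so a child policy can only add principals."""
    principals = set()
    for policy in chain:
        principals |= policy.bindings.get(role, set())
    return principals


@dataclass
class ListPolicy:
    # Organization policy list constraint on one resource in the chain.
    inherit_from_parent: bool = False
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()


def effective_list_policy(chain):
    """Fold the organization policy chain root-first and return the set of
    values that are ultimately allowed on the leaf resource.

    inheritFromParent=False: the child policy replaces whatever came before.
    inheritFromParent=True:  allowed and denied values are merged with the
    inherited policy, and denied values take precedence at the end."""
    allowed, denied = set(), set()
    for policy in chain:
        if not policy.inherit_from_parent:
            allowed, denied = set(policy.allowed), set(policy.denied)
        else:
            allowed |= set(policy.allowed)
            denied |= set(policy.denied)
    # Deny always wins during reconciliation (hypothetical model of the rule)
    return allowed - denied


def demo():
    """Constructed scenarios; returns the effective results for inspection."""
    # IAM: the project grants bob, but the auditors group granted at the
    # organization level still has roles/viewer on the project.
    org_iam = IamPolicy({"roles/viewer": {"group:auditors@example.com"}})
    project_iam = IamPolicy({"roles/viewer": {"user:bob@example.com"}})
    viewers = effective_iam_principals([org_iam, project_iam], "roles/viewer")

    # Organization policy: org allows red square and green circle.
    org_policy = ListPolicy(allowed=frozenset({"red square", "green circle"}))
    # Example 2 on the linked page: child inherits and denies green circle.
    deny_child = ListPolicy(inherit_from_parent=True,
                            denied=frozenset({"green circle"}))
    # Example 3 style: child does not inherit and defines its own list.
    replace_child = ListPolicy(inherit_from_parent=False,
                               allowed=frozenset({"blue triangle"}))
    return {
        "viewers": viewers,
        "inherit_and_deny": effective_list_policy([org_policy, deny_child]),
        "replace": effective_list_policy([org_policy, replace_child]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {sorted(value)}")
```

The IAM fold has no subtraction step at all, which is the sense in which "child policies cannot restrict access granted at a higher level" holds for IAM; the organization policy fold is the one where a child can replace or deny, which is what the linked hierarchy page describes.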
