I created two new google accounts
-gcpcompany & gcpcompanyuser
gcpcompany is the account where projects will live
gcpcompanyuser is the non privileged user that will operate on projects in the main account as a non privileged user
What I don’t understand is hasn’t the gcpcompanyuser account access to all privileges in it’s own account
isn’t it a root user in it’s own account
it can thus make mistakes, still run up bills, create security flaws etc, all the things that creating the user account was meant to avoid in the main account
I’m glad you’ve asked, Stephen! We dig into this rather more in the "Billing Access Control" lecture in the Security section, later on–and you can feel free to take an advance look at it, now–but the key thing is that the billing account is different from the user accounts and from the project control setup.
We’ve created an admin account (a Google account for identity) which has admin access to the trial billing account and controls only its admin projects.
Our user account (another Google account for identity), though, does not get any billing account of its own. Instead, it has access to use the billing account that is owned by the admin account. Our user account can control the projects it owns, but cannot control the billing account that owned by the admin account.
If this isn’t entirely clear, yet, then maybe work through the course until you have gotten through the Security section. I think that’ll help it make more sense.
All the best!