You have set a folder-level IAM policy that grants a user the roles/storage.admin role. You then set a project-level IAM policy that denies the user the roles/storage.admin role. What is the effective IAM role for that user in that project?
Choose an answer
Tap an option to check your answer.
Correct answer: Deny always wins..
Why this is the answer
*Explanation:* In this scenario, the effective IAM role for the user in that project is **Deny always wins (option E)**. In IAM, explicit deny at a lower-level scope always takes precedence over a grant at a higher-level scope. The policy is valid, but the deny action wins, resulting in the user having no role for the specified permission.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed