A company wants to grant a support team member the ability to view the IAM policy of a project (who has which roles) without being able to modify it. What is the least privileged predefined role that provides this access?
Includes resourcemanager.projects.getIamPolicy and other read permissions for IAM.
Why this answer
The roles/iam.securityReviewer role grants read-only access to IAM policies and permissions across the project, including the ability to view who has which roles, without allowing modifications. This is the least privileged predefined role that provides exactly this access, as it is scoped to security-related read operations only.
Exam trap
Google Cloud often tests the distinction between viewing role definitions (roles/iam.roleViewer) and viewing actual IAM policy bindings (roles/iam.securityReviewer), causing candidates to confuse the two.
How to eliminate wrong answers
Option A is wrong because roles/viewer provides broad read access to all resources in the project, which is more permissive than necessary and includes many permissions beyond IAM policy viewing. Option B is wrong because roles/iam.securityAdmin grants full administrative control over IAM policies, including the ability to modify roles and permissions, which exceeds the requirement of read-only access. Option C is wrong because roles/iam.roleViewer only allows viewing predefined and custom role definitions, not the actual IAM policy bindings (who has which roles) on a project.