MongoDB

The Organization Admin role provides extensive visibility and control over all resources within a GCP organization.

Folders in GCP allow resource organization and delegation of administrative rights, such as ownership, to specific departments or teams.

The principle of least privilege states that users should only be granted the minimum permissions necessary to perform their tasks.

For certain managed or cross-project service accounts, the account itself may be retained while its access bindings to the deleted project are revoked.

It is a best practice to assign roles to Google Groups rather than individual users. This simplifies access management as users can be added or removed from groups without needing to update IAM policies.

If a project has only one owner and their account is compromised, disabled, or deleted, the project could be orphaned or accidentally deleted. Having multiple owners ensures continuity of access and management.

Implementing a consistent naming convention and descriptive display names for service accounts makes it easier to track their purpose, ownership, and permissions across a Google Cloud environment.

In Google Cloud, IAM policies are inherited downwards through the resource hierarchy. Roles granted at the Organization level apply to all folders, projects, and resources within that organization. The original answer 'Only to projects directly under the organization' is incorrect.

The roles/iam.serviceAccountUser role allows a user to impersonate and run operations as a service account, effectively utilizing it for resources like Compute Engine instances.

Access scopes are used to specify the API access for a Compute Engine instance. The corresponding API must be enabled in the project for the access scope to function properly.