Google Associate Google Workspace Administrator Exam Practice Test Instant Access

Question 1

Your organization handles a significant amount of sensitive customer data and must follow strict industry regulations. To meet an upcoming compliance deadline, you need to quickly implement a solution that automatically classifies files stored in Google Drive based on the content of files.

What should you do?

ACreate data loss prevention (DLP) rules for Drive. Configure the rules to apply Drive labels based on content.

BApply Drive labels based on content. Use Google Vault to create retention rules based on Drive labels, ensuring that data is kept for the required duration.

CImplement a third-party data governance tool that integrates with Drive and provides advanced classification capabilities.

DAdd users into organizational units (OUs). Configure default file classification in Drive for the desired OUs.

Answer : A

Data loss prevention (DLP) rules in Google Workspace allow you to automatically classify and label files in Google Drive based on their content, such as identifying sensitive customer data. This ensures compliance by applying the appropriate classification to files as they are stored, allowing you to quickly meet the compliance deadline while automating the classification process based on predefined criteria.

Question 2

Your organization has detected a significant rise in unauthorized access to applications from personal devices. This poses a critical security risk and could lead to data loss. To mitigate this risk, you must immediately restrict user access to these applications. What should you do?

ALimit apps access to company-issued devices by using context-aware access.

BEnable multi-factor authentication for application access.

CEnable data loss prevention rules.

DConfigure apps data access to Limited to only allow access to unrestricted services.

Answer : A

The problem states a 'significant rise in unauthorized access to applications from personal devices,' posing a 'critical security risk' and potential 'data loss.' The immediate goal is to 'immediately restrict user access to these applications' from personal devices.

Context-Aware Access (CAA) is specifically designed to control access to Google Workspace applications based on the 'context' of the user and their device. This includes whether the device is managed (company-issued) or unmanaged (personal), its security posture, IP address, and location. By configuring CAA policies, you can enforce that users can only access specific applications if they are using a company-issued device.

Here's why the other options are less effective or not the primary solution for this immediate restriction:

B . Enable multi-factor authentication for application access. MFA is a crucial security layer, but it authenticates the user, not the device. A disgruntled employee could still use their personal device with MFA enabled to download data if no device-based restriction is in place. It prevents unauthorized users but not authorized users on unauthorized devices.

C . Enable data loss prevention rules. DLP rules are excellent for preventing sensitive data from leaving the organization (e.g., by blocking sharing of files containing credit card numbers). However, they don't restrict access to applications based on the device type. An employee could still access and potentially download non-DLP-sensitive data from a personal device if only DLP is enabled. The immediate risk is access from personal devices, not just content-based data loss.

D . Configure apps data access to Limited to only allow access to unrestricted services. This option typically refers to allowing specific APIs or services to be accessed by third-party apps, or perhaps limiting access within a highly restricted environment. It's not a direct control mechanism for user access from personal vs. company-issued devices to core Google Workspace applications.

Reference from Google Workspace Administrator:

Protect your business with Context-Aware Access: This is the primary documentation for Context-Aware Access, explicitly mentioning its use case for 'Allow access to apps only from company-issued devices.'

About Context-Aware Access: Provides an overview of how CAA works and its capabilities, including controlling access based on device security status (e.g., managed vs. unmanaged).

Question 3

You need to create an automated application or process that includes connectors to external data, leverages Google Sheets data, and is easily shared as a mobile application. What should you do?

ACreate an application by using App Engine. Connect the application to your Workspace environment

BCopy the external data to BigQuery. Use a Connected Sheet to interact with the data.

CCreate an AppSheet application to connect the different data sources. Set up the mobile application.

DCreate an automation process by using Apps Script. Run the process through Google Sheets.

Answer : C

AppSheet is a no-code platform that allows you to easily create mobile applications that can connect to external data sources, including Google Sheets. It is ideal for quickly building automated apps that integrate data from various sources and can be easily shared with others on mobile devices. AppSheet provides an efficient way to create, customize, and deploy mobile applications without the need for extensive development skills.

Question 4

Your company operates several primary care clinics where employees routinely work with protected health information (PHI). You are in the process of transitioning the organization to Google Workspace from a legacy communication and collaboration system. After you sign the Business Associate Agreement (BAA), you need to ensure that data is handled in compliance with regulations when using Google Workspace. What should you do?

AImplement a third-party backup service that is also compliant with Google Workspace core services.

BCreate a label for Google Drive content to help employees identify sensitive data.

CInstruct the staff to not store any PHI in Google Workspace core services, including Google Drive. Docs. Sheets, and Keep.

DDisable integrations with third-party apps and turn off non-core Google services.

Answer : B

To ensure compliance with regulations when handling protected health information (PHI) in Google Workspace, creating labels for sensitive data, such as PHI, helps employees identify and manage this information properly. Labels can be used to mark files that contain sensitive data, providing an additional layer of organization and protection. This approach aligns with regulatory requirements by ensuring that employees can easily distinguish PHI from other data and apply the necessary policies and security measures.

Question 5

Your organization's users are reporting that a large volume of legitimate emails are being misidentified as spam in Gmail. You want to troubleshoot this problem while following Google-recommended practices. What should you do?

AAdjust the organization's mail content compliance settings in the Admin console.

BAdvise users to individually allowlist senders.

CDisable spam filtering for all users.

DContact Google Workspace support and report a suspected system-wide spam filter malfunction.

Answer : D

If legitimate emails are being misidentified as spam across the organization, it suggests that there may be a broader issue with the spam filtering system. Contacting Google Workspace support to investigate and resolve the problem is the recommended approach. Disabling spam filtering or adjusting individual settings may not resolve the root cause and could potentially lead to further issues.

Question 6

Your company has just started using Search Ads 360. You need to limit access to Additional Google services for your entire organization by using the Admin console. Only the marketing team and a specific group of users from the web design team should have access. What should you do?

AEnable Search Ads 360 for both the marketing and web design team organizational units (OUs). Create a group to explicitly deny access to Search Ads 360. Assign the group to the web design users who should not have access.

BEnable Search Ads 360 at the top level of your organizational structure.

CEnable Search Ads 360 for the marketing organizational unit (OU). Create a sub-OU under the marketing OU. and move the web design team users who need access into this sub-OU.

DEnable Search Ads 360 for the marketing organizational unit (OU). Create a new group in the Admin console that includes the web design team users who need access. Enable Search Ads 360 for that group.
This approach leverages both organizational units and groups for access control. By enabling Search Ads 360 for the marketing OU, you grant access to all users within that department. Then, by creating a separate group containing the specific web design users who require access and enabling Search Ads 360 for that group, you provide them with the necessary permissions without granting access to the entire web design OU. This method allows for targeted access based on both departmental affiliation and specific user needs, aligning with the principle of least privilege.
Associate Google Workspace Administrator topics guides or documents reference: The Google Workspace Admin Help documentation on 'Turn services on or off for users' explains how to control access to Google services at both the organizational unit and group levels. It highlights the flexibility of using a combination of OUs and groups to achieve granular access control. Enabling a service for an OU applies it to all members of that OU, while enabling it for a group applies it only to the members of that specific group, regardless of their OU.
A . Enable Search Ads 360 for both the marketing and web design team organizational units (OUs). Create a group to explicitly deny access to Search Ads 360. Assign the group to the web design users who should not have access.
While you can deny service access using groups, it's generally more straightforward and less prone to errors to explicitly grant access only to those who need it. Enabling the service for the entire web design OU and then trying to revoke access for some users within it adds unnecessary complexity and potential for misconfiguration. Deny rules can also sometimes interact in unexpected ways with allow rules.
Associate Google Workspace Administrator topics guides or documents reference: While the Admin console allows for denying service access through groups, the documentation often emphasizes granting access to specific OUs or groups that require it as a more manageable and transparent approach.
B . Enable Search Ads 360 at the top level of your organizational structure.
Enabling Search Ads 360 at the top level would grant access to the service to every user in your organization. This directly contradicts the requirement to limit access to only the marketing team and a specific group within the web design team. This option provides the least control and violates the principle of least privilege.
Associate Google Workspace Administrator topics guides or documents reference: Google's best practices for service control emphasize granting access only to those who need it, typically by applying settings at the OU or group level, not organization-wide unless the service is intended for everyone.
C . Enable Search Ads 360 for the marketing organizational unit (OU). Create a sub-OU under the marketing OU. and move the web design team users who need access into this sub-OU.
Creating a sub-OU under the marketing OU for users from the web design team who need access is a less logical organizational structure. It mixes users from different departments within the same branch of the OU hierarchy, which can complicate future policy management and reporting. It's generally better to keep users within their respective departmental OUs and use groups for cross-departmental service access.
Associate Google Workspace Administrator topics guides or documents reference: Google's guidance on OU structure recommends organizing users based on their functional role or department within the organization for logical policy management and reporting. Creating sub-OUs based on service access needs rather than organizational structure is not a typical recommendation.
Therefore, the most appropriate and manageable solution is to enable Search Ads 360 for the marketing OU and create a separate group containing the specific web design users who need access, then enable the service for that group as well.

Answer : D, D

To limit access to Search Ads 360 to only the marketing team and a specific group of users from the web design team, the most effective and Google-recommended approach is to enable the service for the marketing organizational unit (OU) and then create a separate group containing the specific web design users who need access, enabling the service for that group as well. This allows for granular control and avoids granting access to the entire web design OU.

Here's why option D is the correct solution and why the others are less ideal:

Question 7

The human resources department notified you of a legal investigation that was started for an employee in the finance department. You need to ensure that this employee's Google Drive data is preserved for at least one year and does not get deleted by the user or by other means. The Google Vault default retention rules for Drive are set for five years. What should you do?

AChange the Vault default retention rule to one year instead of five.

BPlace the employee into a separate organizational unit (OU). Create a custom one-year retention rule for this OU.

CCreate a hold in Vault for the employee's Drive.

DConfirm that the Vault default retention rule is set for five years.

Answer : C

When there's a legal investigation, the priority is to ensure that relevant data is preserved and not deleted, regardless of retention policies or user actions. A 'hold' (also known as a litigation hold or legal hold) in Google Vault is specifically designed for this purpose. It overrides all retention rules (both default and custom) and prevents any data covered by the hold from being purged, even if a user attempts to delete it.

Here's why the other options are not the correct or best solution:

A . Change the Vault default retention rule to one year instead of five. Changing the default retention rule would affect all Drive data in your organization, not just this specific employee's. It's a broad change and not suitable for a targeted legal hold. Moreover, it wouldn't guarantee preservation against user deletions.

B . Place the employee into a separate organizational unit (OU). Create a custom one-year retention rule for this OU. While creating custom retention rules for OUs is possible, it's not the primary mechanism for a legal hold. Retention rules define when data can be deleted, but a hold prevents deletion irrespective of the retention period. If the employee deletes the data, a retention rule won't stop it from moving to trash (and eventually being purged) unless a hold is in place. Furthermore, a one-year retention rule isn't the goal; the goal is to preserve for 'at least one year' (meaning indefinitely until the hold is released). The default five-year rule is already longer than one year, but doesn't override user deletion.

D . Confirm that the Vault default retention rule is set for five years. The question states that the default retention rule for Drive is already set for five years. While this is good for general data retention, it does not prevent a user from deleting their own files from Drive, nor does it specifically address the need for a legal hold where data must be absolutely preserved. A default retention rule does not override user deletion or ensure data preservation for legal purposes.

Reference from Google Workspace Administrator:

Holds in Google Vault: This is the core concept. Holds prevent data from being purged from Google systems, regardless of retention rules or user actions, until the hold is released. They are specifically used for legal discovery or investigation purposes.

Retention rules in Google Vault: While relevant to data management, retention rules define when data can be deleted if no hold applies. They do not prevent users from deleting data or ensure preservation for legal holds.