70-466 · Question #128
You need to recommend a solution for the sales department that meets the security requirements. What should you recommend?
The correct answer is C. Create a role for each region. Grant each role read access to its corresponding table. Add a DAA role that reads the current user name and retrieves the user's region.. Implementing dynamic, region-based row-level security for sales data requires per-region roles with a dynamic access mechanism that maps the logged-in user to their region at query time.
Question
Options
- ACreate a one role for all of the sales department users. Add a DAA role that reads the current user name and retrieves the user's region. Create one role for each region.
- BConfigure each role to have read access to a specific region. Add the sales department users to their corresponding role. Create a table to for each region.
- CCreate a role for each region. Grant each role read access to its corresponding table. Add a DAA role that reads the current user name and retrieves the user's region.
- DCreate one role for all of the sales department users. Configure the role to have read access to the sales transactions. Ensure that all of the reports that access the sales transaction data restrict read access to the data from the corresponding sales department region only.
How the community answered
(32 responses)- A6% (2)
- B9% (3)
- C66% (21)
- D19% (6)
Why each option
Implementing dynamic, region-based row-level security for sales data requires per-region roles with a dynamic access mechanism that maps the logged-in user to their region at query time.
Creating one broad role for all sales users and a separate DAA role without per-region access control on the roles does not enforce region-level data isolation correctly.
Manually adding users to region-specific roles without a DAA mechanism requires administrative overhead for every user change and does not dynamically derive the region from the logged-in username.
Creating one role per region and granting each role read access only to its corresponding regional table enforces least-privilege access at the database level. Adding a DAA (Dynamic Account Assignment) role that reads the current username and retrieves the user's region ensures each user automatically sees only their region's data without requiring manual role assignments per user. This separates the data-access policy from user management, making the solution scalable.
Relying solely on reports to restrict regional data access is insecure because it enforces security at the presentation layer rather than at the database level, leaving the underlying data exposed.
Concept tested: Dynamic role-based row-level security for regional data access
Source: https://learn.microsoft.com/en-us/analysis-services/multidimensional-models/roles-and-permissions-analysis-services
Topics
Community Discussion
No community discussion yet for this question.