nerdexam
Microsoft

70-466 · Question #128

You need to recommend a solution for the sales department that meets the security requirements. What should you recommend?

The correct answer is C. Create a role for each region. Grant each role read access to its corresponding table. Add a DAA role that reads the current user name and retrieves the user's region.. Implementing dynamic, region-based row-level security for sales data requires per-region roles with a dynamic access mechanism that maps the logged-in user to their region at query time.

Configure and maintain an analysis services database

Question

You need to recommend a solution for the sales department that meets the security requirements. What should you recommend?

Options

  • ACreate a one role for all of the sales department users. Add a DAA role that reads the current user name and retrieves the user's region. Create one role for each region.
  • BConfigure each role to have read access to a specific region. Add the sales department users to their corresponding role. Create a table to for each region.
  • CCreate a role for each region. Grant each role read access to its corresponding table. Add a DAA role that reads the current user name and retrieves the user's region.
  • DCreate one role for all of the sales department users. Configure the role to have read access to the sales transactions. Ensure that all of the reports that access the sales transaction data restrict read access to the data from the corresponding sales department region only.

How the community answered

(32 responses)
  • A
    6% (2)
  • B
    9% (3)
  • C
    66% (21)
  • D
    19% (6)

Why each option

Implementing dynamic, region-based row-level security for sales data requires per-region roles with a dynamic access mechanism that maps the logged-in user to their region at query time.

ACreate a one role for all of the sales department users. Add a DAA role that reads the current user name and retrieves the user's region. Create one role for each region.

Creating one broad role for all sales users and a separate DAA role without per-region access control on the roles does not enforce region-level data isolation correctly.

BConfigure each role to have read access to a specific region. Add the sales department users to their corresponding role. Create a table to for each region.

Manually adding users to region-specific roles without a DAA mechanism requires administrative overhead for every user change and does not dynamically derive the region from the logged-in username.

CCreate a role for each region. Grant each role read access to its corresponding table. Add a DAA role that reads the current user name and retrieves the user's region.Correct

Creating one role per region and granting each role read access only to its corresponding regional table enforces least-privilege access at the database level. Adding a DAA (Dynamic Account Assignment) role that reads the current username and retrieves the user's region ensures each user automatically sees only their region's data without requiring manual role assignments per user. This separates the data-access policy from user management, making the solution scalable.

DCreate one role for all of the sales department users. Configure the role to have read access to the sales transactions. Ensure that all of the reports that access the sales transaction data restrict read access to the data from the corresponding sales department region only.

Relying solely on reports to restrict regional data access is insecure because it enforces security at the presentation layer rather than at the database level, leaving the underlying data exposed.

Concept tested: Dynamic role-based row-level security for regional data access

Source: https://learn.microsoft.com/en-us/analysis-services/multidimensional-models/roles-and-permissions-analysis-services

Topics

#SSAS role design#region-based security#dynamic access#row-level security

Community Discussion

No community discussion yet for this question.

Full 70-466 Practice