CERTIFIED-DATA-ENGINEER-PROFESSIONAL · Question #90
The data engineer team has been tasked with configured connections to an external database that does not have a supported native connector with Databricks. The external database already has data secur
The correct answer is C. "Read" permissions should be set on a secret scope containing only those credentials that will be. Databricks Secret ACLs are managed at the secret scope level, not the individual key level. To apply the principle of least privilege, you create one secret scope per group containing only that group's credentials, then grant 'Read' permission on that scope to the corresponding D
Question
The data engineer team has been tasked with configured connections to an external database that does not have a supported native connector with Databricks. The external database already has data security configured by group membership. These groups map directly to user group already created in Databricks that represent various teams within the company. A new login credential has been created for each group in the external database. The Databricks Utilities Secrets module will be used to make these credentials available to Databricks users. Assuming that all the credentials are configured correctly on the external database and group membership is properly configured on Databricks, which statement describes how teams can be granted the minimum necessary access to using these credentials?
Options
- A"Read'' permissions should be set on a secret key mapped to those credentials that will be used
- BNo additional configuration is necessary as long as all users are configured as administrators in
- C"Read" permissions should be set on a secret scope containing only those credentials that will be
- D"Manage" permission should be set on a secret scope containing only those credentials that will
How the community answered
(18 responses)- C94% (17)
- D6% (1)
Explanation
Databricks Secret ACLs are managed at the secret scope level, not the individual key level. To apply the principle of least privilege, you create one secret scope per group containing only that group's credentials, then grant 'Read' permission on that scope to the corresponding Databricks group. 'Read' allows users to retrieve secrets but not manage or list them. 'Manage' (option D) would grant excessive permissions including the ability to alter ACLs. Granting access at the key level (option A) is not how Databricks Secret ACLs are designed to work. Making all users administrators (option B) would violate least privilege entirely.
Topics
Community Discussion
No community discussion yet for this question.