Question 133

HOTSPOT

You have an Azure subscription named Sub1 that contains the blob containers shown in the following table.

Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope.

You have a condition named Condition1 as shown in the following exhibit.

You have a condition named Condition2 as shown in the following exhibit.

You assign roles to User1 and User2 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
sugarbubbles

Answer is NNY. The conditions are difficult to read, but they mean (according to reference 1):
a. If the user performs a reading operation, then he may only read from "cont1"
b. If the user performs a writing operation, then he may only write to blobs like "*2*"
Given that, then:
1. User 1 can read Blob2 - No, because he is reading, so condition a. applies, and he is not reading cont1
2. User 1 can read Blob3 - No, because he is reading, so condition a. applies, and he is not reading cont1
3. User 2 can read blob 1 - Yes. He is not writing, so condition b. does not apply. He has permissions granted by the role on the scope he is reading - Storage Blob Data Owner on storage1, which contains blob1
References:
1. https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format
2. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

[Removed]

ANSWER IS NNY. Condition1 - the read action cannot be performed since it is enclosed in parentheses with an exclamation point, which indicates NOT. It also includes OR, which means that if the resource name string is equal to "cont1" then it cannot read it, again because it is all enclosed in a !(condition). So, USER1 CAN READ BLOB2? No, because it falls under a condition that it cannot read. USER1 CAN READ BLOB2? No. Again, because it falls under a condition that it cannot read. USER2 CAN READ BLOB1? Yes. Condition2 says that it cannot write, or if it contains a string like "2" (wildcard search with * asterisk). It surpasses all the conditions into false. Note: User1 has a Reader role, but it also has Condition1, which prevents it from reading. User2 is the owner, so it has read and write permission, but it also has Condition2, which prevents it from writing. But it can read.

Aniruddha_dravyakar

I agree, Joshua, thanks

Batiste2023

Please consult the syntax reference on this topic: exclamation marks just introduce the ACTION section of a condition - they do not imply a negation (although that's what I, too, first thought...).
To summarize the syntax, each condition includes:
- an ACTION part that determines which action is to be limited by the condition, and
- an EXPRESSION part that says under which circumstances the action is allowed (expression evaluates to TRUE) or not (evaluates to FALSE).
Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format#simple-condition
In the light of this, the correct answers are:
N: the expression evaluates to FALSE
N: the expression evaluates to FALSE
Y: the action mentioned in the condition does not apply to what the question asks about.

QL112233

In human language: the reader role cannot read unless it's blob one; the writer role cannot write unless it's blob 2.

HoT77777

Based on the documentation, it is NNY

Lapiduse

This is not an answer

Ycheqri

Totally agree with this answer. Explanation: in a nutshell, the two conditions can be read as such:
- Condition 1: User 1 can read only blobs from container cont1
- Condition 2: User 2 can write only to blobs with a path matching the pattern *2*
User 1 has Azure Blob Data Reader but is restricted to reading only blobs in the container. User 2 has Azure Blob Data Owner and doesn't have any read restrictions (the condition targets the write action). That means he can read all blobs from all containers in the storage account.
Documentation: https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format

Ycheqri

Forgot to mention the authorized read container for User 1. User 1 has Azure Blob Data Reader but is restricted to reading only blobs in container Cont1.

Aniruddha_dravyakar

There is an OR condition

LovelyGroovey

I say Yes-Yes-No. Here is why I think it's Yes-Yes-No. It says, "Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope." User1 and User2 got the Reader role. So, they both can read. However, there are conditions: Condition1 and Condition2. If you look at ActionMatches in blue, Condition1 has blobs/read' and Condition2 has blobs/write'. Normally an Owner can read. But it does not say blobs/read' on Condition2, which is linked to User2 (Owner) in this case. So, User2 (Owner) cannot read blob1 this time. Let me know if my logic is wrong.

mojo86

Ans is YYY. User1 and User2 have the Reader role at the Sub1 scope. In Azure Policy, scope takes precedence over condition. The policy scope determines which Azure resources the policy applies to. If a policy's scope is defined to apply to a specific resource group, subscription, or management group, then the policy will only affect resources within that scope, regardless of the conditions defined in the policy. Conditions are used to further refine the policy's application within the specified scope, but the scope itself is the primary factor in determining where the policy is enforced.

ITpower

All three of them: YES YES YES, because both users have been assigned the Reader role on Sub1. Now the conditions are that User2, while he has the Reader role on Sub1, has at the same time been assigned Storage Blob Data Owner, which means all data in this storage can be read and written, so the condition added to this user is only for writing.

Miccc

Answer is NNN. The condition has an OR check, not AND.

robsoneuclides

NNY the image is wrong

roobzn

I thought the answer is YYN. Because isn't the "!" in front of the action standing for "NOT"? So isn't it saying: if the action is everything but NOT reading (in condition a) and NOT writing (in condition b)? Not trying to confuse people, just asking..

Amir1909

No No Yes

adilkhan

N N Y is correct!

Oskarma

I'm sorry guys, but I think the correct answer is N - N - N, because in the Learn page about the conditions syntax: https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format#:~:text=The%20following%20condition,blobs%2Dexample%2Dcontainer%27%0A%20%20%20%20)%0A) there is an example similar to our case, and it is explained so: "The following condition has an action of 'Read a blob'. The expression checks whether the container name is blobs-example-container."
(
    (
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
    )
    OR
    (
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
    )
)
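To make the syntax that Batiste2023 and Oskarma describe concrete, here is an added Python evaluator (example code, not from this thread and not Microsoft's engine) for the `!(ActionMatches{...}) OR (expression)` shape. The attribute keys `container:name` and `blobs:path`, the two sample conditions and the container/blob names are constructed from the thread's description of the missing exhibits, so they are assumptions rather than the question's real tables.

```python
# Added example: a minimal evaluator for Azure ABAC conditions of the form
#   ( !(ActionMatches{'<action>'}) ) OR ( <expression> )
# The left side is TRUE for every action other than the named one, so the
# condition only ever restricts that action; "!" is not a blanket "deny".
import fnmatch
from dataclasses import dataclass

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"


@dataclass(frozen=True)
class Condition:
    action: str      # target of ActionMatches{...}
    attribute: str   # assumed attribute key, e.g. "container:name" or "blobs:path"
    operator: str    # "StringEquals" or "StringLike"
    value: str


def expression_true(cond: Condition, attrs: dict) -> bool:
    """Evaluate the EXPRESSION part against the resource attributes."""
    actual = attrs.get(cond.attribute, "")
    if cond.operator == "StringEquals":
        return actual == cond.value
    if cond.operator == "StringLike":          # '*' wildcard, as in '*2*'
        return fnmatch.fnmatchcase(actual, cond.value)
    raise ValueError(f"unsupported operator {cond.operator}")


def condition_allows(cond: Condition, action: str, attrs: dict) -> bool:
    """!(ActionMatches{action}) OR (expression)."""
    return action != cond.action or expression_true(cond, attrs)


def is_allowed(role_actions: set, conditions: list, action: str, attrs: dict) -> bool:
    """The role must grant the data action AND every attached condition must hold."""
    return action in role_actions and all(condition_allows(c, action, attrs) for c in conditions)


# Constructed scenario (assumption, following the thread's reading of the exhibits).
# The subscription-scope Reader role carries no blob data actions, so it is not modelled.
COND1 = Condition(BLOB_READ, "container:name", "StringEquals", "cont1")   # read only from cont1
COND2 = Condition(BLOB_WRITE, "blobs:path", "StringLike", "*2*")           # write only to *2*
DATA_READER = {BLOB_READ}
DATA_OWNER = {BLOB_READ, BLOB_WRITE}


def user1_can_read(container: str, blob: str) -> bool:
    return is_allowed(DATA_READER, [COND1], BLOB_READ, {"container:name": container, "blobs:path": blob})


def user2_can(action: str, container: str, blob: str) -> bool:
    return is_allowed(DATA_OWNER, [COND2], action, {"container:name": container, "blobs:path": blob})
```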

belyo

So conditions take precedence over the general role assignment and the answer is NO NO YES, or everyone misread that "Both users are assigned the Reader role at the Sub1 scope" and the answer is YES YES YES. So confusing...

ximim58473

The answer is NNY

OscarFRItz

Tested: NNY

testtaker09

was in the exam today 17/06/2024

3c5adce

Based on the documentation, it is NNY

vsvaid

No-No-Yes