Exam DP-203
Question 272

You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant that contains a service principal named ServicePrincipal1. The subscription contains an Azure Data Lake Storage account named adls1. Adls1 contains a folder named Folder2 that has a URI of https://adls1.dfs.core.windows.net/container1/Folder1/Folder2/.

ServicePrincipal1 has the access control list (ACL) permissions shown in the following table.

You need to ensure that ServicePrincipal1 can perform the following actions:

✑ Traverse child items that are created in Folder2.

✑ Read files that are created in Folder2.

The solution must use the principle of least privilege.

Which two permissions should you grant to ServicePrincipal1 for Folder2? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: A, F

    To ensure that ServicePrincipal1 can traverse child items and read files created in Folder2 while adhering to the principle of least privilege, you need to grant the following permissions: 'Access - Read' and 'Default - Execute'. 'Access - Read' allows ServicePrincipal1 to read files in Folder2, and 'Default - Execute' ensures that ServicePrincipal1 can traverse any new child items (like subfolders) created inside Folder2.

Discussion
kl8585 Options: CD

Phrased differently, the question for me says: if you create "Folder3" inside Folder2, you should be able to read files created in Folder3. This means that you for sure need Execute and Read permissions on Folder2 (Execute to traverse the child folder, Read to read the files). Now, starting from the least privilege, suppose you give "Access" permission both for read and execute. In this case, you can't read files created in Folder3. This is a requirement ("child items that are created in Folder2"), so you need Default Read access. You don't need Default Execute, otherwise you would have access to a folder created in Folder3 (say Folder4) and this is not required, so for the least privilege you must give Access Execute and not Default Execute.

yogiazaad

Requirement 1 says: Traverse child items that are created in Folder2. That means you need to be able to traverse the subfolders under Folder2. So Default:Execute is a required permission.

Sr18

Given answers (D & F) are correct. The reason is the basic difference between Access and Default ACLs. Access ACL: is for existing items. Default ACL: is a template ACL for new items to be created. Here the question says traverse and read child items that are created in Folder2. So Access ACLs will fail to provide access to new files, so we need to add Default ACLs for new files.

bokLuci Options: CD

C - You need to traverse Folder2 only and no potential children folders - principle of least privilege. D - You need to pass on the READ access to the files in Folder2. Default ACLs are not passed to files but we are not setting the permission on a file level, we are setting it on Folder2.

Lewiasskick

cannot agree more, and do not need to over think :)

esaade Options: DF

Based on the permissions table provided, the ServicePrincipal1 has "Access - Execute" permission on container1, "Access - Execute" permission on Folder1, and "Access - Read" permission on Folder2. To allow ServicePrincipal1 to traverse child items that are created in Folder2 and read files created in Folder2, you should grant the "Default - Read" and "Default - Execute" permissions on Folder2. The "Default - Read" permission allows ServicePrincipal1 to read files created in Folder2, and the "Default - Execute" permission allows ServicePrincipal1 to traverse child items that are created in Folder2. Therefore, the correct answer is: D. Default - Read F. Default - Execute

AzureJobsTillRetire Options: DF

Default Read and Execute are required. The reason is as below. In the POSIX-style model that's used by Data Lake Storage Gen2, permissions for an item are stored on the item itself. In other words, permissions for an item cannot be inherited from the parent items if the permissions are set after the child item has already been created. Permissions are only inherited if default permissions have been set on the parent items before the child items have been created. Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control
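The inheritance rule from the Microsoft documentation cited in the comment above can be modelled in a few lines. This is an added example, not part of any poster's comment: the `Node` class, the file names and the ACL values are constructed for illustration (they are not the exam's missing table), and the model assumes a single named principal while ignoring the mask, umask, owning user/group and Azure RBAC.

```python
# Simplified model of ADLS Gen2 POSIX-style ACLs for one named principal.
# Assumptions: mask, umask, owning user/group, "other" and RBAC are ignored.

class Node:
    def __init__(self, name, is_dir, parent=None):
        self.name, self.is_dir, self.parent = name, is_dir, parent
        self.access = {}    # principal -> set of "r", "w", "x"
        self.default = {}   # directories only: template for new children
        self.children = {}

    def create(self, name, is_dir):
        """Create a child; the parent's default ACL is copied at creation time."""
        child = Node(name, is_dir, self)
        child.access = {p: set(perms) for p, perms in self.default.items()}
        if is_dir:  # files never carry a default ACL
            child.default = {p: set(perms) for p, perms in self.default.items()}
        self.children[name] = child
        return child

def resolve(root, path):
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
    return node

def can_read_file(root, path, principal):
    """Read needs x on every ancestor directory and r on the file itself."""
    target = resolve(root, path)
    node = target.parent
    while node is not None:
        if "x" not in node.access.get(principal, set()):
            return False
        node = node.parent
    return "r" in target.access.get(principal, set())

def build_demo():
    """Constructed tree; ACL values are illustrative, not the exam's table."""
    sp = "ServicePrincipal1"
    root = Node("container1", True)
    root.access[sp] = {"x"}
    f1 = root.create("Folder1", True)
    f1.access[sp] = {"x"}
    f2 = f1.create("Folder2", True)
    f2.access[sp] = {"r", "x"}
    f2.create("before.csv", False)      # created before any default ACL exists
    f2.default[sp] = {"r", "x"}         # default ACL set afterwards
    f2.create("after.csv", False)       # inherits the default as its access ACL
    f2.create("Folder3", True).create("deep.csv", False)
    return root, sp
```

In this model `before.csv` stays unreadable because its ACL was fixed at creation time, while `after.csv` and `Folder3/deep.csv` pick up the entry from the default ACL that existed when they were created.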

MarkJoh Options: AF

I'm going with AF and here is why. The requirement "Traverse child items that are created in Folder2" -> This requires default execute so that if any child folders under folder2 get created, the user can list those folders and files. Now, because of principle of least privilege, it does NOT say that if a file is created under a subfolder (like folder2/folder2/file1.json) that they need access to it. So, it should be Access Read on folder2 so that the users only get read access to the files in folder2 and not in /folder2/folder3/*.json, for instance.

Ram9198 Options: DF

Default Execute is mandatory to traverse child items through cascade. Default Read by process of elimination.

auwia Options: AF

✑ Traverse child items that are created in Folder2. => DEFAULT EXECUTE ✑ Read files that are created in Folder2. => ACCESS READ (that was already given).

yogiazaad Options: CF

Traverse child items that are created in Folder2. This needs Default:Execute because the user needs to traverse any child items (subfolders) created under Folder2. Read files that are created in Folder2. Since the Access:Read ACL is already set on Folder2, any files that are created under Folder2 can be accessed by the user. But to see (or list) the items/files under Folder2 we need Access:Execute. So the answer is Access:Execute and Default:Execute.

Deeksha1234 Options: DF

so the answer is correct

Gman1986 Options: AF

Traverse child items that are created in Folder2 --> Default Execute Read files that are created in Folder2 --> Access Read

kkk5566 Options: DF

"Default - Read" and "Default - Execute"

learnwell Options: DF

The link https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control explains that "Default ACLs are templates of ACLs associated with a directory that determine the access ACLs for any child items that are created under that directory. Files do not have default ACLs." Now the requirement here is to 1) Traverse the child items that will be created within folder2 2) Read the files that will be created within folder2. The question states that the child items (both folders and files) within folder2 will get created, i.e., IT IS NOT YET CREATED and WILL GET CREATED IN THE FUTURE, which means the access has to be at the root directory level, which is folder2 here. And as per the Microsoft documentation, only Default ACLs will work because Access ACLs control access to an object (file or directory). Choosing Access ACL would mean each time a new child item gets created within folder2, the Access ACL has to be explicitly set for that child item at that time.

Souvik_79

Same problem. Everyone has different answers. No one knows which answer is correct. Worst part is even Gemini disagrees with ChatGPT :(

Dusica Options: AF

A and F

Alongi Options: DF

Access ACLs control access to an object. Files and directories both have access ACLs. Default ACLs are templates of ACLs associated with a directory that determine the access ACLs for any child items that are created under that directory. Files do not have default ACLs.

[Removed] Options: DF

Default Execute and Default Read, as you don't know in advance the files/folders to be created, and you need access to all of them.

Ram9198 Options: CD

Traverse requires Access Execute, file reads need Default Read.