
AZ-500 Exam - Question 410


HOTSPOT


You have an Azure subscription that contains two users named User1 and User2 and the blob containers shown in the following table.

Policy1 is configured as shown in the following exhibit.

You assign the roles for storage1 as shown in the following table.

The storage1 account has the following shared access signature (SAS) named SAS1:

• Allowed services: Blob

• Allowed resource types: Container

• Allowed permissions: Read, Write, List, Add, Create

• Blob versioning permissions: enables deletion of versions

• Allowed blob index permissions: Read/Write

• Start and expiry date/time:

o Start: 12/1/2021

o End: 12/31/2021

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion

17 comments
tutonata
Mar 7, 2023

Y: container 2 doesn't have the policy applied, so the SAS is in full effect. N: the policy is applied to container 1 and limits permissions to READ. N: the SAS expired on Dec 31, 2021, so it's invalid. RBAC roles are irrelevant here since the statements say WHEN USING SAS1. Using a SAS in a URL has nothing to do with user RBAC assignments.

adminpack
Oct 2, 2023

CGPT: So, when there's a conflict, the more restrictive setting usually wins. If a SAS associated with a container's Access Policy tries to perform an action the Access Policy doesn't allow, the action will be denied. Conversely, if the SAS itself has more restrictive permissions than the Access Policy it's associated with, then the SAS's restrictions apply.

hfk2020
Oct 20, 2023

Tested in lab: SAS token permissions superseded the read-only access policy. If the SAS token has write permissions allowed, then you can write to the container.

heatfan900
Sep 13, 2023

Y, Y, N. User 1 can write to container 2 because the SAS TOKEN allows it at the STORAGE ACCT level between 12/1 and 12/31; therefore, you, the user, will have the access outlined in the token against any container hosted in the SA. User 2 can write to container 1 for the same reasons as User 1 can for container 2. User 1 cannot read from container 2 based on the SAS TOKEN on 1/10/22 because it expired on 12/31. A SAS TOKEN is a collection of permissions issued against, in this case, an SA, which bypasses any policy or RBAC assignments within Azure. It operates based on its own configuration. This is why anyone, whether part of the Azure tenant or not, can use the SAS TOKEN to access files. Think of it as a link sent to a friend to share a file hosted in Dropbox.

Pamban
May 14, 2024

Agreed with the answer. The SAS token permission is in effect over the read-only access policy, so the answer is YYN.

AzureJobsTillRetire
Jan 16, 2023

The given answers look correct to me. The shared access signature (SAS) does not have the access policy applied to it, so only the SAS applies, and both policy and RBAC do not apply. "a service SAS can reference a stored access policy that provides another level of control over a set of signatures." https://learn.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature

AzureJobsTillRetire
Jan 27, 2023

I meant that in this particular question both access policy and RBAC do not apply, and we have to only look at the SAS to answer the question items.

zellck
Apr 29, 2023

YNN is the answer. https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature. You can also use a stored access policy to revoke a signature after it has been issued.

majstor86
Mar 4, 2023

YES YES NO

danco104
Mar 16, 2023

User1 has the Storage Blob Data Reader role on Storage1. Does it not mean a limitation? Not sure, but in that case question 1 should be NO. Am I right or not?

[Removed]
Aug 17, 2023

NNN. N: User1 does not have a write role permission. N: the policy is applied to container 1 and limits permissions to READ. N: the SAS expired on Dec 31, 2021, so it's invalid.

Mnguyen0503
Jan 13, 2024

Wrong. SAS1 gives User1 Write permission. RBAC is not applied here when SAS is in use.

xxavimr
Nov 25, 2023

The second is NO. According to the documentation, "A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side." https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy They are compatible, as it is a service SAS.

Nick66
Jan 31, 2023

For me the second answer should be NO because a stored access policy restricts the permissions configured at the SAS: Shared access signatures (SAS) enable restricted access to entities within a storage account. A stored access policy provides additional control over service-level SAS on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

sapthami
Apr 13, 2023

1. No - because User1 has the Storage Blob Data Reader role assigned.

sapthami
Apr 13, 2023

2. Yes. 3. No - because User1 can read from Container2.

ETV
Apr 23, 2023

correct

TheProfessor
Oct 8, 2023

Answer is correct. SAS1 is applied at the STORAGE LEVEL.

PapaLion
Apr 19, 2023

Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints—the start time, expiry time, and permissions—defined for the stored access policy.
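
The rules quoted from the documentation above (a service SAS bound to a stored access policy inherits the policy's start, expiry and permissions; deleting the policy revokes the signatures bound to it; a token outside its validity window is rejected whatever it permits) and the SAS1 parameters listed in the question can be made concrete with a small decision model. The following Python is an added example written for this page; it is not code from Microsoft, from the Azure SDK, or from any commenter. It does not verify the `sig` value, it treats the policy lookup as an in-memory dictionary, and the tokens, policy name and timestamps are constructed for illustration (the real Policy1 exhibit is not reproduced here).

```python
"""Model of how Azure Storage decides whether a SAS-authorized request is permitted.

Rules modeled (constructed example, based on the Azure Storage REST docs quoted in
this thread):
  * a SAS that references no stored access policy is evaluated on its own
    sp / st / se parameters only;
  * a service SAS that references a stored access policy (si=<name>) inherits the
    start, expiry and permissions defined on that policy;
  * removing the referenced policy revokes every SAS bound to it;
  * outside the start..expiry window the token is invalid regardless of permissions;
  * an account SAS (ss= / srt= present) cannot reference a stored access policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class StoredAccessPolicy:
    """A stored access policy defined on a container; only the fields set here apply."""
    start: Optional[datetime] = None
    expiry: Optional[datetime] = None
    permission: Optional[str] = None   # permission letters as in 'sp', e.g. "r" or "rwl"


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight, used for the constructed timestamps below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_time(value: str) -> datetime:
    # SAS timestamps are ISO 8601 in UTC, e.g. 2021-12-31T23:59:59Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_sas(token: str) -> Dict[str, str]:
    """Split a SAS query string into its fields (the 'sig' value is not verified here)."""
    return {key: values[0] for key, values in parse_qs(token.lstrip("?")).items()}


def effective_constraints(sas: Dict[str, str],
                          policies: Dict[str, StoredAccessPolicy]
                          ) -> Tuple[Optional[datetime], Optional[datetime], str]:
    """Return the (start, expiry, permissions) the service would actually enforce."""
    start = _parse_time(sas["st"]) if "st" in sas else None
    expiry = _parse_time(sas["se"]) if "se" in sas else None
    permission = sas.get("sp", "")
    identifier = sas.get("si")
    if identifier is None:
        # No policy bound: the token's own parameters are the whole story.
        return start, expiry, permission
    if "ss" in sas:
        # Account SAS tokens cannot be bound to a stored access policy.
        raise ValueError("account SAS cannot reference a stored access policy")
    policy = policies.get(identifier)
    if policy is None:
        # Policy deleted or never existed: every SAS bound to it is revoked.
        raise PermissionError(f"stored access policy {identifier!r} not found; SAS revoked")
    # Fields defined on the policy take precedence over the token's own fields.
    return (policy.start or start,
            policy.expiry or expiry,
            policy.permission if policy.permission is not None else permission)


def is_allowed(token: str, policies: Dict[str, StoredAccessPolicy],
               operation: str, at: datetime) -> bool:
    """True if a request performing `operation` ('r', 'w', 'l', ...) at `at` is permitted."""
    sas = parse_sas(token)
    try:
        start, expiry, permission = effective_constraints(sas, policies)
    except (PermissionError, ValueError):
        return False
    if expiry is None:
        return False            # the service requires an expiry on the token or the policy
    if start is not None and at < start:
        return False
    if at >= expiry:
        return False            # an expired token is rejected regardless of permissions
    return operation in permission


# Constructed inputs: an account SAS shaped like SAS1 (blob service, container resource
# type, rwlac, valid Dec 2021) and a service SAS bound to a constructed read-only policy.
ACCOUNT_SAS = ("ss=b&srt=c&sp=rwlac&st=2021-12-01T00:00:00Z"
               "&se=2021-12-31T23:59:59Z&sig=PLACEHOLDER")
SERVICE_SAS_WITH_POLICY = "sr=c&si=readonly-policy&sig=PLACEHOLDER"
POLICIES = {"readonly-policy": StoredAccessPolicy(start=utc(2021, 12, 1),
                                                  expiry=utc(2022, 1, 1),
                                                  permission="r")}

if __name__ == "__main__":
    print("account SAS, write on 2021-12-15:", is_allowed(ACCOUNT_SAS, POLICIES, "w", utc(2021, 12, 15)))
    print("account SAS, read on 2022-01-10: ", is_allowed(ACCOUNT_SAS, POLICIES, "r", utc(2022, 1, 10)))
    print("policy SAS, write on 2021-12-15: ", is_allowed(SERVICE_SAS_WITH_POLICY, POLICIES, "w", utc(2021, 12, 15)))
    print("policy SAS after policy deleted: ", is_allowed(SERVICE_SAS_WITH_POLICY, {}, "r", utc(2021, 12, 15)))
```

The model makes the two distinctions the thread argues about explicit: a token that carries its own `sp`/`st`/`se` and no `si` is judged on those fields alone, while a token whose `si` names a policy is judged on the policy's fields. Revoking a bound token is just a matter of deleting the policy, which is why defenders prefer policy-bound service SAS over long-lived ad-hoc tokens.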

PapaLion
Apr 19, 2023

BOX 1: YES because the SAS wins; no policy is applied. BOX 2: NO because the policy wins over the SAS token. BOX 3: YES because the policy is expired and the SAS wins. This is my honest opinion.

zellck
Apr 29, 2023

For 3, SAS1 has also expired.

sigvast
Jul 15, 2023

Given answers are correct. A stored access policy by itself does nothing if not linked to a SAS. So in this question, RBAC and policies are irrelevant and you only have to look at the SAS settings.

ServerBrain
Aug 5, 2023

BOX 1: User1 has the Storage Blob Data Reader role assigned, so cannot write to container1.

epomatti
Jan 4, 2024

Nowhere in the question does it state that the SAS was generated with the stored policy.

bxlin
May 20, 2024

1: Y, the SAS applies. 2: N, the stored access policy wins. 3: N, the SAS expired.