Exam SC-300
Question 282

DRAG DROP


You have an Azure subscription that contains the resources shown in the following table.

The subscription uses Privileged Identity Management (PIM).

You need to configure the following access controls by using PIM:

• Ensure that User1 can read and update Secret1.

• Ensure that User2 can read the contents of the secrets stored in Vault2.

The solution must follow the principle of least privilege.

Which authorization method should you use for each user? To answer, drag the appropriate authorization methods to the correct users. Each authorization method may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
penatuna

Question says: "You need to configure the following access controls by using PIM". So, with PIM, you'll need a (RBAC) role, so you cannot use Access Policy permissions. For User1, the least privileged role is Key Vault Secrets Officer. Key Vault Secrets Officer can perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. For User2, the least privileged role is Key Vault Secrets User. Key Vault Secrets User can read secret contents including secret portion of a certificate with private key. Only works for key vaults that use the 'Azure role-based access control' permission model. NOTE! In reality, the better way would be to use a custom role for more fine-grained permissions.
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration

Sneekygeek

Secrets Officer to read and update secrets, Secrets User to only read secrets.
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Ody__

I think this is an old question and the access policy (legacy) answers are correct. The given answers are not based on the principle of least administrative control. For User1, they give much more access than just to Secret1. User1 should have Set; User2 should have List.
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details

klayytech

If you use SET, it will reflect in ALL key vault secrets. The only way to grant access to one secret is to use an (RBAC) role.

thetootall

On exam 7/18/24. For User1, the least privileged role is Key Vault Secrets Officer. For User2, the least privileged role is Key Vault Secrets User.

klayytech

For User1, the least privileged role is Key Vault Secrets Officer. Key Vault Secrets Officer can perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. For User2, the least privileged role is Key Vault Secrets User. Key Vault Secrets User can read secret contents including secret portion of a certificate with private key. Only works for key vaults that use the 'Azure role-based access control' permission model.
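The assignments that penatuna and klayytech describe (built-in data-plane roles, scoped to a single secret for User1 and to the whole vault for User2, created as PIM-eligible assignments), as an added Az PowerShell example that is not part of the question or any commenter's post. It assumes the Az.Resources and Az.KeyVault modules, that Secret1 lives in a vault named Vault1, that both vaults sit in a resource group RG1, and placeholder UPNs for the two users.

```powershell
# Added example: PIM-eligible, least-privilege Key Vault access for User1 and User2.
# Assumptions (not in the question): vault "Vault1" holds Secret1, resource group "RG1",
# and the two placeholder UPNs below.
$sub   = (Get-AzContext).Subscription.Id
$rg    = 'RG1'
$user1 = (Get-AzADUser -UserPrincipalName 'user1@contoso.example').Id   # placeholder UPN
$user2 = (Get-AzADUser -UserPrincipalName 'user2@contoso.example').Id   # placeholder UPN

# The data-plane roles only take effect on vaults using the RBAC permission model,
# so stop early if either vault is still on access policies.
foreach ($v in 'Vault1', 'Vault2') {
    $kv = Get-AzKeyVault -VaultName $v -ResourceGroupName $rg
    if (-not $kv.EnableRbacAuthorization) {
        throw "$v still uses the access-policy model; switch it to Azure RBAC first."
    }
}

# Narrowest built-in roles that satisfy each requirement (looked up, not hard-coded).
$officer = Get-AzRoleDefinition -Name 'Key Vault Secrets Officer'   # read + update secrets
$reader  = Get-AzRoleDefinition -Name 'Key Vault Secrets User'      # read secret contents only

# Scope is what enforces least privilege: one secret for User1, one vault for User2.
$scope1 = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/Vault1/secrets/Secret1"
$scope2 = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/Vault2"

function New-EligibleAssignment($principalId, $roleDef, $scope) {
    # RequestType AdminAssign creates an *eligible* assignment; the user activates it via PIM.
    New-AzRoleEligibilityScheduleRequest -Name (New-Guid).ToString() -Scope $scope `
        -PrincipalId $principalId `
        -RoleDefinitionId "/subscriptions/$sub/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)" `
        -RequestType AdminAssign `
        -ScheduleInfoStartDateTime (Get-Date -Format o) `
        -ExpirationType AfterDuration -ExpirationDuration 'P365D' `
        -Justification 'Least-privilege Key Vault access via PIM'
}

New-EligibleAssignment $user1 $officer $scope1   # User1: read/update Secret1 only
New-EligibleAssignment $user2 $reader  $scope2   # User2: read secrets in Vault2 only

# Verify: each eligibility should show the expected principal at the expected scope.
Get-AzRoleEligibilitySchedule -Scope $scope1 | Select-Object PrincipalId, RoleDefinitionId, Scope
Get-AzRoleEligibilitySchedule -Scope $scope2 | Select-Object PrincipalId, RoleDefinitionId, Scope
```

Because the eligibility is created at the secret scope, User1 gains nothing on other secrets in Vault1, which is the distinction klayytech draws against a vault-wide Set access policy.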