Exam DP-203 All QuestionsBrowse all questions from this exam
Go to Exam
Question 256

HOTSPOT -

You are designing an Azure Synapse Analytics dedicated SQL pool.

Groups will have access to sensitive data in the pool as shown in the following table.

You have policies for the sensitive data. The policies vary be region as shown in the following table.

You have a table of patients for each region. The tables contain the following potentially sensitive columns.

You are designing dynamic data masking to maintain compliance.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Reference:

    https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview

Discussion
[Removed]

The Answer should be No, No, No. Analysts have access to in-region sensitive data, so the first one should be No. Engineers have access to all numeric sensitive data, Height is patient’s height in CM, so the second and third one should also No.

Slena

I think you are right because question is about masking rule required, and masking rule is to mask data. In all 3 questions, the data that is mentioned should be visible to the group of users that is mentioned so therefore a masking rule is not required.

anto69

Agree with you and I've to say that this question very bad formulated

Aditya0891

No it is not. It's a proper question and very neatly formulated. This is to test if you know how the masking rules are applied

dsp17

100 % Agreed.

Dusica

Either that or the question is poorly formulated. It may be that those roles require access to tables containing those columns but should not see the columns in which case the answers are correct

Dusica

actually then it would be all Y, because engineers have access to all regions to numeric data (hight)

HaBroNounen

the solution is correct: Yes, no, yes. Just because somebody has access, doesnt mean that they dont need any dynamic masking. It just means that they have access and a policy is required. If they had no access, then obviously no data masking is required. Statement 1: Analysts in Region A have access to (all) the following sensitive data in region A: CardOnFile, Heigth and ContactEmail. Since financial (CardOnFike) and PII (ContactEmail) are considered sensitive data you need dynamic data masking: so Yes. Statement 2 & 3: Engineers have access to all numeric sensitive data (which means in every region). So they have access to height. Height is medical and therefore only sensitive in Region B according to the second table, but not in Region A. So Statement 2 is “No” and Statement 3 is “Yes”

Julius7000

I think You are correct

noranathalie

I would go for this answer as well.. otherwise the double question 2 and 3 would be useless..

YLiu

But for statement 1, [height] is not considered sensitive data for Region A, so it should not require data mask on [height]. -> A is NO Also I am confused about whether we should apply the policy of sensitive data based on the region of data or the region of the requester (eg engineer from region C requesting data of region A)?

learnwell

This explanation is nice

Dhaval_Azure

after reading discussion very confused. What could be the answer.

rcpaudel

Correct answer is YES, NO & YES, look at the explanation from essade underneath. The fact that the data should be unmasked for certain group, these are masked by some rules. After masking, some are unmasked for required group- this holds for Q1 & Q3. Q2 does not have height on it and hence no rule is needed.

esaade

Analysts in RegionA require dynamic data masking rules for [Patients RegionA]. Yes. Since analysts in RegionA have access to in-region sensitive data, which includes PII, dynamic data masking rules should be implemented for the [Patients RegionA] table to mask the [ContactEmail] column which contains PII. Engineers in RegionC require a dynamic data masking rule for [Patients RegionA], [Height]. No. Engineers in RegionC have access to all numeric sensitive data, but [Height] is not considered sensitive data in RegionC, only in RegionB. Therefore, there is no need to implement a dynamic data masking rule for [Height] in RegionC. Engineers in RegionB require a dynamic data masking rule for [Patients RegionB], [Height]. Yes. Engineers in RegionB have access to sensitive data, including medical data, which includes the [Height] column in the [Patients RegionB] table. Therefore, dynamic data masking should be implemented for the [Height] column in the [Patients RegionB] table.

Alongi

I found this question on my exam 30/04/2024, and I put Yes/no/Yes. I passed the exam with a high score, but I'm not sure if the answer is correct.

auwia

First: NO, because there a no medical data in the region A. Second and Third, NO, because data engineers can see numeric data in all regions (heigth is number).

dakku987

You have a table of patients for each region. The tables contain the following potentially sensitive columns. they have specify that each region have patient table

evangelist

the answer is : No, No,NO

jjay86

This is the worst question I have come across.

Alongi

What the hell? It's a very confusing question!

Mausar

The question is poorly written. The problem is that you define dynamic data masking directly on the column and its enabled for every one (except admins, db_owner and etc...) Then you GRANT UNMASK permission for those that needed access to the original content. If you look that way (who needs grant unmask) the provided answers are correctly. If you think of enable or not enable masking its No, No and No. (but for me doesn´t make sense)

kkk5566

in oder, y,n,y

janaki

Answer should be NO, NO, NO. Analyst have access to in-region sensitive data, Engineers have access to all numeric sensitive data.

g2000

last one is yes... in region b, financial, pii and medical are sensitive data. but engineers have access to all numeric sensitive data. pii is sensitive data.

chryckie

Q1: Yes, these users need to see past any default masking. Analysts have access to in-region sensitive data. So, since they're in RegionA looking at RegionA data, the default masking should be dynamically removed for them. Q2: No, these users should see data with default masking. You have to assume that Enhanced Access only apply to users when they are in their own region. Since the Engineers are outside of the region, they are treated as regular users, with default masking. Perhaps there's some documentation in Azure that says you can't enhance access for users outside of a given region, but I'm not aware of any. Personally, I feel the wording of the Enhanced Access makes me assume it's "region agnostic". However, the given answer (of No) seems to imply otherwise. Q3: Yes, these users need to see past SOME default masking. There's a lot to consider, but I assume because the Engineers need to see numeric data, and both Financial and Medical data is numeric, they need to SOME data unmasked.

chryckie

This is a poorly worded question, in my opinion. I eventually came to accept the given answer of Yes, No, Yes. However, my gut would have had me say No (no masking), Yes (mask e-mail), Yes (mask e-mail). These were the questions I had when trying to sort through this one. 1. Is Enhanced Access truly defined as only applicable should the user be in the same region as the data? (I didn't want to.) 2. Should we only be considering the Height field for Q2, Q3? (Hard to say, with that comma....) 3. If we're meant to consider the full table, then (a) is it a "Yes" if ANY data needs to be unmasked, or (b) is it only a "Yes" if ALL data needs to be unmasked? (I'd assume A.) 4. Does the region of the Engineer matter at all? (I doubt it.) Not fun to sort through before committing to an answer. (I spent way too long typing this up too.)

chryckie

Answer: Yes, No, Yes. This is a poorly worded question, in my opinion. I eventually came to accept the given answer of Yes, No, Yes. However, my gut would have had me say No (no masking), Yes (mask e-mail), Yes (mask e-mail). I initially assumed that "Yes" meant the user should have the data masked/treated for them. Based on the given answers (of Yes, No, Yes) it seems like it's the opposite

chryckie

Answer: Yes, No, Yes. This is a poorly worded question, in my opinion. I eventually came to accept the given answer of Yes, No, Yes. However, my gut would have had me say No (no masking), Yes (mask e-mail), Yes (mask e-mail).

chryckie

Sorry for the spam. The site was throwing an error when I would try to submit my full comment....

Billybob0604

This answer is clearly NO, NO, NO

XiltroX

The answer is No for all questions. Engineers have full access to all data so no need for data masking. Analysts have access to in region data already.