Databricks Certified Data Engineer Professional — Question 113

The data engineering team has been tasked with configuring connections to an external database that does not have a supported native connector with Databricks. The external database already has data security configured by group membership. These groups map directly to user groups already created in Databricks that represent various teams within the company.

A new login credential has been created for each group in the external database. The Databricks Utilities Secrets module will be used to make these credentials available to Databricks users.

Assuming that all the credentials are configured correctly on the external database and group membership is properly configured on Databricks, which statement describes how teams can be granted the minimum necessary access to using these credentials?

Answer options

• A. No additional configuration is necessary as long as all users are configured as administrators in the workspace where secrets have been added.
• B. "Read" permissions should be set on a secret key mapped to those credentials that will be used by a given team.
• C. "Read" permissions should be set on a secret scope containing only those credentials that will be used by a given team.
• D. "Manage" permissions should be set on a secret scope containing only those credentials that will be used by a given team.

Correct answer: C

Explanation

The correct answer is C because setting 'Read' permissions on a secret scope ensures that only the specific credentials needed by a team are accessible, thus granting minimal access. Option A is incorrect as administrator access is too broad and not necessary for granting specific access to credentials. Option B does not provide a sufficient level of granularity as it refers to a secret key instead of a scope. Option D would grant excessive permissions by allowing 'Manage' rights rather than just 'Read' rights.