Microsoft DP-203: What Azure Data Lake Storage ACL Permissions are Needed for Service Principal to Traverse and Read Files?

To allow an Azure AD service principal to traverse child items and read files in an Azure Data Lake Storage Gen2 folder while following least privilege, grant Access – Execute and Default – Read ACL permissions on the folder.

Question

You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant that contains a service principal named ServicePrincipal1. The subscription contains an Azure Data Lake Storage account named adls1. Adls1 contains a folder named Folder2 that has a URI of https://adls1.dfs.core.windows.net/container1/Folder1/Folder2/.

ServicePrincipal1 has the access control list (ACL) permissions shown in the following table.

Resource     Permission
container1   Access – Execute
Folder1      Access – Execute
Folder2      Access – Read

You need to ensure that ServicePrincipal1 can perform the following actions:

  • Traverse child items that are created in Folder2.
  • Read files that are created in Folder2.

The solution must use the principle of least privilege.

Which two permissions should you grant to ServicePrincipal1 for Folder2? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Access – Read
B. Access – Write
C. Access – Execute
D. Default – Read
E. Default – Write
F. Default – Execute

Answer

C. Access – Execute
D. Default – Read

Explanation

To ensure ServicePrincipal1 can traverse child items and read files created in Folder2 while following the principle of least privilege, you should grant the following two permissions to ServicePrincipal1 for Folder2:

C. Access – Execute
This permission allows ServicePrincipal1 to traverse child items in Folder2: on a directory, the Execute bit is what permits passing through it to reach the items beneath it. Access permissions apply only to the specific folder or file they are set on.

D. Default – Read
This permission allows ServicePrincipal1 to read files that are created in or added to Folder2 after the grant, because each new child item inherits the folder's default ACL entries as its own access ACL. Default permissions apply only to child items created under the folder after the default ACL is set; they are not copied onto items that already exist.

Granting Access – Read (A) is not necessary: the table shows Folder2 already has it, and a Read bit on the folder itself does not make the files inside it readable. Default – Read (D) is the entry that gets copied onto files created in Folder2, so it is what covers the requirement to read them.

The remaining options, Access – Write (B), Default – Write (E) and Default – Execute (F), are not needed for the stated requirements. Following least privilege means granting only the minimal permissions required for the service principal to perform its intended tasks.

In summary, the combination of Access – Execute and Default – Read on Folder2 allows ServicePrincipal1 to traverse Folder2 and read files that are subsequently created in it, while adhering to the principle of least privilege. Be sure to apply these permissions at the Folder2 level in the Azure Data Lake Storage Gen2 hierarchical namespace.
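The following is an added worked example, not code from the page or from Microsoft. It is a small in-memory model of the three ACL rules the answer depends on (an item's access ACL governs operations on that item; a directory's default ACL is copied onto children created after it is set; reading a file needs Execute on every directory in the path plus Read on the file) and replays the question: the table's ACLs are applied first, then the two candidate grants, and a file created before the grants is compared with one created afterwards. The principal name, the container and folder names and the two file names are taken from the question or constructed for the example.

```python
"""Toy model of how Azure Data Lake Storage Gen2 ACLs gate a file read.

Added example, not code from the page or from Microsoft. It models three
rules the question depends on: an item's access ACL governs operations on
that item; a directory's default ACL is copied onto children created
AFTER it is set (existing children are untouched); and reading a file
needs Execute on every directory along the path plus Read on the file.
File names (old.csv, new.csv) are constructed for the example.
"""
from dataclasses import dataclass, field

R, W, X = "r", "w", "x"


@dataclass
class Node:
    name: str
    is_dir: bool
    access: dict = field(default_factory=dict)   # principal -> bits on this item
    default: dict = field(default_factory=dict)  # principal -> bits for new children
    children: dict = field(default_factory=dict)

    def create_child(self, name, is_dir):
        """Create a child item; it inherits this directory's default ACL as its
        access ACL (and, for a subdirectory, as its own default ACL too)."""
        inherited = {p: set(bits) for p, bits in self.default.items()}
        child = Node(name, is_dir,
                     access=inherited,
                     default={p: set(b) for p, b in self.default.items()} if is_dir else {})
        self.children[name] = child
        return child


class Lake:
    """A container root plus nested directories and files."""

    def __init__(self):
        self.root = Node("/", True)

    def _lookup(self, path):
        node = self.root
        for part in path.strip("/").split("/"):
            node = node.children[part]
        return node

    def mkdir(self, path):
        node = self.root
        for part in path.strip("/").split("/"):
            if part not in node.children:
                node.create_child(part, True)
            node = node.children[part]
        return node

    def create_file(self, path):
        parent, _, name = path.strip("/").rpartition("/")
        return self._lookup(parent).create_child(name, False)

    def set_acl(self, path, principal, access=None, default=None):
        node = self._lookup(path)
        if access is not None:
            node.access[principal] = set(access)
        if default is not None:
            node.default[principal] = set(default)

    def can_read_file(self, path, principal):
        """Traversal needs X on each directory; the read itself needs R on the file."""
        parts = path.strip("/").split("/")
        node = self.root
        for part in parts[:-1]:
            node = node.children[part]
            if X not in node.access.get(principal, set()):
                return False
        leaf = node.children[parts[-1]]
        return R in leaf.access.get(principal, set())


def scenario(grant_access_execute=True, grant_default_read=True):
    """Replay the question: table ACLs first, then the two candidate grants."""
    sp = "ServicePrincipal1"
    folder2 = "container1/Folder1/Folder2"
    lake = Lake()
    lake.mkdir(folder2)
    lake.set_acl("container1", sp, access=X)           # table: Access - Execute
    lake.set_acl("container1/Folder1", sp, access=X)   # table: Access - Execute
    lake.set_acl(folder2, sp, access=R)                # table: Access - Read
    lake.create_file(folder2 + "/old.csv")             # exists before the new grants

    acc = {R} | ({X} if grant_access_execute else set())
    lake.set_acl(folder2, sp, access=acc, default=R if grant_default_read else None)
    lake.create_file(folder2 + "/new.csv")             # created after the grants

    return {
        "old": lake.can_read_file(folder2 + "/old.csv", sp),
        "new": lake.can_read_file(folder2 + "/new.csv", sp),
    }


if __name__ == "__main__":
    print(scenario())                              # {'old': False, 'new': True}
    print(scenario(grant_access_execute=False))    # new file unreadable: no traversal
    print(scenario(grant_default_read=False))      # new file unreadable: no Read bit
```

Two things the model makes visible that the explanation only states: dropping either grant leaves the newly created file unreadable (no Execute on Folder2 blocks traversal; no Default – Read leaves the file without a Read bit), and a file that already existed when the default ACL was set remains unreadable, because default entries are not applied retroactively. In a real account the equivalent grant is set with the Azure CLI, for example `az storage fs access set` with an ACL spec of the form `user:<object-id>:--x,default:user:<object-id>:r--` on the Folder2 path (the object id is a placeholder); pre-existing files need a recursive ACL update, which the CLI exposes as `az storage fs access update-recursive`.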