
How can teams be granted the least privileges required to access the external database credentials stored in Databricks Utilities Secrets, given that group memberships are correctly mapped between the external database and Databricks and all credentials are properly configured?
A
"Manage" permissions should be set on a secret key mapped to those credentials that will be used by a given team.
B
"Read" permissions should be set on a secret key mapped to those credentials that will be used by a given team.
C
"Read" permissions should be set on a secret scope containing only those credentials that will be used by a given team.
D
"Manage" permissions should be set on a secret scope containing only those credentials that will be used by a given team. No additional configuration is necessary as long as all users are configured as administrators in the workspace where secrets have been added.
Correct answer: C

Explanation:
In Databricks, secret ACLs are applied to a whole secret scope, not to individual keys; there is no per-key permission, so options A and B describe something the platform does not support. The permission levels are READ (read every key in the scope), WRITE (read and write keys) and MANAGE (read, write and change the scope's ACLs). Because READ covers every key in a scope, each team's credential should live in a scope dedicated to that team, and that team's group should be granted READ on it: the group can then call dbutils.secrets.get(scope, key) for its own credential and nothing else. Option D grants MANAGE, which lets the team overwrite credentials and change who else can read them, and making every user a workspace administrator would give all of them MANAGE on every scope in the workspace. Option C is the least-privilege choice. Two caveats when implementing it: the principal that creates a scope is granted MANAGE on it automatically, and workspace admins hold MANAGE on all scopes, so scopes should be created by a dedicated administrative identity rather than by a member of the team.