
Answer-first summary for fast verification
Answer: "Read" permissions should be set on a secret scope containing only those credentials that will be used by a given team.
In Databricks, secret permissions are applied at the scope level, not to individual secrets. To grant minimal access, each team's credential should reside in a dedicated secret scope. Assigning **Read** permissions on the scope allows the team to access their specific secret without granting unnecessary privileges (like **Manage**, which permits modifying the scope). Options A and B incorrectly suggest setting permissions on secret keys, which is not supported. Option D's **Manage** permission is excessive. Option C ensures teams can only read their own credentials in their dedicated scope, aligning with least-privilege principles.
Author: LeetQuiz Editorial Team
How can teams be granted the least privileges required to access the external database credentials stored in Databricks Utilities Secrets, given that group memberships are correctly mapped between the external database and Databricks and all credentials are properly configured?
A. "Manage" permissions should be set on a secret key mapped to those credentials that will be used by a given team.
B. "Read" permissions should be set on a secret key mapped to those credentials that will be used by a given team.
C. "Read" permissions should be set on a secret scope containing only those credentials that will be used by a given team.
D. "Manage" permissions should be set on a secret scope containing only those credentials that will be used by a given team. No additional configuration is necessary as long as all users are configured as administrators in the workspace where secrets have been added.