Microsoft Azure Data Engineer Associate - DP-203

Get started today

Ultimate access to all questions.

Explanation:

Detailed Explanation

Requirements Analysis

The question requires granting permissions to a specific application for a limited time period in Azure Data Lake Storage Gen2. This scenario demands a solution that provides:

Time-bound access control
Application-specific permissions
Secure authentication mechanism

Option Analysis

B. Shared Access Signatures (SAS) - CORRECT

Time-bound access: SAS tokens can be configured with specific start and expiry times, perfectly matching the "limited duration" requirement
Granular permissions: SAS tokens can grant specific permissions (read, write, delete, list) to specific resources
Application integration: SAS tokens can be generated and used by applications programmatically
Security: SAS tokens provide secure, delegated access without exposing account credentials
Best practice: SAS is the recommended approach for providing time-limited access to Azure Storage resources

A. Role assignments - INCORRECT

Role assignments in Azure RBAC are typically persistent and not designed for time-limited access
While time-bound role assignments exist, they are complex to implement and not the optimal solution for application-specific, temporary access

C. Azure Active Directory (Azure AD) identities - INCORRECT

Azure AD identities provide persistent authentication and are not inherently time-bound
While conditional access policies can add time restrictions, this approach is more complex and less direct than SAS for temporary application access

D. Account keys - INCORRECT

Account keys provide full administrative access to the entire storage account
They are persistent and not time-limited
Using account keys violates security best practices as they grant excessive permissions and cannot be restricted to specific time periods

Why SAS is Optimal

Shared Access Signatures are specifically designed for scenarios requiring:

Temporary access delegation
Fine-grained permissions
Secure token-based authentication
Easy integration with applications

The SAS token can be generated with precise start and expiry times, specific permissions, and restricted to particular containers or files, making it the ideal solution for granting time-limited application access to Azure Data Lake Storage Gen2.

Explanation:

Detailed Explanation

Requirements Analysis

The question requires granting permissions to a specific application for a limited time period in Azure Data Lake Storage Gen2. This scenario demands a solution that provides:

Time-bound access control
Application-specific permissions
Secure authentication mechanism

Option Analysis

B. Shared Access Signatures (SAS) - CORRECT

Time-bound access: SAS tokens can be configured with specific start and expiry times, perfectly matching the "limited duration" requirement
Granular permissions: SAS tokens can grant specific permissions (read, write, delete, list) to specific resources
Application integration: SAS tokens can be generated and used by applications programmatically
Security: SAS tokens provide secure, delegated access without exposing account credentials
Best practice: SAS is the recommended approach for providing time-limited access to Azure Storage resources

A. Role assignments - INCORRECT

Role assignments in Azure RBAC are typically persistent and not designed for time-limited access
While time-bound role assignments exist, they are complex to implement and not the optimal solution for application-specific, temporary access

C. Azure Active Directory (Azure AD) identities - INCORRECT

Azure AD identities provide persistent authentication and are not inherently time-bound
While conditional access policies can add time restrictions, this approach is more complex and less direct than SAS for temporary application access

D. Account keys - INCORRECT

Account keys provide full administrative access to the entire storage account
They are persistent and not time-limited
Using account keys violates security best practices as they grant excessive permissions and cannot be restricted to specific time periods

Why SAS is Optimal

Shared Access Signatures are specifically designed for scenarios requiring:

Temporary access delegation
Fine-grained permissions
Secure token-based authentication
Easy integration with applications

Comments (0)

No comments yet.

You are designing an application that uses Azure Data Lake Storage Gen2. You need to recommend a solution to provide a specific application with permissions that are valid only for a limited duration. What should you recommend?

Exam-Like

role assignments

shared access signatures (SAS)

Azure Active Directory (Azure AD) identities

account keys