
Answer-first summary for fast verification
Answer: REFERENCES
## Detailed Explanation

To enable members of Group1 to read CSV files from storage1 using the OPENROWSET function while following the principle of least privilege, the **REFERENCES** permission on credential1 is the correct choice.

### Why REFERENCES is the Optimal Choice:

1. **Credential Usage Requirement**: When using OPENROWSET with external storage, users must have REFERENCES permission on the credential to utilize it for authentication. This permission allows the credential to be referenced in the OPENROWSET statement without granting broader administrative control.
2. **Principle of Least Privilege**: REFERENCES provides the minimal permission needed specifically for credential usage. It doesn't grant the ability to modify, delete, or manage the credential—only to reference it during data access operations.
3. **Authentication Flow**: The credential serves as an authentication mechanism between Azure Synapse Analytics and the storage account. REFERENCES permission enables Group1 members to leverage this pre-configured authentication without requiring storage-level permissions.

### Why Other Options Are Less Suitable:

- **EXECUTE (A)**: This permission is typically used for stored procedures or functions, not for credential usage in OPENROWSET operations. It provides unnecessary privileges that violate the least privilege principle.
- **CONTROL (B)**: This is an administrative-level permission that grants full control over the credential, including modification and deletion capabilities. This significantly exceeds the required permission level and violates the least privilege requirement.
- **SELECT (D)**: While SELECT is needed to actually query data through OPENROWSET, it doesn't address the credential usage requirement. The question specifically focuses on enabling credential usage, not data access permissions.
### Implementation Consideration:

In practice, you would grant REFERENCES permission using T-SQL:

```sql
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::credential1 TO [Group1];
```

This approach ensures Group1 can authenticate to storage1 using credential1 while maintaining strict security boundaries.
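The grant in context, as an added example that is not part of the original explanation: it shows where credential1 is referenced, which grants Group1 ends up with, and how to audit them afterwards. It assumes a Synapse serverless SQL pool database in which credential1 already exists; the data source name `storage1_csv`, the `<container>` placeholder, the `dfs` endpoint and the file path are hypothetical.

```sql
-- Added example. Assumptions: serverless SQL pool database, credential1
-- already created; storage1_csv, <container> and the CSV path are hypothetical.

-- Run as a database administrator.
-- The data source binds the storage location to credential1, so queries
-- name the data source instead of carrying any secret themselves.
CREATE EXTERNAL DATA SOURCE storage1_csv
WITH (
    LOCATION   = 'https://storage1.dfs.core.windows.net/<container>',
    CREDENTIAL = credential1
);

-- Map the Microsoft Entra group to a database user.
CREATE USER [Group1] FROM EXTERNAL PROVIDER;

-- Least privilege on the credential: it can be used, not altered or dropped.
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::credential1 TO [Group1];

-- Using OPENROWSET(BULK ...) is a separate database-level permission.
GRANT ADMINISTER DATABASE BULK OPERATIONS TO [Group1];

-- Run as a member of Group1: read CSV files through the data source.
SELECT TOP 10 *
FROM OPENROWSET(
    BULK 'data/*.csv',
    DATA_SOURCE = 'storage1_csv',
    FORMAT = 'CSV',
    PARSER_VERSION = '2.0',
    HEADER_ROW = TRUE
) AS [r];

-- Audit: list what Group1 holds on credential1. Expect a single GRANT of
-- REFERENCES; a CONTROL or ALTER row means the group is over-privileged.
-- major_id is only unique within a securable class, so check class_desc
-- in the output to confirm the row refers to the credential.
SELECT pr.name AS grantee,
       p.permission_name,
       p.state_desc,
       p.class_desc,
       c.name AS credential_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr
    ON pr.principal_id = p.grantee_principal_id
JOIN sys.database_scoped_credentials AS c
    ON c.credential_id = p.major_id
WHERE pr.name = 'Group1'
  AND c.name = 'credential1';
```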
Author: LeetQuiz Editorial Team
You have an Azure AD tenant that is part of Microsoft Entra. The tenant contains a group named Group1.
You have an Azure subscription containing the following resources:
//IMG//
You need to ensure that members of Group1 can read CSV files from storage1 using the OPENROWSET function. The solution must meet the following requirements:
Which permission should you grant to Group1?

- A. EXECUTE
- B. CONTROL
- C. REFERENCES
- D. SELECT