
Answer-first summary for fast verification
Answer: Grant `READ` permissions on a secret scope containing only the credentials required by that specific team.
To adhere to the principle of least privilege while working with Databricks Secrets, you must understand two key constraints:

1. **ACL Granularity**: Databricks Secret ACLs are applied at the **scope level**, not at the individual secret key level. It is therefore impossible to grant permissions on a specific key within a shared scope.
2. **Permission Levels**:
   * `READ`: Allows users to read the secret using `dbutils.secrets.get()`. This is the minimum required to use the credentials.
   * `MANAGE`: Includes `READ` but also allows users to change ACLs and add or delete secrets within the scope, which violates the 'minimum necessary' requirement.

By placing only a specific team's credentials in a dedicated scope and granting that team's group `READ` access, you provide exactly what it needs to fetch its credentials without exposing other secrets or granting administrative control. Assigning workspace administrator status is a security risk and is never considered a 'minimum access' solution.
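The per-team scope layout described above, as an added example that is not part of the original question or of Databricks' own tooling: one function emits the Secrets REST API calls (scope create, secret put, ACL put with `READ`) for each team group, and a second audits an existing layout against the two constraints, flagging scopes that mix several teams' keys and grants above `READ`. Team names, key names and the `-db-creds` scope suffix are constructed for the example.

```python
"""Plan and audit per-team Databricks secret scopes (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Scope:
    """An existing secret scope as an auditor would see it."""
    name: str
    keys: Dict[str, str] = field(default_factory=dict)   # secret key -> owning team
    acls: Dict[str, str] = field(default_factory=dict)   # principal -> permission


def plan_team_scopes(teams: Dict[str, List[str]]) -> List[Tuple[str, dict]]:
    """Return (endpoint, JSON body) pairs that create one scope per team, store only
    that team's keys in it, and grant the team's group READ on the whole scope.
    `teams` maps a Databricks group name to the keys it owns (constructed input)."""
    calls = []
    for group, keys in teams.items():
        scope = f"{group}-db-creds"                     # hypothetical naming scheme
        calls.append(("POST /api/2.0/secrets/scopes/create", {"scope": scope}))
        for key in keys:
            # Placeholder value; real values never belong in a plan file.
            calls.append(("POST /api/2.0/secrets/put",
                          {"scope": scope, "key": key, "string_value": "<value>"}))
        calls.append(("POST /api/2.0/secrets/acls/put",
                      {"scope": scope, "principal": group, "permission": "READ"}))
    return calls


def audit(scopes: List[Scope], admin_principals: Set[str]) -> List[str]:
    """Flag layouts that break least privilege: ACLs are per scope, so a scope must
    hold one team's keys only, and a team needs no more than READ to call
    dbutils.secrets.get(). Principals in `admin_principals` may hold MANAGE."""
    findings = []
    for s in scopes:
        owners = set(s.keys.values())
        if len(owners) > 1:
            findings.append(f"{s.name}: keys of {sorted(owners)} share one scope; "
                            "scope-level ACLs cannot separate them")
        for principal, perm in s.acls.items():
            if principal not in admin_principals and perm != "READ":
                findings.append(f"{s.name}: {principal} holds {perm}; READ is enough")
    return findings
```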
Author: LeetQuiz Editorial Team
A data engineering team needs to configure connections to an external database that lacks native Databricks support. To maintain security, Databricks user groups have been created for each team. Using the Databricks Utilities (dbutils) Secrets module, what is the best approach to grant each team the minimum necessary access to their specific database credentials?
A. Grant READ permissions on a secret scope containing only the credentials required by that specific team.
B. Grant MANAGE permissions on a secret scope containing only the credentials required by that specific team.
C. Grant READ permissions on an individual secret key associated with the team's credentials.
D. Grant MANAGE permissions on an individual secret key associated with the team's credentials.
E. Assign all users as Workspace Administrators to ensure they have access to any secrets created in the workspace.