Databricks Certified Data Engineer - Professional

Get started today

Ultimate access to all questions.

Explanation:

The principle of least privilege is a cornerstone of secure data engineering. In development and testing environments, users often have elevated rights (such as the ability to execute arbitrary code). Granting these users write or admin access to production data creates a high risk of accidental or malicious data modification.

Why Option A is the Best Practice:

Least-Privilege Access: Restricting dev/test environments to read-only access for production data prevents unintended modifications while still allowing for high-fidelity testing.
Environment Isolation: Keeping development, test, and production in separate databases or catalogs ensures that schema experimentation or CI/CD processes in one environment cannot impact another.
Safe Data Provisioning: When 'realistic' data is required, best practices suggest using read-only clones, governed snapshots, or Delta Sharing to provide production-scale data without exposing write paths.

Why other options fail:

Option B: While Delta Lake time travel provides a safety net, it is not a substitute for access control. It adds operational complexity and does not prevent unauthorized data exposure.
Option C: A single workspace merges security boundaries, making it nearly impossible to enforce granular governance and increasing the blast radius of a single error.
Option D: Credential passthrough only enforces storage-level permissions. If a user is an admin in a dev workspace and that workspace is mounted to production storage, they effectively gain admin control over production data.

Explanation:

Why Option A is the Best Practice:

Least-Privilege Access: Restricting dev/test environments to read-only access for production data prevents unintended modifications while still allowing for high-fidelity testing.
Environment Isolation: Keeping development, test, and production in separate databases or catalogs ensures that schema experimentation or CI/CD processes in one environment cannot impact another.
Safe Data Provisioning: When 'realistic' data is required, best practices suggest using read-only clones, governed snapshots, or Delta Sharing to provide production-scale data without exposing write paths.

Why other options fail:

Option B: While Delta Lake time travel provides a safety net, it is not a substitute for access control. It adds operational complexity and does not prevent unauthorized data exposure.
Option C: A single workspace merges security boundaries, making it nearly impossible to enforce granular governance and increasing the blast radius of a single error.
Option D: Credential passthrough only enforces storage-level permissions. If a user is an admin in a dev workspace and that workspace is mounted to production storage, they effectively gain admin control over production data.

Comments (0)

No comments yet.

A data engineering team is establishing development, testing, and production environments for a new pipeline. To ensure high-quality testing of both code and output, they aim to use data that closely mirrors the production environment. A junior engineer suggests mounting production data directly to the development and testing environments, where users currently have administrative privileges. Which statement describes the best practice for managing this scenario?

Real Exam

Last updated: January 6, 2026 at 15:43

In environments where interactive code is executed, production data should be accessible via read-only permissions; isolating databases or catalogs for each environment further mitigates operational risks.

61.1%

Delta Lake’s support for versioning and time travel ensures that production data cannot be permanently lost due to user error, making it generally safe to mount production data in development environments.

16.7%