Databricks Certified Data Engineer - Associate

Get started today

Ultimate access to all questions.

The data engineering team has been tasked with configuring connections to an external database that does not have a supported native connector with Databricks. The external database already has data security configured by group membership. These groups map directly to user groups already created in Databricks that represent various teams within the company.

A new login credential has been created for each group in the external database. The Databricks Utilities Secrets module will be used to make these credentials available to Databricks users.

Assuming that all the credentials are configured correctly on the external database and group membership is properly configured on Databricks, which statement describes how teams can be granted the minimum necessary access to using these credentials?

Real Exam

Community

KKeng

Last updated: January 13, 2026 at 09:03

"Manage" permissions should be set on a secret key mapped to those credentials that will be used by a given team.

"Read" permissions should be set on a secret key mapped to those credentials that will be used by a given team.

"Read" permissions should be set on a secret scope containing only those credentials that will be used by a given team.

"Manage" permissions should be set on a secret scope containing only those credentials that will be used by a given team. No additional configuration is necessary as long as all users are configured as administrators in the workspace where secrets have been added.

Explanation:

Explanation

Correct Answer: C - "Read" permissions should be set on a secret scope containing only those credentials that will be used by a given team.

Why this is correct:

Principle of Least Privilege: Teams should only have access to the credentials they need, not all credentials. By creating separate secret scopes for each team's credentials, you can isolate access appropriately.
Secret Scope vs Secret Key Permissions:
- Secret Scope level: Controls who can read secrets within that scope
- Secret Key level: Controls who can read individual secrets within a scope
Since each team needs access to their specific credentials only, creating separate scopes with "Read" permissions for each team is the most secure approach.
Why not "Manage" permissions: "Manage" permissions allow users to modify or delete secrets, which is unnecessary for simply using credentials to connect to an external database. Teams only need "Read" access to retrieve the credentials.
Why not secret key-level permissions: While you could set permissions at the secret key level within a shared scope, this is less secure because:
- Users could potentially see what other secrets exist in the scope (even if they can't read them)
- Scope-level isolation provides better security boundaries
- It's easier to manage and audit when each team has its own scope
Why not the last option: The statement "No additional configuration is necessary as long as all users are configured as administrators" is incorrect because:
- Making all users administrators violates the principle of least privilege
- Administrators have broad access to all workspace resources, which is unnecessary and insecure
- It doesn't provide the minimum necessary access required

Best Practice Implementation:

Create separate secret scopes for each team (e.g., team-a-credentials, team-b-credentials)
Store each team's database credentials in their respective scope
Grant "Read" permissions on each scope to the corresponding Databricks group
Teams can then use dbutils.secrets.get() to retrieve their credentials when connecting to the external database

This approach ensures each team has access only to their own credentials while maintaining security and auditability.

Powered ByGPT-5.2

Comments

Loading comments...