Data Engineer Associate · 9% of the exam

Data governance: free practice questions

5 sample questions from our 23-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Databricks exam.

1. A data engineer needs to audit which users accessed a specific Unity Catalog table over the past 7 days. They want to query this information programmatically using SQL inside a Databricks notebook. Which is the correct approach?

  • A. Query the `system.access.audit` table in the Unity Catalog system schema, filtering by event_type and table name.✓ Correct
  • B. Run DESCRIBE HISTORY on the target table — it contains user access records in addition to write operations.
  • C. Use the Databricks REST API endpoint /api/2.0/unity-catalog/audit-logs to retrieve access events.
  • D. Enable Spark event logging on the cluster and parse the Spark UI event log files stored in DBFS.
Explanation

Unity Catalog exposes audit log data through the system schema — specifically the `system.access.audit` table — which can be queried with SQL to see who accessed which objects and when. This is the correct, SQL-native approach for programmatic audit querying inside a notebook. Option B is incorrect: DESCRIBE HISTORY on a Delta table shows DML/DDL operation history (writes, schema changes, etc.) and does not record read access events. Option C references a REST API endpoint that does not exist in the Databricks API surface for Unity Catalog audit data. Option D describes cluster-level Spark event logs, which capture Spark job execution details — not Unity Catalog table-level access auditing.

2. A data platform team has the following Unity Catalog privilege grants in place: - `analysts` group: USE CATALOG on `prod`, USE SCHEMA on `prod.sales`, SELECT on `prod.sales.orders` - `junior_analyst` user (member of `analysts`): REVOKE SELECT ON TABLE prod.sales.orders A junior_analyst runs: SELECT * FROM prod.sales.orders What is the result?

  • A. The query succeeds because group-level grants take precedence over user-level revokes in Unity Catalog.
  • B. The query fails because the REVOKE removes the SELECT privilege for junior_analyst, and Unity Catalog privilege evaluation is deny-wins when an explicit REVOKE exists for the user.✓ Correct
  • C. The query fails because revoking SELECT also implicitly revokes USE SCHEMA for the user.
  • D. The query succeeds because REVOKE on a table only affects future sessions, not the current one.
Explanation

In Unity Catalog, an explicit REVOKE on a specific user overrides privileges inherited from group membership. Unity Catalog uses a deny-wins model when an explicit privilege is revoked at the user level — the junior_analyst cannot use the SELECT privilege even though their group `analysts` has it. Option A is incorrect: group grants do NOT override explicit user-level revokes in Unity Catalog. Option C is incorrect: revoking SELECT on a table does not cascade to revoke USE SCHEMA — those are separate, independently managed privileges. Option D is incorrect: privilege changes in Unity Catalog take effect immediately for new queries; there is no session-persistence grace period for explicit revokes.

3. A data engineer owns the schema `silver.cleaned` and wants another engineer to be able to grant privileges on tables within that schema to other users, without making them the schema owner. Which privilege should be granted?

  • A. GRANT MANAGE ON SCHEMA silver.cleaned TO `senior_engineer`✓ Correct
  • B. GRANT ALL PRIVILEGES ON SCHEMA silver.cleaned TO `senior_engineer`
  • C. GRANT MODIFY ON SCHEMA silver.cleaned TO `senior_engineer`
  • D. GRANT DELEGATE ON SCHEMA silver.cleaned TO `senior_engineer`
Explanation

The MANAGE privilege in Unity Catalog allows a principal to grant and revoke privileges on a securable object without needing to be the owner. This is the correct privilege for delegating grant authority. Option B (ALL PRIVILEGES) grants all data-access privileges like SELECT, MODIFY, CREATE TABLE, etc., but does NOT include the ability to manage grants — that still requires MANAGE or ownership. Option C (MODIFY) only allows inserting, updating, and deleting data — it has nothing to do with granting privileges. Option D (DELEGATE) is not a valid Unity Catalog privilege.

4. Which of the following statements about Unity Catalog managed tables and external tables are correct? (Select TWO)

  • A. For a managed table, Databricks controls the full lifecycle of the data files, including deletion when the table is dropped.✓ Correct
  • B. External tables can be created pointing to any cloud storage path without registering an external location, as long as the cluster has the correct IAM role.
  • C. Both managed and external tables support ACID transactions via the Delta Lake format by default in Unity Catalog.
  • D. Managed tables store data in the metastore's root storage location or the catalog/schema's default storage location.✓ Correct
  • E. When an external table is dropped, the associated external location credential is also automatically deleted.
Explanation

Option A is correct: Unity Catalog fully manages the lifecycle of data files for managed tables — dropping the table deletes the underlying data. Option D is correct: managed table data is stored in the metastore root storage (or catalog/schema-level storage if configured), which is managed by Databricks. Option B is incorrect: Unity Catalog requires an external location (backed by a storage credential) to be registered before an external table can point to that path — raw IAM role access on the cluster alone is not sufficient with Unity Catalog's governance model. Option C is partially misleading: while Unity Catalog tables are Delta by default, external tables can technically reference non-Delta formats; the statement that both 'support ACID by default' is overstated for external tables. Option E is incorrect: dropping an external table removes only the metadata entry in the metastore; the storage credential and external location registration are completely unaffected.

5. A Unity Catalog table is created with the following statement: CREATE TABLE main.finance.budgets (dept STRING, amount DOUBLE) LOCATION 'abfss://container@storage.dfs.core.windows.net/budgets'; A data engineer later runs DROP TABLE main.finance.budgets. What happens?

  • A. The table metadata is removed from the metastore, and the data files at the specified LOCATION are also deleted.
  • B. The table metadata is removed from the metastore, but the data files at the specified LOCATION remain intact.✓ Correct
  • C. The DROP TABLE command fails because tables with an explicit LOCATION cannot be dropped without CASCADE.
  • D. The table is moved to a 'trash' location and can be restored with UNDROP TABLE within 30 days.
Explanation

Because the CREATE TABLE statement specifies an explicit LOCATION, this table is an external table in Unity Catalog. When an external table is dropped, Unity Catalog removes only the metadata from the metastore; it does NOT delete the underlying data files at the external location. This is in contrast to managed tables, where both metadata and data files are deleted on DROP. Option A describes the behavior for managed tables, not external tables. Option C is incorrect — no CASCADE is required to drop an external table. Option D describes a recycle-bin feature that does not exist for standard external table drops in Unity Catalog.

18 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free