Data Engineer Professional · 10% of the exam

Security and Governance: free practice questions

5 sample questions from our 25-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Databricks exam.

1. A data governance team wants to classify sensitive columns across all tables in a Unity Catalog metastore by attaching metadata labels such as `PII`, `CONFIDENTIAL`, and `INTERNAL`. Later, they need to programmatically discover all columns tagged `PII`. Which Unity Catalog capability supports this workflow?

  • A. Delta Lake column comments set via `ALTER TABLE ... ALTER COLUMN ... COMMENT`.
  • B. Unity Catalog system table `SYSTEM.INFORMATION_SCHEMA.COLUMNS` filtered on the `COMMENT` field.
  • C. Unity Catalog tags applied via `ALTER TABLE ... ALTER COLUMN ... SET TAGS` and queried through `SYSTEM.INFORMATION_SCHEMA.COLUMN_TAGS`.✓ Correct
  • D. Databricks lakehouse monitoring profiles attached to each table with a sensitivity classification field.
Explanation

Unity Catalog supports **tags** (key-value metadata) on catalog objects including columns. You apply them with `ALTER TABLE <t> ALTER COLUMN <c> SET TAGS ('classification' = 'PII')` and then discover tagged columns by querying `SYSTEM.INFORMATION_SCHEMA.COLUMN_TAGS`. **Option A** (column comments) are free-text annotations with no structured discovery mechanism — you cannot reliably filter or enforce them. **Option B** filtering `COMMENT` fields is fragile, unstructured, and not the intended governance mechanism; comments are not indexed or queryable as tags. **Option D** describes Databricks Lakehouse Monitoring, which produces data quality metrics and statistics — it has no sensitivity classification field and is unrelated to metadata tagging.

2. A data team uses Unity Catalog and wants to implement row-level security on a table `sales.orders` so that each sales representative can only see orders assigned to their own `rep_id`. The `rep_id` of the current user is stored in a mapping table `security.rep_mapping (username STRING, rep_id STRING)`. What is the correct approach to implement this using a row filter?

  • A. Create a row filter function that joins `security.rep_mapping` on `current_user()` and returns TRUE only when the row's `rep_id` matches; apply it with `ALTER TABLE sales.orders SET ROW FILTER`.✓ Correct
  • B. Create a view over `sales.orders` that filters `WHERE rep_id = (SELECT rep_id FROM security.rep_mapping WHERE username = current_user())` and grant SELECT on the view instead of the base table.
  • C. Use Dynamic Views with `current_user()` in the WHERE clause applied directly to the table definition in Unity Catalog's table properties.
  • D. Apply a column mask on the `rep_id` column that returns `NULL` for rows that don't belong to the current user, which will effectively hide those rows.
Explanation

Option A is correct. Unity Catalog's native row filter feature (GA in DBR 12.2+) allows creating a SQL function that returns a BOOLEAN and applying it to a table with `ALTER TABLE ... SET ROW FILTER func ON (column)`. The function can reference other tables (like a mapping table) and use `current_user()` or `IS_ACCOUNT_GROUP_MEMBER()` to make it session-aware. This is the recommended, governed approach for row-level security in Unity Catalog. Option B is incorrect: While a view-based approach is a valid workaround (and was the pre-Unity-Catalog pattern), it is not a row filter. It also requires removing direct table access for users and managing an additional object. The question asks for the correct row filter approach, which is the native Unity Catalog feature. Option C is incorrect: 'Dynamic Views' with WHERE clauses in table properties is not a Unity Catalog feature. Dynamic Views are a Hive metastore pattern. Unity Catalog uses row filter functions applied via DDL. Option D is incorrect: Column masks control the visibility of column values, not entire rows. Masking the `rep_id` to NULL would not hide the row — it would simply display NULL for that column while still showing all rows to all users, which is not the desired behavior.

3. A Databricks workspace is deployed inside a customer-managed VNet (Azure) with no public internet access. Developers report that they cannot connect to the workspace UI or API from the corporate network. A network engineer suggests enabling Azure Private Link. Which TWO statements correctly describe the effect of enabling Private Link for a Databricks workspace?

  • A. Private Link routes workspace UI and REST API traffic from the corporate network through a private endpoint in the customer VNet, eliminating exposure over the public internet.✓ Correct
  • B. Private Link automatically encrypts data at rest in DBFS using customer-managed keys (CMK).
  • C. The back-end (data plane to control plane) connection from cluster nodes can also be routed through a private endpoint, replacing the default public control-plane connection.✓ Correct
  • D. Enabling Private Link removes the need for Network Security Group (NSG) rules because all traffic is inherently private.
  • E. Private Link requires the workspace to be in the Premium tier and uses a dedicated subnet separate from the cluster subnet.
Explanation

**Option A** is correct: the front-end Private Link endpoint exposes the workspace UI and REST API on a private IP within the customer VNet, so traffic never traverses the public internet. **Option C** is correct: Databricks also supports a back-end Private Link endpoint that routes control-plane-to-data-plane (and data-plane-to-control-plane) traffic privately, which is important for environments requiring full network isolation. **Option B** is wrong: Private Link is a network-layer feature; data-at-rest encryption with CMK is a separate, independent capability configured through key vault integration. **Option D** is wrong: NSG rules are still required to control intra-VNet traffic and to restrict outbound access from cluster nodes — Private Link does not replace NSG policy. **Option E** is partially misleading: while Premium tier is required for many security features, Private Link does use a dedicated subnet for its endpoints, but framing it as a single combined requirement in this way conflates distinct configuration steps.

4. A security engineer needs to audit all `SELECT` queries run against a specific Unity Catalog table named `catalog1.finance.transactions` over the past 30 days. Where should the engineer look, and what filter should be applied?

  • A. Query `SYSTEM.ACCESS.AUDIT` filtering on `action_name = 'commandSubmit'` and scanning `request_params` for the table name.✓ Correct
  • B. Query `SYSTEM.ACCESS.AUDIT` filtering on `action_name = 'select'` and `request_params.table_full_name = 'catalog1.finance.transactions'`.
  • C. Query `SYSTEM.ACCESS.AUDIT` filtering on `service_name = 'unityCatalog'` and `action_name = 'generateTemporaryTableCredential'` joined with `request_params.table_id`.
  • D. Query workspace-level audit logs in the storage account directly, filtering JSON records where `serviceName = 'databricks'` and parsing SQL text for the table name.
Explanation

In Databricks audit logging, SQL query execution events are captured under `action_name = 'commandSubmit'` (or `runCommand` for Jobs), and the SQL text (including the queried table) is embedded in `request_params`. Filtering on `commandSubmit` and then inspecting `request_params` for the table name is the correct approach for finding SELECT activity. **Option B** is wrong because `action_name = 'select'` is not a valid Unity Catalog audit event name — Unity Catalog data-access events for credential generation use different action names. **Option C** describes the `generateTemporaryTableCredential` action, which is fired when short-lived credentials are vended for cloud storage access — it reflects credential issuance, not every SELECT query, and joining on `table_id` is complex and incomplete. **Option D** (parsing raw workspace storage logs) is outdated — `SYSTEM.ACCESS.AUDIT` is the governed, SQL-queryable surface for audit data and is preferred over raw JSON log parsing.

5. An organization's security team discovers that a Databricks workspace has IP access lists enabled. A developer reports they can no longer connect to the workspace from a new corporate office with IP range `203.0.113.0/24`. The current IP allowlist contains only `198.51.100.0/24`. The security team wants to add the new range without removing any existing entries and without using the UI. Which REST API call correctly adds the new IP range while preserving the existing allowlist entry?

  • A. Send a `PUT` request to `/api/2.0/ip-access-lists/{list_id}` with a body containing only `{"ip_addresses": ["203.0.113.0/24"]}` — the API merges new entries with existing ones automatically.
  • B. Send a `POST` request to `/api/2.0/ip-access-lists` to create a second ALLOW list containing `203.0.113.0/24`; multiple ALLOW lists are supported and their entries are unioned.
  • C. Send a `PUT` request to `/api/2.0/ip-access-lists/{list_id}` with a body that includes BOTH `198.51.100.0/24` AND `203.0.113.0/24`, because `PUT` replaces the entire list.✓ Correct
  • D. Send a `PATCH` request to `/api/2.0/ip-access-lists/{list_id}` with only `{"ip_addresses": ["203.0.113.0/24"]}` — `PATCH` appends to existing entries without requiring the full list.
Explanation

Option C is correct. The Databricks IP Access Lists API uses `PUT` semantics for updating a list, which means the entire list of IP addresses is replaced with whatever is provided in the request body. To preserve the existing `198.51.100.0/24` entry, the PUT body must include both CIDR ranges. Option A is incorrect: The `PUT` endpoint does not merge — it replaces. Sending only the new range would remove the existing `198.51.100.0/24` entry, potentially locking out users at the original office. Option B is incorrect: While Databricks does support multiple IP access lists, creating a second ALLOW list is an unnecessarily complex approach and could cause management confusion. The standard practice is to update the existing list. More importantly, this option would work functionally but is not the best/correct approach compared to C. Option D is incorrect: The Databricks IP Access Lists API does not expose a `PATCH` method for appending entries. The supported update verb is `PUT`, which always replaces the full list.

20 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free