1. A Fabric administrator at Southridge Video is implementing security for a warehouse. The requirement is that members of the 'Finance' role should not be able to see the 'SalaryAmount' and 'BonusAmount' columns in the 'EmployeeCompensation' table, but should be able to query all other columns in that table. Which security mechanism should be implemented directly on the Fabric Warehouse to satisfy this requirement?
- A. Row-level security (RLS) with a DAX filter that excludes salary rows
- B. Column-level security (CLS) using T-SQL GRANT and DENY permissions on the specific columns✓ Correct
- C. Object-level security (OLS) configured on the semantic model built on top of the warehouse
- D. A workspace role assignment that restricts Viewer access to the Finance group
Explanation
Column-level security on a Fabric Warehouse is implemented using T-SQL GRANT/DENY statements on specific columns (e.g., DENY SELECT ON EmployeeCompensation (SalaryAmount, BonusAmount) TO [FinanceRole]). This restricts column access at the warehouse engine level. Row-level security (Option A) restricts which rows are visible based on a predicate, not which columns — it does not address column visibility. Object-level security (Option C) is a semantic model–layer feature that hides tables or columns from the model perspective; it does not enforce security at the warehouse storage/query engine level, so users with direct warehouse access would bypass it. Workspace role assignment (Option D) controls whether users can access the workspace and its items, but does not restrict specific columns within a table.