Data Engineering with Azure Databricks · 17% of the exam

Secure and govern Unity Catalog objects: free practice questions

5 sample questions from our 43-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Microsoft exam.

1. A company uses Unity Catalog and wants to share a managed Delta table `analytics.monthly_revenue` with a partner organization that uses a non-Databricks query engine. The partner should receive near-real-time updates but must NOT be able to access the underlying cloud storage directly. Which Delta Sharing configuration satisfies these requirements?

  • A. Create a Delta Sharing share, add the table with `history_sharing_enabled = true`, and distribute a recipient token to the partner
  • B. Create a Delta Sharing share, add the table without enabling CDF/history sharing, create a recipient using the open sharing protocol, and share the activation link✓ Correct
  • C. Grant the partner's service principal direct SELECT privilege on `analytics.monthly_revenue` via Unity Catalog
  • D. Export the table as a Parquet snapshot to Azure Blob Storage and provide the partner with a SAS token
Explanation

The open Delta Sharing protocol allows non-Databricks consumers to access shared data without any access to the underlying cloud storage — all data access goes through the Databricks sharing server, which enforces access control. Creating a recipient via open sharing and distributing an activation link (bearer token credential file) is the correct approach. Option A describes Databricks-to-Databricks sharing with history enabled, and while valid, history sharing is not required for near-real-time updates and is more permissive than needed. Option C would require the partner to authenticate to the Databricks workspace directly, which is not suited for a non-Databricks consumer. Option D exposes the underlying storage directly to the partner via a SAS token, violating the requirement.

2. An organization wants to enforce column-level access control on a Unity Catalog table `customer_data.profiles`. Analysts in the `marketing` group should be able to query all columns EXCEPT `ssn` and `date_of_birth`. What is the recommended Unity Catalog approach?

  • A. Create a view over `customer_data.profiles` that excludes `ssn` and `date_of_birth`, grant SELECT on the view to `marketing`, and revoke SELECT on the base table
  • B. Apply column masks using a masking policy function on `ssn` and `date_of_birth` that returns NULL for principals in the `marketing` group✓ Correct
  • C. Use DENY SELECT on `ssn` and `date_of_birth` at the column level for the `marketing` group
  • D. Partition the table by sensitive columns and restrict partition-level access for the `marketing` group
Explanation

Unity Catalog supports native column masks via masking policy functions. A masking function can evaluate the current user's group membership and return NULL (or a redacted value) for members of `marketing`, while returning the real value for privileged users — this is the recommended, scalable approach. Option A (view-based approach) is a valid workaround but is not the recommended Unity Catalog-native method and becomes brittle as the number of consumer groups grows. Option C is incorrect because Unity Catalog does not support DENY commands; it uses a grant-only model. Option D (partition-based restriction) is not a supported access control mechanism in Unity Catalog.

3. An organization tags all Unity Catalog tables containing PII data with the tag `sensitivity = 'PII'`. A policy is then created so that only members of the `pii_approved` group can query tables bearing this tag. This is an example of which access control paradigm?

  • A. Role-Based Access Control (RBAC)
  • B. Discretionary Access Control (DAC)
  • C. Attribute-Based Access Control (ABAC)✓ Correct
  • D. Mandatory Access Control (MAC)
Explanation

Attribute-Based Access Control (ABAC) grants or denies access based on attributes (tags) attached to resources (tables), subjects (users/groups), or the environment. In this scenario, the tag `sensitivity = 'PII'` is the attribute driving the access decision, which is the defining characteristic of ABAC. Option A (RBAC) bases access decisions solely on role membership without consideration of resource attributes. Option B (DAC) allows object owners to grant access at their discretion. Option D (MAC) is a stricter model using security labels enforced by a central authority, commonly used in government/military systems, and is not how Unity Catalog tag-based policies work.

4. An organization uses Azure Databricks with Unity Catalog. A new ETL pipeline requires a service principal to read from an external Azure Data Lake Storage Gen2 (ADLS Gen2) container and write results to a managed Unity Catalog table. The security team mandates that no static credentials (client secrets or SAS tokens) should be used. Which authentication approach should be configured?

  • A. Store the storage account access key in a Databricks secret scope and reference it in a Spark configuration on the cluster
  • B. Assign a managed identity to the Databricks access connector, grant the managed identity Storage Blob Data Contributor on the ADLS Gen2 container, and reference the access connector in a Unity Catalog external location or storage credential✓ Correct
  • C. Use the service principal's client ID and client secret stored as environment variables on the cluster to authenticate to ADLS Gen2
  • D. Configure the Databricks workspace with a shared access signature (SAS) token stored in an Azure Key Vault-backed secret scope
Explanation

Azure Databricks access connectors support managed identity authentication, which eliminates the need for any static credentials. By assigning a managed identity to the access connector and granting it the appropriate RBAC role on the ADLS Gen2 container, then referencing the access connector in a Unity Catalog storage credential or external location, the pipeline authenticates using Azure's identity platform with no secrets involved. Storing a storage account access key in a secret scope uses a static credential (the access key), which violates the no-static-credentials mandate. Using a client secret as an environment variable is both a static credential and an insecure practice, as environment variables can be read by cluster users. A SAS token is a static credential with a time-bounded signature; even stored in Key Vault, it is still a static secret and violates the mandate.

5. A security team discovers that a Unity Catalog external table `raw.sensor_data` was dropped two weeks ago, but they need to investigate who dropped it. Audit logging was enabled at the time. Where should they look, and what `action_name` value should they filter on?

  • A. Query `system.access.audit` and filter for `action_name = 'dropTable'`✓ Correct
  • B. Query `system.access.audit` and filter for `action_name = 'deleteTable'`
  • C. Check the Azure Monitor Activity Log in the Azure portal and filter for 'Delete' operations on the Databricks resource
  • D. Query `information_schema.table_history` in the catalog for the drop event
Explanation

The Unity Catalog system table `system.access.audit` logs metastore operations. The `action_name` value for dropping a table is `dropTable`. This is the correct Unity Catalog-native approach to audit who performed a DDL operation. Option B uses `deleteTable` which is not the correct action name in Unity Catalog audit logs. Option C (Azure Monitor Activity Log) captures Azure resource-level operations on the Databricks workspace resource itself, not Unity Catalog metastore DDL events. Option D is incorrect — `information_schema.table_history` does not exist as a Unity Catalog system view; Delta table history (`DESCRIBE HISTORY`) tracks DML but does not capture who dropped the table after the fact.

38 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free