BenchMark Quizzes by MDFT Pro

Grant Write Access Without PII Exposure

You work as a Data Privacy Officer for Mark at MDFT Pro, a well-known training agency. MDFT Pro operates a Fabric workspace named Workspace1 that contains a lakehouse named Lakehouse1. This lakehouse stores three critical tables: Orders, Customer, and Employee. The Employee table contains Personally Identifiable Information (PII) that must be protected according to data privacy regulations. Claire, a data engineer at MDFT Pro, is building a workflow that requires writing data to the Customer table to update student enrollment information. However, company policy dictates that Claire should not have access to view the contents of the Employee table due to the sensitive PII it contains.

What three actions should you perform to ensure Claire can write data to the Customer table without being able to read data from the Employee table?

Choose all correct answers from the options below.

Explanations for each answer:

Share Lakehouse1 with the data engineer is correct. Sharing the lakehouse with the data engineer provides them with access to the lakehouse while allowing you to control permissions at the table level through additional configurations.
Assign the data engineer the Contributor role for Workspace2 is correct. The Contributor role in Workspace2 allows the data engineer to work with resources in that workspace, which is necessary after migrating the Employee table to separate the PII data.
Assign the data engineer the Viewer role for Workspace2 is incorrect. The Viewer role only provides read access and would not allow the data engineer to perform write operations on tables in Workspace2.
Assign the data engineer the Contributor role for Workspace1 is incorrect. The Contributor role for Workspace1 would grant too much access, potentially allowing the data engineer to read from the Employee table which contains PII that they should not access.
Migrate the Employee table from Lakehouse1 to Lakehouse2 is correct. Moving the Employee table to a separate lakehouse isolates the PII data, ensuring the data engineer cannot access it while still being able to work with the Customer and Orders tables in Lakehouse1.
Create a new workspace named Workspace2 that contains a new lakehouse named Lakehouse2 is incorrect. While creating a new workspace and lakehouse is part of the isolation strategy, this alone doesn't solve the access control problem without migrating the Employee table and assigning appropriate roles.
Assign the data engineer the Viewer role for Workspace1 is incorrect. The Viewer role only grants read permissions and would not allow the data engineer to write data to the Customer table as required.

Learn more about Fabric lakehouse sharing and security:

Lakehouse Sharing And Security

Practice Exam

Grant Write Access Without PII Exposure

Discuss this question on social media: