BenchMark Quizzes by MDFT Pro

Isolate PII Data With Workspace Separation

You work as a Security Architect for Mark at MDFT Pro, a well-known training agency. MDFT Pro operates a Fabric workspace named Workspace1 that contains a lakehouse named Lakehouse1. This lakehouse stores three critical tables: Orders, Customer, and Employee. The Employee table contains Personally Identifiable Information (PII) including social security numbers, home addresses, and salary information that must be protected according to data privacy regulations. Claire, a data engineer at MDFT Pro, is building a workflow that requires writing enrollment updates to the Customer table. However, company security policy strictly prohibits Claire from having access to view the contents of the Employee table due to the sensitive PII it contains. Mark has asked you to implement a security solution that allows Claire to write data to the Customer table while ensuring she cannot read any data from the Employee table.

Which three actions should you perform?

Choose all correct answers from the options below.

Explanations for each answer:

Share Lakehouse1 with the data engineer is incorrect. Sharing Lakehouse1 would grant access to all tables including the Employee table with PII, which violates the security requirement that the data engineer should not be able to view the Employee table contents.
Assign the data engineer the Contributor role for Workspace2 is incorrect. While the Contributor role is appropriate for write access, without creating Workspace2 and migrating the Employee table first, this action alone doesn't solve the isolation problem.
Assign the data engineer the Viewer role for Workspace2 is incorrect. The Viewer role only provides read-only access and would not allow the data engineer to write data to the Customer table as required.
Assign the data engineer the Contributor role for Workspace1 is correct. The Contributor role in Workspace1 allows the data engineer to work with tables in Lakehouse1 after the Employee table has been moved to a separate workspace, providing necessary write permissions to the Customer table.
Migrate the Employee table from Lakehouse1 to Lakehouse2 is correct. Moving the Employee table containing PII to a separate lakehouse (Lakehouse2) physically isolates the sensitive data, ensuring the data engineer cannot access it while working in Lakehouse1.
Create a new workspace named Workspace2 that contains a new lakehouse named Lakehouse2 is correct. Creating a separate workspace and lakehouse provides the infrastructure needed to isolate the PII data. The Employee table can be migrated here, and access can be restricted independently from Workspace1.
Assign the data engineer the Viewer role for Workspace1 is incorrect. The Viewer role only grants read permissions and would not allow the data engineer to write data to the Customer table as required by the workflow.

Learn more about Fabric workspace and lakehouse security:

Workspace And Lakehouse Security

Practice Exam

Isolate PII Data With Workspace Separation

Discuss this question on social media: