Exam AZ-500 topic 1 question 12 discussion

Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]

Answer is Wrong.... Correct answer is D AcrPull

Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles

Answer: D, AcrPull Reason: AcrPull role provides minimum required permissions to pull/download images from Azure Container Registry while following the principle of least privilege. Reader, Contributor, and AcrDelete either provide insufficient or excessive permissions. Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles

Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]

Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]

Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for. [Ref. https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli]

Question gives the condition, "The role assigned should not require more privileges than necessary." Therefore, D (Acrpull) is CORRECT because it provides the least number of permissions required for downloading images from a Container Registry. Answer A (Reader): provides at least two (2) permissions, which would be one (1) more than Acrpull allows for.

The role that should be assigned to allow for the downloading of images from the Azure Container Registry without granting unnecessary privileges is "AcrPull". The AcrPull role provides read-only permissions to pull images from the registry. This role is the minimum required permission to pull an image. It does not allow pushing or modifying images or managing the registry itself. The other options are not the best fit for this scenario: The Reader role provides read-only access to all resources within a resource group, which includes the container registry. However, this role is too broad and provides more access than needed for just pulling images. The Contributor role provides the ability to manage all aspects of a resource, including creating, modifying, and deleting. This role is more permissions than are necessary for just pulling images. The AcrDelete role provides the ability to delete repositories and images from the registry. This role is more permissions than are necessary for just pulling images.

Wrong answer. Correct answer is D - AcrPull. Viewing the available images in the registry is not enough, you actually have to be able to download (pull) them.

The role you should assign is AcrPull because it specifically grants the ability to pull (download) images from the Azure Container Registry, which is the required permission for the user. Assigning the Reader role would provide broader access than necessary, as it includes permissions beyond image pulling. Similarly, assigning the Contributor role would grant excessive privileges, as it includes permissions for creating, deleting, and modifying resources, which are not required for simply downloading images. The AcrDelete role is also not suitable, as it specifically grants permission to delete image data from the registry, which is not needed for the task described. Therefore, AcrPull is the most appropriate role that meets the requirement of allowing image downloading without granting unnecessary privileges. https://learn.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles?tabs=azure-cli

Clearly stated in the reference

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli D. Arc Pull Since Reader has more access than necessary

Following and article from Microsoft, ArcPull role will provide the least privilege access: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli

Answer is ARCPULL Arcpull can only pull and image Reader can access access Resource Manager and PULL Least access is ArcPull case closed!!!

Most certainly agreed with the above statements. Unless proven otherwise, the answer D is correct as pert MS documentation.

D. ArcPull