Exam DP-203 topic 3 question 25 discussion

Actual exam question from Microsoft's DP-203
Question #: 25
Topic #: 3

You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant that contains a service principal named ServicePrincipal1. The subscription contains an Azure Data Lake Storage account named adls1. Adls1 contains a folder named Folder2 that has a URI of https://adls1.dfs.core.windows.net/container1/Folder1/Folder2/.
ServicePrincipal1 has the access control list (ACL) permissions shown in the following table.

You need to ensure that ServicePrincipal1 can perform the following actions:
✑ Traverse child items that are created in Folder2.
✑ Read files that are created in Folder2.
The solution must use the principle of least privilege.
Which two permissions should you grant to ServicePrincipal1 for Folder2? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Access – Read
  • B. Access – Write
  • C. Access – Execute
  • D. Default – Read
  • E. Default – Write
  • F. Default – Execute
Suggested Answer: CD

Comments

kl8585
Highly Voted 2 years, 5 months ago
Selected Answer: CD
Phrased differently, the question for me says: if you create "Folder3" inside Folder2, you should be able to read files created in Folder3. This means that you for sure need Execute and Read permissions to Folder2 (Execute to traverse child folder, Read to read the files). Now, starting from the least privilege, suppose you give "Access" permission both for read and execute. In this case, you can't read files created in Folder3. This is a requirement ("child items that are created in Folder2"), so you need Default Read access. You don't need Default Execute, otherwise you would have access to a Folder created in Folder3 (say Folder 4) and this is not required, so for the least privilege you must give Access Execute and not Default Execute.
upvoted 24 times
Sr18
10 months ago
Given Answers (D&F) are correct... Reason is basic difference between Access and Default ACLs. Access ACL: is for existing items. Default ACL: is template ACL for new items to be created. Here question says traverse and read child items that are created in Folder2. So Access ACLs will fail to provide access to new files, so we need to add Default ACLs for new files.
upvoted 3 times
yogiazaad
2 years, 3 months ago
Requirement 1 says "Traverse child items that are created in Folder2". Means that you need to be able to traverse the subfolders under Folder2. So Default:Execute is a required permission.
upvoted 3 times
bokLuci
Highly Voted 2 years, 5 months ago
Selected Answer: CD
C - You need to traverse Folder2 only and no potential children folders - principle of least privilege. D - You need to pass on the READ access to the files in Folder2. Default ACLs are not passed to files but we are not setting the permission on a file level, we are setting it on Folder2.
upvoted 15 times
Lewiasskick
1 year, 2 months ago
cannot agree more, and do not need to overthink :)
upvoted 1 times
KauK
Most Recent 4 months ago
Selected Answer: DF
Answer is DF, recheck the documentation.
upvoted 2 times
learnwell
9 months, 2 weeks ago
Selected Answer: DF
The link https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control explains that "Default ACLs are templates of ACLs associated with a directory that determine the access ACLs for any child items that are created under that directory. Files do not have default ACLs." Now the requirement here is to 1) Traverse the child items that will be created within folder2 2) Read the files that will be created within folder2. The question states that the child items (both folders and files) within folder2 will get created, i.e., IT IS NOT YET CREATED and WILL GET CREATED IN THE FUTURE, which means the access has to be at the root directory level, which is folder2 here. And as per the Microsoft documentation, only Default ACLs will work because Access ACLs control access to an object (file or directory). Choosing Access ACL would mean each time a new child item gets created within folder2, the Access ACL has to be explicitly set for that child item at that time.
upvoted 2 times
Souvik_79
9 months, 2 weeks ago
Same problem. Everyone has different answers. No one knows which answer is correct. Worst part is even Gemini disagrees with ChatGPT :(
upvoted 2 times
Dusica
11 months, 3 weeks ago
A and F
upvoted 1 times
Alongi
1 year ago
Selected Answer: DF
Access ACLs control access to an object. Files and directories both have access ACLs. Default ACLs are templates of ACLs associated with a directory that determine the access ACLs for any child items that are created under that directory. Files do not have default ACLs.
upvoted 1 times
Gman1986
1 year, 1 month ago
Selected Answer: AF
Traverse child items that are created in Folder2 --> Default Execute
Read files that are created in Folder2 --> Access Read
upvoted 2 times
MarkJoh
1 year, 3 months ago
Selected Answer: AF
I'm going with AF and here is why. The requirement "Traverse child items that are created in Folder2" -> This requires default execute so that if any child folders under folder2 get created, the user can list those folders and files. Now, because of principle of least privilege, it does NOT say that if a file is created under a subfolder (like folder2/folder2/file1.json) that they need access to it. So, it should be Access Read on folder2 so that the users only get read access to the files in folder2 and not in /folder2/folder3/*.json, for instance.
upvoted 7 times
[Removed]
1 year, 3 months ago
Selected Answer: DF
Default Execute and Default Read as you don't know in advance the files/folders to be created, and you need access to all of them.
upvoted 1 times
kkk5566
1 year, 7 months ago
"Default - Read" and "Default - Execute"
upvoted 2 times
[Removed]
1 year, 8 months ago
Selected Answer: CD
Traverse requires access execute, file reads need default read
upvoted 2 times
[Removed]
1 year, 9 months ago
Selected Answer: DF
Default Execute is mandatory to traverse child items through cascade. Default Read by process of elimination.
upvoted 4 times
auwia
1 year, 9 months ago
Selected Answer: AF
✑ Traverse child items that are created in Folder2. => DEFAULT EXECUTE
✑ Read files that are created in Folder2. => ACCESS READ (that was already given).
upvoted 4 times
esaade
2 years, 1 month ago
Selected Answer: DF
Based on the permissions table provided, the ServicePrincipal1 has "Access - Execute" permission on container1, "Access - Execute" permission on Folder1, and "Access - Read" permission on Folder2. To allow ServicePrincipal1 to traverse child items that are created in Folder2 and read files created in Folder2, you should grant the "Default - Read" and "Default - Execute" permissions on Folder2. The "Default - Read" permission allows ServicePrincipal1 to read files created in Folder2, and the "Default - Execute" permission allows ServicePrincipal1 to traverse child items that are created in Folder2. Therefore, the correct answer is: D. Default - Read F. Default - Execute
upvoted 6 times
yogiazaad
2 years, 3 months ago
Traverse child items that are created in Folder2. This needs Default:Execute because user needs to traverse any child items (subfolders) created under Folder2. Read files that are created in Folder2. Since the Access:read ACL is already set on Folder2, any files that are created under Folder2 can be accessed by user. But to see (or list) the items/files under Folder2 we need Access:Execute. So the answer is Access: Execute and Default: Execute
upvoted 4 times
AzureJobsTillRetire
2 years, 4 months ago
Selected Answer: DF
Default Read and Execute are required. The reason is as below. In the POSIX-style model that's used by Data Lake Storage Gen2, permissions for an item are stored on the item itself. In other words, permissions for an item cannot be inherited from the parent items if the permissions are set after the child item has already been created. Permissions are only inherited if default permissions have been set on the parent items before the child items have been created. Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control
upvoted 6 times
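
The access/default split argued over in this thread can be checked with a small model. This is an added example, not part of the original discussion and not Microsoft's code: it simulates a single named principal, ignores the mask, umask and RBAC, and takes the baseline ACLs (Execute on container1 and Folder1, Read on Folder2) from esaade's comment because the table is missing from the page. `Folder3`, `new.csv` and `deep.csv` are constructed names.

```python
# Simplified model of ADLS Gen2 POSIX-style ACLs for ONE named principal.
# Assumptions: mask, umask, owner/group/other entries and RBAC are ignored.
class Node:
    def __init__(self, name, is_dir, access=(), default=(), parent=None):
        self.name, self.is_dir, self.parent = name, is_dir, parent
        self.access = set(access)                          # checked on this item
        self.default = set(default) if is_dir else set()   # template for new children

    def create(self, name, is_dir):
        """New child: access ACL is copied from the parent's default ACL.
        A child directory also receives the default ACL; files have none."""
        return Node(name, is_dir, self.default, self.default, parent=self)

def ancestors(node):
    while node.parent is not None:
        node = node.parent
        yield node

def can_traverse(d):
    """Execute is needed on the directory and on every directory above it."""
    return d.is_dir and "x" in d.access and all("x" in a.access for a in ancestors(d))

def can_read(f):
    """Read on the file plus Execute on every ancestor directory."""
    return "r" in f.access and all("x" in a.access for a in ancestors(f))

def evaluate(extra_access, extra_default):
    """Apply a candidate grant to Folder2, then create new items under it."""
    # Baseline taken from the thread (the table is missing from the page).
    container1 = Node("container1", True, access="x")
    folder1 = Node("Folder1", True, access="x", parent=container1)
    folder2 = Node("Folder2", True, access="r", parent=folder1)
    folder2.access |= set(extra_access)
    folder2.default |= set(extra_default)
    new_file = folder2.create("new.csv", False)      # constructed names
    folder3 = folder2.create("Folder3", True)
    deep_file = folder3.create("deep.csv", False)
    return {"read Folder2/new.csv": can_read(new_file),
            "traverse Folder2/Folder3": can_traverse(folder3),
            "read Folder2/Folder3/deep.csv": can_read(deep_file)}

# (access, default) permissions added on Folder2; CDF is not an answer option,
# it only shows how far Default Execute extends the principal's reach.
CANDIDATES = {"CD": ("x", "r"), "DF": ("", "rx"), "AF": ("r", "x"), "CDF": ("x", "rx")}
RESULTS = {name: evaluate(*grant) for name, grant in CANDIDATES.items()}

if __name__ == "__main__":
    for name, outcome in RESULTS.items():
        print(name, outcome)
```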