Study Databricks DE-PRO ACLs and Least Privilege: key concepts, common traps, and exam decision cues.
Security questions usually become easy once you identify whether the problem is object access, record visibility, or value protection.
| Requirement | Better first instinct |
|---|---|
| restrict who can access an object or action | ACL or permission control |
| let users see only certain records | row filter |
| hide or transform sensitive field values | column mask |
| avoid over-granting access | least-privilege design |
| Concern | Stronger first control |
|---|---|
| who can touch the object | ACLs and permissions |
| which records a user can see | row filter |
| what values a user can see | column mask |
| how much access to grant overall | least privilege |
Once this split is clear, most distractors become much easier to reject.
| If the stem says… | Strong reading |
|---|---|
| “secure workspace objects” | think permissions and ACLs |
| “filter sensitive table data by rows” | row filters |
| “mask sensitive table data by columns” | column masks |
| “least privilege” | the narrowest sufficient permission boundary wins |
DE-PRO is usually not looking for the easiest way to make the error disappear. It is looking for the narrowest control surface that solves the requirement without exposing more data or capability than necessary.
| Trap | Better rule |
|---|---|
| using row filters to solve a value-redaction question | row filters affect visibility, not value masking |
| using column masks when the real question is row access | masks do not decide which rows are visible |
| solving every problem with broad permissions | DE-PRO rewards narrower control surfaces |
| Scenario clue | Stronger answer shape |
|---|---|
| “access denied to object or action” | ACL or permission lane |
| “user should see only their region’s rows” | row filter |
| “user may access the table but not raw sensitive values” | column mask |
| “grant only what is necessary” | least-privilege design |
Security questions here usually depend on whether you are restricting rows, masking values, or shrinking access scope. If users should only see rows they own, think row filters. If they can access the table but not full sensitive values, think column masks. If the issue is role sprawl, think least privilege. DE-PRO usually rewards the control that matches the exact visibility boundary.