You need to grant users access according to the following requirements: CORP\Employees should have SELECT access to the Employees table

You administer a Windows Azure SQL Database database named Human_Resources. The database contains 2 tables named Employees and SalaryDetails.
You add two Windows groups as logins for the server:
CORP\Employees – All company employees
CORP\HRAdmins – HR administrators only
HR Administrators are also company employees.
You need to grant users access according to the following requirements:
CORP\Employees should have SELECT access to the Employees table.
Only users in CORP\HRAdmins should have SELECT access to the SalaryDetails table.
Logins are based only on Windows security groups.
What should you do?

A.
Create a database role called Employees.
Add CORP\Employees to the db_datareader role.
Add all company employees except HR administrators to the Employees role.
Deny SELECT access to the SalaryDetails table to the Employees role.

B.
Create a database role called HRAdmins.
Add all company employees except HR administrators to the db_datareader role.
Add all HR administrators to the HRAdmins role.
Grant SELECT access to the SalaryDetails table to the HRAdmins role.
Deny SELECT access to the SalaryDetails table to the db_datareader role.

C.
Create two database roles: Employees and HRAdmins.
Add all company employees to the Employees role.
Add HR administrators to the HRAdmins role.
Grant SELECT access to all tables except SalaryDetails to the Employees role.
Grant SELECT access to the SalaryDetails table to the HRAdmins role.
Deny SELECT access to the SalaryDetails table to the Employees role.

D.
Create a database role called Employees.
Add all HR administrators to the db_datareader role.
Add all company employees to the Employees role.
Grant SELECT access to all tables except the SalaryDetails table to the Employees role.
Deny SELECT access to the SalaryDetails table to the Employees role.




David

Anyway not A, because the employee role had no members.

Eli

This question still appears flawed, because although (A) is the only working solution (demonstrated by T-SQL in the link provided by Shak above), it also utilises adding individuals – ‘all company employees except HR administrators’.
The question states ‘Logins are based only on Windows security groups’ so when all the individual users are created and assigned to a role at the database level, which logins will they be mapped to?
There seem to be two possibilities:
– The question as we have it here is not an accurate copy
– The question itself is broken

Henry Figgins

This is a bad question, but A is clearly the answer. Both employees and HR employees are in the corp/employees login, which is in the db_datareader role that lets them read everything. Non-HR employees are also in the employee role, which is explicitly denied access to salaries. Deny is stronger than grant, so now they can read everything except salaries.
Also, you only know that HR is in the corp/employees login and the db_datareader role because: HR Administrators are also company employees.
Well of course they are. They aren’t consultants or part timers. The test really meant they are in the corp/employees login in the stupidest manner possible because if the IT people writing this test had real English writing skills they’d be authors or journalists. They certainly aren’t programmers.

kmr

70-461 question, I guess

Greg

Question is if HR Admins are members of the Employees group as well. If so, then A will work. If not, then D.
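
Option A as debated in the comments above, written out as an added T-SQL example (not part of the original page or of any commenter's post). It shows a DENY on the Employees role overriding the SELECT that the same user inherits through db_datareader. The user names and the CorpEmployeesGroup role are hypothetical stand-ins for Windows accounts and the CORP\Employees group, so the script can run in a scratch database without a domain.

```sql
-- Constructed demo of option A. Users WITHOUT LOGIN and the role
-- CorpEmployeesGroup are hypothetical stand-ins for Windows principals.
CREATE TABLE dbo.Employees     (EmployeeId int PRIMARY KEY, Name nvarchar(100));
CREATE TABLE dbo.SalaryDetails (EmployeeId int PRIMARY KEY, Salary money);
GO

CREATE USER alice_staff WITHOUT LOGIN;   -- ordinary employee
CREATE USER bob_hradmin WITHOUT LOGIN;   -- HR administrator, also an employee

-- Stand-in for CORP\Employees: every employee, HR administrators included.
CREATE ROLE CorpEmployeesGroup;
ALTER ROLE CorpEmployeesGroup ADD MEMBER alice_staff;
ALTER ROLE CorpEmployeesGroup ADD MEMBER bob_hradmin;

-- Option A: the employees group joins db_datareader (SELECT on every table).
ALTER ROLE db_datareader ADD MEMBER CorpEmployeesGroup;

-- Option A: the Employees role holds everyone except HR administrators
-- and is explicitly denied SELECT on SalaryDetails.
CREATE ROLE Employees;
ALTER ROLE Employees ADD MEMBER alice_staff;
DENY SELECT ON dbo.SalaryDetails TO Employees;
GO

-- Report the effective permissions of each stand-in user.
EXECUTE AS USER = 'alice_staff';
SELECT USER_NAME() AS who,
       HAS_PERMS_BY_NAME('dbo.Employees',     'OBJECT', 'SELECT') AS can_read_employees,
       HAS_PERMS_BY_NAME('dbo.SalaryDetails', 'OBJECT', 'SELECT') AS can_read_salary;
REVERT;

EXECUTE AS USER = 'bob_hradmin';
SELECT USER_NAME() AS who,
       HAS_PERMS_BY_NAME('dbo.Employees',     'OBJECT', 'SELECT') AS can_read_employees,
       HAS_PERMS_BY_NAME('dbo.SalaryDetails', 'OBJECT', 'SELECT') AS can_read_salary;
REVERT;
```

Because db_datareader covers every current and future table, any new sensitive table is readable by all employees until a matching DENY is added, which is worth checking whenever this pattern is audited.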