ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-400 All Questions

View all questions & answers for the AZ-400 exam
Go to Exam

Exam AZ-400 topic 7 question 20 discussion

Actual exam question from Microsoft's AZ-400
Question #: 20
Topic #: 7
[All AZ-400 Questions]

You have a private project in Azure DevOps.
You need to ensure that a project manager can create custom work item queries to report on the project's progress. The solution must use the principle of least privilege.
To which security group should you add the project manager?

  • A. Reader
  • B. Project Collection Administrators
  • C. Project Administrators
  • D. Contributor
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by prgt at Nov. 6, 2020, 1:20 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Windscar
Highly Voted 4 years, 9 months ago
Answer is correct. There is no reference for shared querires. so its Contributor
upvoted 44 times
Akc0
2 years, 3 months ago
Where did it say shared queries? It mentions principle of least privilege, which in this case is Reader. Others have said a Reader can run the queries without issue.
upvoted 1 times
Akc0
2 years, 3 months ago
I take it back, it should be contributor Reader > View and run managed queries, view query charts Contributor > Create and save managed My queries, query charts Question says they should "Create" queries, reader is not valid boys https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 8 times
...
...
...
prgt
Highly Voted 4 years, 9 months ago
Answer should be A. Reader
upvoted 20 times
sanhoo
4 years ago
igorole has provided the correct explanation.
upvoted 3 times
somenkr
3 years, 3 months ago
Wrong explanation : https://docs.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 2 times
...
...
crutester
4 years, 8 months ago
why???
upvoted 2 times
tom999
4 years, 5 months ago
Because I validated in Azure Boards ;-) Security group Reader is sufficient to create custom queries and save them under "my queries". BTW: For both access levels: basic and stakeholder To save "Shared queries" permission group "Project admins" is required, but this is not required in this question.
upvoted 4 times
...
...
haxaffee
4 years, 3 months ago
Pretty sure this is right. Look at https://docs.microsoft.com/en-us/azure/devops/boards/queries/about-managed-queries?view=azure-devops#get-started-using-queries -> All valid users with standard access can create queries and folders under the My Queries area. To create queries and query folders under Shared Queries, you must have the Contribute permission set. Sharing them is not mentioned in the question.
upvoted 1 times
lugospod
3 years, 6 months ago
"All users, except those users assigned to the Readers group, can create and edit their own queries and save them under My Queries." so the answer must be contributor... https://docs.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 3 times
...
...
igorole
4 years, 1 month ago
It is contributor. See the issue I opened on github: https://github.com/MicrosoftDocs/azure-devops-docs/issues/10963 Reader has no rights to save anything.
upvoted 28 times
somenkr
3 years, 3 months ago
Reader can save queries https://docs.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 3 times
binhdortmund
2 years, 7 months ago
readers can save queries somewhere, but not in azure devops. As it s shown in your link "View and run managed queries, view query charts"
upvoted 1 times
...
warchoon
2 years, 8 months ago
All users, except those users assigned to the Readers group, can create and edit their own queries and save them under My Queries. Only the signed in user can view queries saved under their My Queries space.
upvoted 2 times
...
...
...
...
DevopsRock
Most Recent 11 months ago
Selected Answer: D
Answer should be D
upvoted 1 times
...
UrbanRellik
1 year, 2 months ago
Selected Answer: D
https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 1 times
...
ozbonny
1 year, 5 months ago
Selected Answer: D
D. Contributor https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 1 times
...
vsvaid
1 year, 7 months ago
Selected Answer: D
Since the question asks for creating queries, it has to be Contributor. If only running query was needed, then Reader access would have been sufficient.
upvoted 1 times
...
4b31a3a
1 year, 8 months ago
Selected Answer: D
I think report is the keyword. Hard to report on a query that you can't share so it should be contributor.
upvoted 1 times
...
gabo
1 year, 10 months ago
A Reader can save his/her own queries. Since the question doesn't mention the word "Shared". As per least privilege, Reader is the right answer.
upvoted 1 times
gabo
1 year, 10 months ago
Ignore what I said, the correct answer is below : View and run managed queries, view query charts - Reader Create and save managed My queries, query charts - Contributer So, a Reader can run a query but cannot save it. https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 2 times
...
gabo
1 year, 10 months ago
https://learn.microsoft.com/en-us/azure/devops/boards/queries/about-managed-queries?view=azure-devops All valid users with standard access can create queries and folders under the My Queries area. To create queries and query folders under Shared Queries, you must have the Contribute permission set.
upvoted 1 times
...
...
AymanAkk
1 year, 10 months ago
Selected Answer: D
answer is D
upvoted 2 times
...
yana_b
1 year, 11 months ago
Selected Answer: D
View and run => Reader Create My queries => Contributor Create Shared queries => Project Admin Question does not refer to shared queries => Contributor
upvoted 2 times
yana_b
1 year, 11 months ago
evidence can be found here: https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 1 times
...
...
fafda
2 years, 1 month ago
Selected Answer: D
"Create" queries - Contributor.. Reader role can not create query
upvoted 1 times
...
RealRaymond
2 years, 3 months ago
D Contributor. https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops#default-query-permissions
upvoted 1 times
...
Fal991l
2 years, 4 months ago
Selected Answer: C
GTP: To ensure that a project manager can create custom work item queries to report on the project's progress using the principle of least privilege, you should add the project manager to the Project Administrators security group. The Project Administrators group is a built-in group in Azure DevOps that has permissions to perform administrative tasks on a project, such as creating and modifying work item types, managing team members and their permissions, and creating and modifying queries. By adding the project manager to this group, they will have the necessary permissions to create custom work item queries without giving them unnecessary privileges. On the other hand, adding the project manager to the Reader group would not provide them with the necessary permissions to create custom work item queries, while adding them to the Project Collection Administrators group or Contributor group would give them more privileges than necessary, which goes against the principle of least privilege. Therefore, the correct answer is C. Project Administrators.
upvoted 1 times
Fal991l
2 years, 4 months ago
You are correct that adding the project manager to the Contributor security group could also be considered as an option that follows the principle of least privilege. As a member of the Contributor group, the project manager would have the permissions necessary to create custom work item queries, and some additional permissions that may be required to perform other tasks related to the project. However, it's worth noting that the Contributor security group provides more permissions than the Project Administrators group, which is designed specifically for granting administrative permissions within a project. By adding the project manager to the Project Administrators group, you would be granting them only the permissions necessary to perform their duties related to work item queries and not any additional permissions that may not be needed.
upvoted 1 times
Fal991l
2 years, 4 months ago
here are some examples of additional permissions that the Contributor security group provides beyond what is necessary for creating custom work item queries: Ability to add, modify, or delete resources such as pipelines, builds, releases, repositories, and other project artifacts. Ability to modify project-level security settings, such as adding or removing security groups, changing project-level permissions, or changing security settings for individual resources within the project.
upvoted 1 times
Fal991l
2 years, 4 months ago
The Project Administrators group provides administrative permissions within a single project, such as the ability to create and manage work items, queries, boards, backlogs, iterations, and other project-level settings. This group does not have administrative permissions outside of the project.
upvoted 1 times
...
...
...
...
noip
2 years, 6 months ago
A. Reader is Correct. The correct security group to add the project manager to is "Reader". This group provides the minimum necessary permissions for the project manager to create custom work item queries and view project information, while following the principle of least privilege. "Reader" provides the ability to view project information and run saved queries, but does not provide the ability to make changes to the project or its artifacts.
upvoted 1 times
...
chingdm
2 years, 6 months ago
Answer: Contributor "All users, except those users assigned to the Readers group, can create and edit their own queries and save them under My Queries. Only the signed in user can view queries saved under their My Queries space." https://learn.microsoft.com/en-us/azure/devops/boards/queries/set-query-permissions?view=azure-devops
upvoted 1 times
...
Sam90765
2 years, 7 months ago
Selected Answer: C
His role is called project admin guys. Reader will help him create his own queries but not to share it.
upvoted 1 times
...
LGWJ12
2 years, 8 months ago
Selected Answer: D
The answer is D, as a reader, you can only run queries, not create them.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel