A company is designing a data lake on Azure Data Lake Storage Gen2. They need to enforce row-level security on the data for different departments. Which approach should they use?
Serverless SQL can query ADLS and apply RLS via views.
Why this answer
Azure Synapse Serverless SQL supports row-level security (RLS) through the creation of views that use the `SECURITY_POLICY` and `FILTER_PREDICATE` functions. This allows you to filter rows based on the user's identity (e.g., department membership) without duplicating data or managing separate files. It is the only native Azure service that provides declarative row-level filtering directly on data stored in Azure Data Lake Storage Gen2.
Exam trap
The trap here is that candidates confuse Azure RBAC or ACLs (which control access to storage objects) with row-level security (which controls access to rows within a data set), leading them to choose a storage-level permission model instead of a query-level filtering mechanism.
How to eliminate wrong answers
Option B is wrong because Azure RBAC roles operate at the storage account, container, or blob level, not at the row level; they cannot filter individual rows within a file.
Option C is wrong because Azure Purview data policies currently support column-level sensitivity classification and access control, but do not enforce row-level security predicates on data in ADLS Gen2.
Option D is wrong because ADLS Gen2 ACLs control access at the file or directory level (POSIX-style permissions), not at the row level within a file.