# DP-750: Unity Catalog Governance Explained and with Real Exam Questions

By 5 min read
# DP-750: Unity Catalog Governance Explained and with Real Exam Questions

When preparing for DP-750: Microsoft Certified: Azure Databricks Data Engineer Associate, Unity Catalog governance is one of the most important areas to understand.

In previous articles, we covered:

  • Unity Catalog object model: catalog, schema, table
  • Unity Catalog permissions: USE CATALOG, USE SCHEMA, SELECT, MODIFY

This article focuses on higher-level governance features:

  • AI/BI Genie Spaces
  • Unity Catalog data lineage
  • attribute-based access control, ABAC
  • governed tags
  • column masks
  • audit logs

The related questions in your DP-750 question bank are Q14, Q17, Q19, Q23, and Q35.

---

1. What does governance mean in Unity Catalog?

In Azure Databricks, governance is not only about granting table permissions.

Governance also includes:

  • controlling access to sensitive data
  • masking columns
  • tracking data lineage
  • auditing data access
  • organizing metadata consistently
  • helping users find and understand governed data
  • applying policies centrally across many objects

Unity Catalog is the central governance layer for data and AI assets in Azure Databricks. It provides a unified model for permissions, lineage, discovery, and policy enforcement across Databricks workspaces.

For DP-750, you need to understand which governance feature solves which problem.

|Requirement|Governance feature| |---|---| |Users ask natural-language questions about data|AI/BI Genie Space| |Business terms should map to the right table|Genie instructions / knowledge store| |Track where table data came from|Data lineage| |Review lineage visually|Catalog Explorer| |Tag data and apply dynamic policies|Governed tags + ABAC| |Hide part of a sensitive column|Column mask| |Capture data access events|Audit logs| |Analyze logs quickly in Azure|Log Analytics|

---

2. AI/BI Genie Space

An AI/BI Genie Space, now also referred to in current documentation as a Genie Agent, allows business users to interact with data by using natural language. Domain experts configure Genie with datasets, sample queries, and text guidelines so that business questions can be translated into analytical queries.

For example, users might ask:

Show me total sales by month.

or:

How many invoices were created last quarter?

Genie then tries to generate a SQL query based on the configured data, metadata, descriptions, and instructions.

For DP-750, the key idea is:

> Genie is scoped to a Genie Space.

If a question says:

> The instruction should affect only Space1 and no other Genie spaces.

then the instruction belongs on Space1, not on the table, schema, catalog, or notebook.

---

3. Genie instructions and business synonyms

A common governance problem is that business users use different terms for the same concept.

For example:

sale
transaction
event
order
invoice

Technically, these words might not all be the same. But in a specific business domain, users may use them to refer to the same sales table.

Genie quality can be improved by adding examples, instructions, and knowledge store snippets. Databricks documentation says you can add example SQL queries, Unity Catalog functions, plain-text instructions, and knowledge store snippets such as table descriptions, join relationships, and SQL expressions for business semantics.

So if users in Space1 use the words:

transaction
event
order
invoice

to refer to a sale, then you should add the instruction to Space1.

Do not add the instruction to:

  • the catalog
  • the schema
  • the notebook
  • all Genie spaces globally

because the requirement says other Genie spaces must remain unaffected.

---

4. Unity Catalog data lineage

Data lineage tracks how data flows through tables, notebooks, jobs, dashboards, and queries.

For example, if a pipeline reads from:

bronze.raw_events

then writes to:

silver.cleaned_events

then writes to:

gold.telemetry_summary

lineage helps you understand that relationship.

Unity Catalog data lineage can be used for impact analysis, root-cause investigation, and tracking sensitive data flows. Databricks documentation says lineage is captured for queries that use Spark DataFrame or Databricks SQL interfaces such as notebooks and SQL query editor, and that tables must be registered in a Unity Catalog metastore.

For DP-750, the key exam pattern is:

> To capture lineage, use Unity Catalog-enabled compute. > To review lineage, use Catalog Explorer.

---

5. Why Catalog Explorer for lineage?

Catalog Explorer is the main UI for browsing Unity Catalog objects such as catalogs, schemas, tables, views, and lineage.

If a DP-750 question asks:

> Where should you review data lineage?

the answer is usually:

Catalog Explorer

not:

Log Analytics
Azure Data Explorer
DAG

A DAG may show job task dependencies, but it is not the Unity Catalog lineage review tool.

Log Analytics is useful for logs, not for browsing table lineage.

---

6. Attribute-based access control, ABAC

Attribute-based access control, or ABAC, controls access based on attributes.

In Unity Catalog, ABAC uses:

  • governed tags
  • access policies
  • user-defined functions, UDFs

Databricks documentation says ABAC in Unity Catalog uses governed tags, policies, and UDFs to enforce dynamic, attribute-based access control.

A simple example:

Table1 is tagged as sensitivity = confidential.
Only users in an approved group can see confidential data.

Instead of manually creating separate views for every access pattern, you can use governed tags and Unity Catalog access policies to apply consistent rules.

For DP-750, the key pattern is:

> ABAC = governed tag + Unity Catalog access policy

---

7. Governed tags

A governed tag is an account-level tag with rules.

Databricks documentation describes governed tags as account-level tags with built-in rules for consistency and control. A tag policy defines how the tag can be used, including allowed values and who can assign them.

Governed tags can be used to classify objects, for example:

sensitivity = public
sensitivity = internal
sensitivity = confidential
sensitivity = restricted

or:

data_domain = finance
data_domain = sales
data_domain = hr

For DP-750, if the question says:

> Access must be controlled by using ABAC.

then the correct object-level input is usually:

A governed tag

not:

A table privilege
A workspace permission

A table privilege such as SELECT controls direct access, but it is not ABAC. A workspace permission controls workspace objects, not dynamic data access rules.

---

8. Unity Catalog access policy

A Unity Catalog access policy defines how access should be enforced based on attributes such as governed tags.

Databricks documentation says ABAC policies can be used for row filtering and column masking and can be created, edited, viewed, and deleted in Catalog Explorer, SQL, or REST APIs.

For DP-750, the pattern is simple:

Apply governed tag to table.
Create Unity Catalog access policy.

This is different from manually granting users SELECT.

SELECT allows users to query data, but it does not define an ABAC rule.

---

9. Column masks

A column mask changes what users see when they query a sensitive column.

For example, a table contains:

email_address
credit_card_number

The business requirement says:

  • analysts can query all rows
  • analysts cannot see the full email address
  • analysts can see only the domain after @
  • analysts can see only the last four digits of the credit card number

This is a column-level data protection problem.

The right solution is:

Grant SELECT on the table.
Apply column masks to sensitive columns.

Databricks documentation describes row filters and column masks as Unity Catalog access controls that restrict the rows and column values a user can see at query time. It also says column masks are used for redacting sensitive column data based on identity.

For DP-750:

|Requirement|Correct feature| |---|---| |Hide rows|Row filter| |Hide or transform values in a column|Column mask| |Hide full email but keep domain|Column mask| |Hide full card number but keep last four digits|Column mask| |Create a separate read-only object|Dynamic view| |Encrypt values so users cannot query normally|Not the best answer here|

---

10. Column masks vs row filters

Column masks and row filters are often tested together.

|Feature|What it controls|Example| |---|---|---| |Row filter|Which rows users can see|Analyst sees only rows for their region| |Column mask|What values users see in a column|Analyst sees only last four digits of card number|

If the requirement says:

Business analysts can query all the rows.

then do not choose row-level filters.

The problem is not which rows they can access. The problem is which column values they can see.

So the correct answer is column masks.

---

11. Dynamic views vs column masks

A dynamic view can also be used to apply filtering or masking logic, but it creates a separate view object.

Databricks documentation explains that dynamic views, row filters, and column masks can all apply filtering or transformation logic at query time, but row filters and column masks apply directly to tables and keep the table name unchanged.

For DP-750, if the question says:

  • analysts must query the table without errors
  • analysts should see all rows
  • only certain column values should be hidden
  • follow least privilege

then the best answer is usually:

Grant SELECT on the table and apply column masks.

not:

Create a dynamic view.

---

12. Audit logs

Audit logs capture important security and access events.

In Azure Databricks, audit logs help answer questions such as:

  • Who accessed this table?
  • Who changed permissions?
  • Which workspace generated this event?
  • Which user ran this command?
  • Which service principal performed this operation?

Databricks documentation provides an audit log reference for services and events, and notes that audit log availability depends on how you access logs.

For DP-750, if the question says:

> Unity Catalog table data access events do not appear in the logs.

then you should think about audit or diagnostic logging for the Azure Databricks workspace.

---

13. Diagnostic log delivery and Log Analytics

Azure Databricks diagnostic log delivery is configured for workspaces through Azure diagnostic settings. Databricks documentation says to open the Azure Databricks service resource in the Azure portal, go to Diagnostic settings, turn on diagnostics, choose the services to log, and save the configuration.

Azure Monitor diagnostic settings can send resource logs to several destinations, including a Log Analytics workspace. Microsoft documentation describes Log Analytics as a destination where you can retrieve data by using log queries and workbooks and use log alerts proactively.

For DP-750, if the requirement says:

The log data must be available for analysis as quickly as possible.

then Log Analytics is usually the best destination.

Storage account is useful for archiving. Event Hubs is useful for streaming to external systems. Azure Monitor metrics is not the same as detailed audit logs.

---

14. DP-750 decision table for governance

|Scenario in the question|Best answer pattern| |---|---| |Business users ask natural-language questions|Genie Space| |Business synonyms should affect only one Genie space|Add instructions to that Genie Space| |Capture table lineage for notebooks and jobs|Unity Catalog-enabled compute| |Review lineage visually|Catalog Explorer| |Control access with ABAC|Governed tag + Unity Catalog access policy| |Mask email and credit card columns|Column masks| |Analysts must query all rows|Do not use row filters| |Data access events missing from logs|Enable workspace audit / diagnostic logging| |Logs must be quickly analyzable|Send to Log Analytics|

---

Real Exam Questions

Question 14

You have an Azure Databricks workspace that contains the objects shown in the following table.

|Name|Type| |---|---| |Catalog 1|Catalog| |Schema 1|Schema| |Sales1|Table| |Notebook1|Notebook| |Space1|AI/BI Genie Space|

Users often use the following words to refer to a sale: transaction, event, order, and invoice.

You need to create a knowledge store. The solution must ensure that when the users use any of the words in Space1, Genie queries the Sales1 table. Any other Genie spaces must remain unaffected.

To which object should you add the instructions?

A. Sales1 B. Schema1 C. Space1 ✅ Correct Answer D. Catalog1 E. Notebook1

---

Question 17

You have an Azure Databricks workspace that is enabled for Unity Catalog.

You need to ensure that data lineage is captured and can be reviewed for tables accessed by Databricks notebooks and jobs. The solution must minimize administrative effort.

Which compute configuration should you use to capture the data lineage and what should you use to review the data lineage?

|Area|Answer| |---|---| |Capture|A Unity Catalog-enabled cluster ✅ Correct Answer| |Review|Catalog Explorer ✅ Correct Answer|

---

Question 19

You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a catalog named Catalog1. Catalog1 contains a schema named Schema1 and a table named Table1.

You need to ensure that access to the data in Table1 is controlled by using attribute-based access control, ABAC.

What should you apply to Table1, and how should you control access for users?

|Area|Answer| |---|---| |Apply to Table1|A governed tag ✅ Correct Answer| |To control user access|Create a Unity Catalog access policy ✅ Correct Answer|

---

Question 23

You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a catalog named Catalog1.

Catalog1 contains a table named Transactions.

Transactions contains the following columns:

  • transaction_id
  • customer_name
  • email_address
  • credit_card_number
  • transaction_amount

You need to ensure that business analysts can query all the rows in the Transactions table. The solution must meet the following requirements:

  1. Prevent the analysts from seeing the full values in the email_address and credit_card_number columns.
  2. Ensure that the analysts can see only the values after the @ character in each email address.
  3. Ensure that the analysts can see only the last four digits of each credit card number.
  4. Enable the analysts to query the table without errors.
  5. Follow the principle of least privilege.

What should you do?

A. Grant the analysts the SELECT permission for the Transactions table and apply column-level encryption. B. Grant the analysts the SELECT permission for columns that do NOT contain sensitive data. C. Grant the analysts the SELECT permission for the Transactions table and implement row-level filters. D. Grant the analysts the SELECT permission for the Transactions table and apply column masks to email_address and credit_card_number. ✅ Correct Answer

---

Question 35

You have an Azure Databricks account that contains a single workspace named Workspace1. Workspace1 is enabled for Unity Catalog.

You discover that data access events for Unity Catalog tables fail to appear in the logs.

You need to ensure that all the data access events are captured centrally for auditing purposes. The log data must be available for analysis as quickly as possible.

What should you do?

|Area|Answer| |---|---| |Enable audit logging for|Workspace1 ✅ Correct Answer| |Send audit logs to|Log Analytics ✅ Correct Answer|

---

Key takeaways

For DP-750, Unity Catalog governance questions usually ask you to choose the correct governance feature, not just the correct SQL privilege.

Remember these patterns:

  • Genie Space is used for natural-language business questions.
  • If synonyms or instructions must affect only one Genie Space, add them to that Genie Space.
  • Unity Catalog lineage can capture lineage for tables used by notebooks and jobs.
  • Catalog Explorer is used to review lineage.
  • ABAC uses governed tags and Unity Catalog access policies.
  • Governed tags classify objects for policy-based access control.
  • Column masks hide or transform sensitive column values.
  • Row filters restrict rows, not column values.
  • Audit logs capture access and security events.
  • Log Analytics is the best option when logs must be available quickly for analysis.

If you can identify whether the requirement is about natural-language semantics, lineage, tag-based policy, column-level masking, or logging, you can usually choose the right DP-750 governance answer quickly.

Add Comments

Comments

Loading comments...