nerdexam
Snowflake

DEA-C02 · Question #128

A Data Engineer needs to create a tag-based masking policy to determine whether data should be masked based on the value of the label string assigned to column salary in table staff. The Engineer crea

The correct answer is A. ALTER TABLE staff MODIFY COLUMN salary SET TAG governance.tags.hr_col_salary = 'masked';. The masking policy logic is: return the real value if the tag equals 'visible' OR the current role is 'payroll_admin'; otherwise return -1. To restrict visibility to only payroll_admin, the tag must NOT be set to 'visible', so the tag-based condition never grants access to regula

Security and Governance

Question

A Data Engineer needs to create a tag-based masking policy to determine whether data should be masked based on the value of the label string assigned to column salary in table staff. The Engineer created the tag and masking policy with these commands:

USE SCHEMA governance.tags; CREATE TAG hr_col_salary; USE ROLE masking_admin; USE SCHEMA governance.masking_policies; CREATE MASKING POLICY salary_mask_tag_policy AS (val number) RETURNS number -> CASE WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('tags.hr_col_salary') = 'visible' or 'payroll_admin' = current_role() THEN val ELSE -1 END; ALTER TAG hr_col_salary SET MASKING POLICY salary_mask_tag_policy; How should the Engineer apply the tag to ensure that only users with the payroll_admin role can access the data? A. B. C. D.

Options

  • AALTER TABLE staff MODIFY COLUMN salary SET TAG governance.tags.hr_col_salary = 'masked';
  • BALTER TABLE staff MODIFY COLUMN salary SET TAG governance.tags.hr_col_salary = 'visible';
  • CALTER TABLE staff MODIFY COLUMN salary SET MASKING POLICY governance.masking_policies.salary_mask_tag_policy;
  • DALTER TABLE staff MODIFY COLUMN salary UNSET MASKING POLICY governance.masking_policies.salary_mask_tag_policy;

How the community answered

(36 responses)
  • A
    69% (25)
  • B
    6% (2)
  • C
    8% (3)
  • D
    17% (6)

Explanation

The masking policy logic is: return the real value if the tag equals 'visible' OR the current role is 'payroll_admin'; otherwise return -1. To restrict visibility to only payroll_admin, the tag must NOT be set to 'visible', so the tag-based condition never grants access to regular users. Setting the tag to 'masked' (A) means SYSTEM$GET_TAG_ON_CURRENT_COLUMN returns 'masked', which does not equal 'visible', so the only path to see real data is being in the payroll_admin role - exactly the requirement. Option B sets the tag to 'visible', which would allow any user to see the salary, defeating the masking. Option C applies the masking policy directly to the column, bypassing the tag-based mechanism entirely and is architecturally incorrect for a tag-based policy. Option D removes the masking policy, leaving data completely unmasked.

Topics

#Tag-based Masking Policies#Data Masking#Column-level Security#Snowflake Tags

Community Discussion

No community discussion yet for this question.

Full DEA-C02 Practice