SOL-C01 · Question #43
You are designing a data warehouse in Snowflake. You need to ensure that users in the 'REPORTING TEAM' can only view data in the 'SALES TABLE table after it has been masked to hide sensitive informati
The correct answer is E. ALTER TABLE SALES_TABLE MODIFY COLUMN email. Option E (combined with D) represents the complete solution because applying a masking policy in Snowflake requires two steps: attaching the policy to the column via ALTER TABLE SALES_TABLE MODIFY COLUMN email SET MASKING POLICY EMAIL_MASK (shown in D), and granting SELECT on the
Question
You are designing a data warehouse in Snowflake. You need to ensure that users in the 'REPORTING TEAM' can only view data in the 'SALES TABLE table after it has been masked to hide sensitive information. You have implemented a masking policy called 'EMAIL MASK' that replaces email addresses with asterisks. How do you apply the masking policy and grant the correct privileges to the 'REPORTING TEAM' role?
Options
- AGRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE REPORTING_TEAM;
- BGRANT UNMASK ON TABLE SALES_TABLE TO ROLE REPORTING_TEAM;
- CCREATE MASKING POLICY EMAIL_MASK
- DALTER TABLE SALES_TABLE MODIFY COLUMN email SET MASKING POLICY EMAIL_MASK;
- EALTER TABLE SALES_TABLE MODIFY COLUMN email
How the community answered
(18 responses)- A6% (1)
- B22% (4)
- D6% (1)
- E67% (12)
Explanation
Option E (combined with D) represents the complete solution because applying a masking policy in Snowflake requires two steps: attaching the policy to the column via ALTER TABLE SALES_TABLE MODIFY COLUMN email SET MASKING POLICY EMAIL_MASK (shown in D), and granting SELECT on the table so the REPORTING_TEAM can actually query the data - the masked result is what they see automatically, no special "view masked data" privilege exists.
Why the distractors are wrong:
- A -
GRANT APPLY MASKING POLICYgives a role the ability to assign policies to columns (an admin privilege), not to view the resulting masked data. - B -
GRANT UNMASKdoes not exist as a Snowflake privilege;UNMASKis a policy exemption mechanism, not a grantable object privilege in this syntax. - C -
CREATE MASKING POLICY EMAIL_MASKcreates the policy definition but does nothing to attach it to a column; the policy is already created in the scenario. - D alone - Attaches the policy correctly but without a
GRANT SELECT,REPORTING_TEAMcannot even query the table.
Memory tip: Think of masking in two separate tracks - bind the policy to the column (ALTER TABLE ... SET MASKING POLICY), then grant access to the table (GRANT SELECT). Users with SELECT see masked output automatically; no extra privilege unlocks the data for them unless you explicitly grant UNMASK via a policy condition.
Topics
Community Discussion
No community discussion yet for this question.