nerdexam
Snowflake

SOL-C01 · Question #43

You are designing a data warehouse in Snowflake. You need to ensure that users in the 'REPORTING TEAM' can only view data in the 'SALES TABLE table after it has been masked to hide sensitive informati

The correct answer is E. ALTER TABLE SALES_TABLE MODIFY COLUMN email. Option E (combined with D) represents the complete solution because applying a masking policy in Snowflake requires two steps: attaching the policy to the column via ALTER TABLE SALES_TABLE MODIFY COLUMN email SET MASKING POLICY EMAIL_MASK (shown in D), and granting SELECT on the

Snowflake Account and Security

Question

You are designing a data warehouse in Snowflake. You need to ensure that users in the 'REPORTING TEAM' can only view data in the 'SALES TABLE table after it has been masked to hide sensitive information. You have implemented a masking policy called 'EMAIL MASK' that replaces email addresses with asterisks. How do you apply the masking policy and grant the correct privileges to the 'REPORTING TEAM' role?

Options

  • AGRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE REPORTING_TEAM;
  • BGRANT UNMASK ON TABLE SALES_TABLE TO ROLE REPORTING_TEAM;
  • CCREATE MASKING POLICY EMAIL_MASK
  • DALTER TABLE SALES_TABLE MODIFY COLUMN email SET MASKING POLICY EMAIL_MASK;
  • EALTER TABLE SALES_TABLE MODIFY COLUMN email

How the community answered

(18 responses)
  • A
    6% (1)
  • B
    22% (4)
  • D
    6% (1)
  • E
    67% (12)

Explanation

Option E (combined with D) represents the complete solution because applying a masking policy in Snowflake requires two steps: attaching the policy to the column via ALTER TABLE SALES_TABLE MODIFY COLUMN email SET MASKING POLICY EMAIL_MASK (shown in D), and granting SELECT on the table so the REPORTING_TEAM can actually query the data - the masked result is what they see automatically, no special "view masked data" privilege exists.

Why the distractors are wrong:

  • A - GRANT APPLY MASKING POLICY gives a role the ability to assign policies to columns (an admin privilege), not to view the resulting masked data.
  • B - GRANT UNMASK does not exist as a Snowflake privilege; UNMASK is a policy exemption mechanism, not a grantable object privilege in this syntax.
  • C - CREATE MASKING POLICY EMAIL_MASK creates the policy definition but does nothing to attach it to a column; the policy is already created in the scenario.
  • D alone - Attaches the policy correctly but without a GRANT SELECT, REPORTING_TEAM cannot even query the table.

Memory tip: Think of masking in two separate tracks - bind the policy to the column (ALTER TABLE ... SET MASKING POLICY), then grant access to the table (GRANT SELECT). Users with SELECT see masked output automatically; no extra privilege unlocks the data for them unless you explicitly grant UNMASK via a policy condition.

Topics

#Dynamic Data Masking#Column-level Security#RBAC#Privilege Management

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice