SOL-C01 · Question #44
A company wants to implement row-level security in their Snowflake data warehouse to restrict access to sales data based on the user's region. They have a table 'SALES with a 'REGION' column and want
The correct answer is E. Create a row access policy that references a mapping table or function to determine the user's. Option E is correct because implementing row-level security in Snowflake properly requires both creating a row access policy that references a mapping table or function (to dynamically resolve the current user's assigned region) and attaching that policy to the SALES table - only
Question
A company wants to implement row-level security in their Snowflake data warehouse to restrict access to sales data based on the user's region. They have a table 'SALES with a 'REGION' column and want to ensure that users can only see sales data for their assigned region. They plan to use row access policies for this. Which of the following steps are REQUIRED to implement this row-level security?
Options
- ACreate a row access policy that references a mapping table or function to determine the user's
- BCreate a row access policy that references a mapping table or function to determine the user's
- CCreate a view on top of the 'SALES' table with a 'WHERE clause that filters data based on the
- DCreate a row access policy that directly embeds the region filtering logic, and then apply the policy
- ECreate a row access policy that references a mapping table or function to determine the user's
How the community answered
(31 responses)- A3% (1)
- B6% (2)
- C3% (1)
- D16% (5)
- E71% (22)
Explanation
Option E is correct because implementing row-level security in Snowflake properly requires both creating a row access policy that references a mapping table or function (to dynamically resolve the current user's assigned region) and attaching that policy to the SALES table - only E captures this complete, required two-step implementation.
Options A and B are incomplete versions of the same approach: they describe creating the policy but omit either applying it to the table or correctly wiring the mapping logic, meaning the policy would exist but never enforce anything. Option C is wrong because a view with a WHERE clause is a legacy workaround, not Snowflake's row access policy mechanism - it lacks centralized governance and can be bypassed by querying the base table directly. Option D is wrong because hard-coding region logic directly in the policy body makes it brittle and unmanageable at scale; the recommended pattern externalizes the user-to-region mapping into a dedicated table or secure function.
Memory tip: Think "MAP → POLICY → ATTACH" - you need a mapping source (table/function), a policy that reads it, and the policy must be attached to the column. If any step is missing, security isn't enforced.
Topics
Community Discussion
No community discussion yet for this question.