nerdexam
Snowflake

SOL-C01 · Question #45

A data engineer needs to grant a group of analysts the ability to query data in the 'SALES DB.PUBLIC.ORDERS table, but prevent them from seeing any personally identifiable information (PII) in the 'CU

The correct answer is A. Grant the `SELECT privilege on the 'SALES DB.PUBLIC.ORDERS table to a custom role, then. Note: The answer choices are truncated in your question, so this explanation is based on the Snowflake concepts being tested rather than the full option text. Option A is correct because the proper solution combines three elements: granting SELECT on the table to a custom role (f

Snowflake Account and Security

Question

A data engineer needs to grant a group of analysts the ability to query data in the 'SALES DB.PUBLIC.ORDERS table, but prevent them from seeing any personally identifiable information (PII) in the 'CUSTOMER NAME column. Furthermore, the analysts should be able to create temporary tables based on the data. Which of the following steps would BEST accomplish this?

Options

  • AGrant the `SELECT privilege on the 'SALES DB.PUBLIC.ORDERS table to a custom role, then
  • BGrant the 'SELECT privilege on the 'SALES DB.PUBLIC.ORDERS table and 'CREATE
  • CGrant the `SELECT privilege on the 'SALES DB.PUBLIC.ORDERS table to a custom role, create a
  • DGrant the `SELECT privilege on the 'SALES DB.PUBLIC.ORDERS table to a custom role. Create
  • EGrant the `SELECT privilege on the 'SALES DB.PUBLIC.ORDERS table to a custom role. Create

How the community answered

(31 responses)
  • A
    65% (20)
  • B
    19% (6)
  • C
    3% (1)
  • D
    10% (3)
  • E
    3% (1)

Explanation

Note: The answer choices are truncated in your question, so this explanation is based on the Snowflake concepts being tested rather than the full option text.

Option A is correct because the proper solution combines three elements: granting SELECT on the table to a custom role (following least-privilege RBAC), applying a dynamic data masking policy to the CUSTOMER_NAME column (which hides PII for unauthorized roles without altering the underlying data), and granting CREATE TEMPORARY TABLE on the schema to allow analysts to build temp tables.

The distractors likely fail in one of these ways: B probably grants CREATE TABLE broadly instead of the more restricted CREATE TEMPORARY TABLE, violating least privilege. C may use a view to hide the column - views work but are a heavier solution and don't dynamically adapt per role like masking policies do. D likely applies row access policies instead of column masking - row policies filter rows, not column values. E may grant privileges at the wrong object level (e.g., database instead of schema) or skip the masking policy entirely.

Memory tip: Think "MCT" - Mask the column (dynamic data masking policy), Custom role for access control, Temporary table privilege only. If any of those three pieces is missing or substituted (view instead of mask, broad CREATE TABLE instead of temp), the option is wrong.

Topics

#RBAC#Data Masking#Column-Level Security#Dynamic Masking Policy

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice