SOL-C01 · Question #58
You are working with a table named 'EMPLOYEES in the 'PUBLIC' schema of the 'COMPANY DATA' database. The table contains sensitive Personally Identifiable Information (PII). You need to implement Dynam
The correct answer is B. Create a masking policy for the `EMAIL' column that uses the 'MASK' function with a condition to D. Create a masking policy for the 'SALARY column that uses the 'MASK function with a condition to. B and D are correct because Snowflake's Dynamic Data Masking requires policies that include a role-based condition (using CURRENT_ROLE() or IS_ROLE_IN_SESSION()) so that privileged roles like DATA_ADMIN receive the actual column value while all others receive a masked or substitu
Question
You are working with a table named 'EMPLOYEES in the 'PUBLIC' schema of the 'COMPANY DATA' database. The table contains sensitive Personally Identifiable Information (PII). You need to implement Dynamic Data Masking to protect the 'EMAIL' and 'SALARY columns, ensuring that only users with the 'DATA ADMIN' role can view the actual values, while others see masked values for 'EMAIL' and a fixed value of '$' for 'SALARY'. Which of the following steps are required to achieve this? (Select all that apply)
Options
- ACreate a masking policy for the 'EMAIL' column that uses the 'MASK function and applies it to the
- BCreate a masking policy for the `EMAIL' column that uses the 'MASK' function with a condition to
- CCreate a masking policy for the `SALARY column that always returns '$' and applies it to the
- DCreate a masking policy for the 'SALARY column that uses the 'MASK function with a condition to
- EGrant the 'APPLY MASKING POLICY privilege to the DATA ADMINS role.
How the community answered
(22 responses)- A5% (1)
- B55% (12)
- C27% (6)
- E14% (3)
Explanation
B and D are correct because Snowflake's Dynamic Data Masking requires policies that include a role-based condition (using CURRENT_ROLE() or IS_ROLE_IN_SESSION()) so that privileged roles like DATA_ADMIN receive the actual column value while all others receive a masked or substitute value - this conditional logic is the entire mechanism that makes DDM work as intended.
A is wrong because it applies masking unconditionally to EMAIL with no role check, meaning even DATA_ADMIN would see masked values - violating the requirement that admins see real data. C is wrong for the same reason applied to SALARY: always returning '$' with no condition means DATA_ADMIN would also be blocked from the real salary. E is wrong because APPLY MASKING POLICY is the privilege needed to attach a policy to a column (a DDL-level operation for whoever manages policies), not a privilege that controls whether a role sees masked or unmasked data - that access is governed entirely by the condition written inside the policy itself.
Memory tip: Think of a masking policy as a conditional expression, not a permission gate. The policy's CASE WHEN CURRENT_ROLE() = 'DATA_ADMIN' THEN actual_value ELSE masked_value END is what grants visibility - no separate GRANT to DATA_ADMIN is needed for viewing. APPLY MASKING POLICY only matters for whoever attaches the policy to the column (the security admin), not for whoever reads through it.
Topics
Community Discussion
No community discussion yet for this question.