0
0
Snowflakecloud~20 mins

Column-level security with masking policies in Snowflake - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
Masking Policy Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
service_behavior
intermediate
2:00remaining
How does a masking policy affect query results?

Consider a masking policy applied to a column in Snowflake. What happens when a user without the required role queries that column?

AThe user sees the original data without any changes.
BThe user sees masked or obfuscated data as defined by the masking policy.
CThe query fails with an access denied error.
DThe user sees NULL values for that column.
Attempts:
2 left
💡 Hint

Think about what masking means: hiding or changing data for unauthorized users.

Configuration
intermediate
2:00remaining
Identify the correct syntax to create a masking policy

Which of the following SQL statements correctly creates a masking policy in Snowflake that masks a column's value to '****' for unauthorized users?

ACREATE MASKING POLICY mask_ssn AS (val STRING) RETURNS STRING -> CASE WHEN CURRENT_ROLE() IN ('FULL_ACCESS') THEN val ELSE '****' END;
BCREATE MASKING POLICY mask_ssn (val STRING) RETURNS STRING AS CASE WHEN CURRENT_ROLE() = 'FULL_ACCESS' THEN val ELSE '****' END;
C;DNE '****' ESLE lav NEHT )'SSECCA_LLUF'( NI )(ELOR_TNERRUC NEHW ESAC >- GNIRTS SNRUTER )GNIRTS lav( SA nss_ksam YCILOP GNIKSAM ETAERC
DCREATE MASKING POLICY mask_ssn AS (val STRING) RETURNS STRING -> CASE WHEN CURRENT_ROLE() = 'FULL_ACCESS' THEN val ELSE '****' END;
Attempts:
2 left
💡 Hint

Look for correct use of 'IN' operator and arrow '->' syntax.

Architecture
advanced
2:00remaining
Best practice for applying masking policies in multi-role environments

In an environment with multiple user roles, what is the best practice for applying masking policies to protect sensitive columns?

AApply a single masking policy that masks data for all roles except the highest privileged role.
BCreate multiple masking policies for each role and apply them all to the same column.
CApply masking policies only on views, not on base tables.
DAvoid masking policies and rely solely on role-based access control on tables.
Attempts:
2 left
💡 Hint

Think about simplicity and maintainability in role management.

security
advanced
2:00remaining
What happens if a masking policy references a non-existent role?

If a masking policy's CASE expression checks for a role that does not exist in Snowflake, what is the effect when the policy is applied?

AThe masking policy fails to create with an error about the invalid role.
BThe policy causes queries to fail with a runtime error when applied.
CThe policy ignores the invalid role and masks data only for existing roles.
DThe policy works but the role check always evaluates to false, masking data for all users.
Attempts:
2 left
💡 Hint

Consider how role checks are evaluated at runtime.

🧠 Conceptual
expert
2:00remaining
Order of evaluation in masking policies with multiple conditions

Given this masking policy snippet:
CASE WHEN CURRENT_ROLE() IN ('ADMIN') THEN val WHEN CURRENT_ROLE() IN ('AUDITOR') THEN 'REDACTED' ELSE NULL END
What will a user with the 'AUDITOR' role see when querying the masked column?

ANULL value.
BAn error because multiple roles are checked.
CThe string 'REDACTED'.
DThe original value of the column.
Attempts:
2 left
💡 Hint

Think about how CASE statements evaluate conditions in order.