Professional Data Engineer Exam QuestionsBrowse all questions from this exam
Go to Exam

Professional Data Engineer Exam - Question 217

You have a BigQuery table that contains customer data, including sensitive information such as names and addresses. You need to share the customer data with your data analytics and consumer support teams securely. The data analytics team needs to access the data of all the customers, but must not be able to access the sensitive data. The consumer support team needs access to all data columns, but must not be able to access customers that no longer have active contracts. You enforced these requirements by using an authorized dataset and policy tags. After implementing these steps, the data analytics team reports that they still have access to the sensitive columns. You need to ensure that the data analytics team does not have access to restricted data. What should you do? (Choose two.)

Show Answer
Correct Answer: BE

To ensure that the data analytics team does not have access to restricted data, first remove the Data Catalog Fine-Grained Reader role from their permissions. This role allows users to read metadata restricted by policy tags, potentially enabling access to sensitive data. Enforcing access control in the policy tag taxonomy is also necessary to ensure that security policies are properly applied to the data columns, effectively restricting access to sensitive information based on the defined tags.

Discussion

9 comments
Sign in to comment
qq589539483084gfrgrgfrOptions: BE
Jan 8, 2024

Option B & E

datapassionateOption: E
Jan 15, 2024

B& E https://cloud.google.com/bigquery/docs/column-level-security-intro

raaadOption: B
Jan 4, 2024

- The Data Catalog Fine-Grained Reader role allows users to read metadata that is restricted by policy tags. - If members of the data analytics team have this role, they might bypass the restrictions set by policy tags. - Ensuring they do not have this role will help enforce the restrictions intended by the policy tags.

MaxNRGOption: A
Jan 8, 2024

A & B The current setup is not effective because the data analytics team still has access to the sensitive columns despite using an authorized dataset and policy tags. This indicates that the policy tags are not being enforced properly, and the data analytics team members are able to view the tags and gain access to the sensitive data. Separating the data into two distinct authorized datasets is a better approach because it isolates the sensitive data from the non-sensitive data. This prevents the data analytics team from accessing the sensitive columns directly, even if they have access to the authorized dataset for general customer data. Additionally, revoking the Data Catalog Fine-Grained Reader role from the data analytics team members ensures that they cannot view or modify the policy tags. This limits their ability to bypass the access control imposed by the authorized dataset and policy tags.

Matt_108
Jan 13, 2024

Max I feel like it's more B&E. I do agree on the revoking Data Catalog Fine-grained reader role to avoid the data analytics team to read policy tags metadata, but if the tags are setup as stated, it's just missing the enforcement of the policy tags themselves. Creating 2 auth dataset is not efficient on big datasets and Data catalog+ policy tags are built to manage these situations. Don't you agree?

GCP001Option: E
Jan 14, 2024

B & E B - It will ensure they don't have access to secure columns E- It will allow to enforce column level security Ref - https://cloud.google.com/bigquery/docs/column-level-security-intro

e70ea9eOption: B
Dec 30, 2023

Prevents data analytics team members from viewing sensitive data, even if it's tagged. Restricts access to policy tags themselves, ensuring confidentiality of sensitive information.

Matt_108Option: B
Jan 13, 2024

Option B& E to me

imiuOptions: BD
Jan 4, 2024

And the second answer? One is option B and the other is option D maybe?

LenifiaOption: A
Jul 6, 2024

the correct options are: A. Create two separate authorized datasets; one for the data analytics team and another for the consumer support team. C. Replace the authorized dataset with an authorized view. Use row-level security and apply filter_expression to limit data access.

Lenifia
Jul 6, 2024

Explanation of why other options are incorrect: B. Ensure that the data analytics team members do not have the Data Catalog Fine-Grained Reader role for the policy tags: This role relates to viewing data in Data Catalog based on policy tags, not directly controlling access to BigQuery data. D. Remove the bigquery.dataViewer role from the data analytics team on the authorized datasets: Removing this role would block all access to the dataset, which is too restrictive if they still need access to non-sensitive columns. E. Enforce access control in the policy tag taxonomy: While policy tags are used to enforce access controls, simply enforcing controls in the taxonomy does not directly address the issue of sensitive data access in BigQuery.