SnowPro Advanced Architect Exam

Exam SnowPro Advanced Architect All QuestionsBrowse all questions from this exam

Question 93

How can the Snowflake context functions be used to help determine whether a user is authorized to see data that has column-level security enforced? (Choose two.)

Set masking policy conditions using CURRENT_ROLE targeting the role in use for the current session.

Set masking policy conditions using IS_ROLE_IN_SESSION targeting the role in use for the current account.

Set masking policy conditions using INVOKER_ROLE targeting the executing role in a SQL statement.

Determine if there are OWNERSHIP privileges on the masking policy that would allow the use of any function.

Assign the ACCOUNTADMIN role to the user who is executing the object.

Correct Answer: A, B

The Snowflake context functions can be used to set conditional masking policies based on the role of the user executing the SQL statement. The CURRENT_ROLE function can specify masking conditions based on the role that is currently active in the session, ensuring that only authorized roles can view sensitive data. The IS_ROLE_IN_SESSION function can be used to check if a specific role is part of the user's active role hierarchy for the session, allowing column-level security enforcement based on the user's assignment to specific roles. These functions help dynamically control access to data depending on the user's authorization level.

Discussion

MSIDDIQUI18Options: AC

The following examples show how to use the INVOKER_ROLE in a masking policy SQL expression. Return NULL for unauthorized users: CREATE OR REPLACE MASKING POLICY mask_string AS (val string) RETURNS string -> CASE WHEN INVOKER_ROLE() IN ('ANALYST') THEN val ELSE NULL END;

MSIDDIQUI18Options: AC

A: The CURRENT_ROLE() context function returns the role currently active for the session. Masking policies can be configured to apply based on the current role, allowing different views of data based on the user's role. C: The INVOKER_ROLE() context function returns the role that invoked the function or SQL statement. This allows masking policies to dynamically apply based on the role executing the query, ensuring data security based on the user's permissions.

67422cbOptions: AC

Which you then use to determine whether the column is visible in a data masking arrangement. Why can't B be used?

Atomic_GeckoOptions: AC

Changing to A & C. Although C isn't recommended, it is the more accurate description. For B the documentation states: Verifies whether the account role is in the user’s active primary or secondary role hierarchy for the session or if the specified column contains a role that is in the user’s active primary or secondary role hierarchy for the session.

Atomic_GeckoOptions: AB

A & B are correct answers