GCP Professional Cloud Security Engineer Practice Question
Your organization stores employee records in a BigQuery table. All staff must be able to run existing queries on the table, but only members of the "hr-analysts" group should see the SSN and Salary columns. Other users must receive NULLs for those two columns without modifying any queries or creating additional views. Which approach meets the requirement while following Google-recommended practices for column-level security?
Apply a row-level security policy that filters out SSN and Salary for non-HR users.
Encrypt the SSN and Salary columns with a dedicated CMEK key and grant Cloud KMS access only to the hr-analysts group.
Create a Data Catalog taxonomy, assign policy tags to the SSN and Salary columns, and grant roles/datacatalog.categoryFineGrainedReader on those policy tags to the hr-analysts group only.
Build an authorized view that omits SSN and Salary, share that view with all users, and revoke access to the underlying table.
BigQuery column-level security relies on Data Catalog policy tags. By creating a taxonomy, tagging the SSN and Salary columns, and granting the hr-analysts group the Data Catalog fine-grained reader role (roles/datacatalog.categoryFineGrainedReader) on those tags, only that group can read the tagged columns. Everyone else retains their existing table access but receives NULLs for the restricted columns. Authorized views, row-level security, or CMEK key permissions do not provide transparent, policy-based column masking for this scenario.
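An added example, not part of the original question or any Google code: a short Python audit of the setup described above, checking that each sensitive column carries a policy tag and that only the intended group holds roles/datacatalog.categoryFineGrainedReader directly on that tag. The schema, the tag resource name, the group email address and the extra user are constructed sample values; grants inherited from the taxonomy or project and nested RECORD fields are out of scope.

```python
"""Audit a BigQuery table schema for policy-tag column-level security."""

FINE_GRAINED_READER = "roles/datacatalog.categoryFineGrainedReader"

# Constructed sample data. The schema uses the JSON shape printed by
# `bq show --schema`; project, location and numeric IDs are placeholders.
TAG_PII = "projects/example-project/locations/us/taxonomies/111/policyTags/222"
SCHEMA = [
    {"name": "employee_id", "type": "INTEGER"},
    {"name": "name", "type": "STRING"},
    {"name": "ssn", "type": "STRING", "policyTags": {"names": [TAG_PII]}},
    {"name": "salary", "type": "NUMERIC"},  # deliberately left untagged
]
# Constructed IAM policies, keyed by policy tag resource name.
TAG_IAM = {
    TAG_PII: {"bindings": [
        {"role": FINE_GRAINED_READER,
         "members": ["group:hr-analysts@example.com",      # assumed address
                     "user:temp-contractor@example.com"]},  # stray grant
    ]},
}

def fine_grained_readers(tag, tag_iam):
    """Members holding Fine-Grained Reader directly on one policy tag."""
    members = set()
    for binding in tag_iam.get(tag, {}).get("bindings", []):
        if binding.get("role") == FINE_GRAINED_READER:
            members.update(binding.get("members", []))
    return members

def audit(schema, tag_iam, sensitive, allowed):
    """Return (column, issue) findings for the sensitive columns."""
    findings = []
    for field in schema:
        if field["name"] not in sensitive:
            continue
        tags = field.get("policyTags", {}).get("names", [])
        if not tags:
            findings.append((field["name"], "untagged"))
            continue
        for tag in tags:
            for member in sorted(fine_grained_readers(tag, tag_iam) - allowed):
                findings.append((field["name"], f"unexpected reader {member}"))
    return findings

if __name__ == "__main__":
    for column, issue in audit(SCHEMA, TAG_IAM, {"ssn", "salary"},
                               {"group:hr-analysts@example.com"}):
        print(f"{column}: {issue}")
```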
GCP Professional Cloud Security Engineer
Ensuring data protection