Your analytics team uses Looker Studio to analyze a BigQuery table that includes two PII columns, customer_email and credit_card. Only the Fraud Analysis group may view these columns; all other users must still query the table but never see PII. A Data Catalog taxonomy named PII_Taxonomy with a policy tag called Sensitive_PII already exists, and more PII columns may be added later. With minimal ongoing maintenance and no changes to existing queries or dashboards, how should you enforce this requirement?
Permanently tokenize the PII columns with Cloud Data Loss Prevention before loading the data so all analysts can query the tokenized table safely.
Attach the Sensitive_PII policy tag to the PII columns and grant the Fraud Analysis group the roles/datacatalog.categoryFineGrainedReader role on that policy tag; no other changes are required.
Create an authorized view that excludes the PII columns and direct all non-privileged analysts to query the view instead of the base table.
Enable row-level security on the table and define a filter that removes PII columns for users outside the Fraud Analysis group.
Attach the Sensitive_PII policy tag to the PII columns and grant the Fraud Analysis group the Data Catalog role roles/datacatalog.categoryFineGrainedReader on that policy tag. This role includes the permission that BigQuery checks (datacatalog.policyTagUser), so authorized users see actual values while everyone else receives NULLs, allowing all existing SQL and dashboards to continue functioning. Authorized views would require separate objects to be created and updated for every schema change, row-level security cannot hide individual columns, and irreversible tokenization would prevent even authorized users from seeing real PII.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a policy tag in Data Catalog?
Open an interactive chat with Bash
How does the roles/datacatalog.categoryFineGrainedReader role work?
Open an interactive chat with Bash
What is the advantage of using Data Catalog for column-level access control?
Open an interactive chat with Bash
What is the purpose of a policy tag in Google Data Catalog?
Open an interactive chat with Bash
How does the roles/datacatalog.categoryFineGrainedReader role work in enforcing PII column security?
Open an interactive chat with Bash
Why is attaching a policy tag preferred over options like authorized views or row-level security in this scenario?
Open an interactive chat with Bash
GCP Professional Data Engineer
Preparing and using data for analysis
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .