Your company operates a healthcare data marketplace built on BigQuery Analytics Hub. You must publish a daily Cloud Storage CSV containing admissions data to an external research partner. Compliance requires that the partner:
never receives direct access to the Cloud Storage objects,
can query the table only for rows where hospital_region = "EMEA",
cannot see the columns patient_ssn and patient_email. Which approach best meets all requirements while minimizing operational overhead?
Copy the CSV into a separate project, partition the table by region, delete non-EMEA partitions, and send the partner a signed URL to the sanitized dataset each day.
Publish the Cloud Storage bucket as an object listing in Analytics Hub and rely on dynamic data masking policies to hide the PII columns at query time; grant the partner storage.objectViewer on the bucket and analyticshub.subscriber.
Create a BigLake external table on the CSV, attach a row-level security policy restricting hospital_region = "EMEA", apply policy tags to mask patient_ssn and patient_email, and publish the table in an Analytics Hub listing; grant the partner the analyticshub.subscriber role only.
Load the CSV into a native BigQuery table, create an authorized view that filters the EMEA rows, exclude the PII columns from the view, and share that view in an Analytics Hub listing; grant the partner bigquery.dataViewer on the dataset.
Publishing the external table as a BigLake table through Analytics Hub keeps the data in Cloud Storage but lets subscribers query it through BigQuery. Row-level security policies can filter the dataset for the EMEA region, and policy-tag-based column-level security masks the PII columns. Granting the partner the analyticshub.subscriber role on the data exchange lets them subscribe, while they still lack IAM permission on the Cloud Storage bucket. Authorized views or data copies would satisfy some but not all constraints and introduce extra maintenance, and dynamic data masking alone does not stop full table scans or hide the storage objects.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a BigLake table in GCP?
Open an interactive chat with Bash
How do row-level security policies work in BigQuery?
Open an interactive chat with Bash
What are policy tags in BigQuery and how are they used for column-level security?
Open an interactive chat with Bash
What is a BigLake external table?
Open an interactive chat with Bash
How do row-level security policies work in BigQuery?
Open an interactive chat with Bash
What are policy tags and how do they mask columns in BigQuery?
Open an interactive chat with Bash
GCP Professional Data Engineer
Preparing and using data for analysis
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .