Your company stores PII-bearing CSV files in dozens of Cloud Storage buckets owned by different business units and streams transactional data into several BigQuery datasets located in separate projects. The CISO wants a single control plane that automatically catalogs every asset, classifies sensitive columns, and lets the security team enforce tag-based column-level access without moving or copying the underlying data. At the same time, each business unit must continue owning its own data products. Which architecture best satisfies these requirements?
Enable Cloud Asset Inventory feeds and trigger Cloud Functions that add IAM conditions on every bucket and dataset containing PII, letting the security team manage separate policies in each project.
Copy all PII files into a single Cloud Storage bucket protected by CMEK, convert them into BigQuery managed tables, apply BigQuery column-level security there, and decommission the source buckets afterward.
Create a Dataplex lake spanning the existing projects and onboard each bucket and BigQuery dataset with automatic metadata discovery. Grant the security team the Lake Admin role plus Data Catalog TagTemplate Admin (or Taxonomy Admin) so they can centrally create and apply policy tags to PII columns, while each business unit retains Asset Owner permissions on its buckets and datasets.
Expose each bucket through BigLake external tables and rely on per-project BigQuery row-level security combined with VPC Service Controls to restrict PII access.
Dataplex can onboard existing Cloud Storage buckets and BigQuery datasets as assets without relocating data. After onboarding, Dataplex automatically discovers and publishes metadata to Data Catalog. A central security team that holds both the Dataplex Lake Admin role (for managing the lake and its assets) and a Data Catalog TagTemplate Admin/Taxonomy Admin role (for creating and assigning policy tags) can apply tag-based column-level controls that BigQuery enforces. Business units keep Owner roles on their own buckets and datasets, preserving local stewardship while governance is centralized. The other options either require custom scripting, force data consolidation, or lack integrated tag-based column security, so they do not meet all stated requirements.
GCP Professional Data Engineer
Storing the data