Your organization stores transaction data in BigQuery. The cc_number column holds 16-digit credit-card numbers. Analysts build Looker Studio dashboards that only need the last four digits, while internal auditors must see the complete value. Analysts should automatically receive a masked value such as --****-1234, and auditors should see the unmasked value without changing their SQL or reports. Enforcement must occur at query time with minimal ongoing maintenance. Which approach best meets these requirements?
Create an authorized view that uses REGEXP_REPLACE to redact the first 12 digits and give analysts access to the view while auditors query the base table directly.
Run a recurring Dataflow job that copies the table to a separate masked dataset for analysts and keep auditors pointed to the original dataset.
Attach a data masking policy tag that reveals only the last four digits to the cc_number column, grant analysts roles/bigquery.maskedReader on that tag, and grant auditors roles/bigquery.unmaskedReader (or higher) so they bypass the mask.
Enable column-level access control on cc_number and grant auditors the policy tag user role while denying analysts any policy-tag roles.
Dynamic data masking lets BigQuery rewrite queries at execution time and apply a masking rule defined in a policy tag that is attached to a sensitive column. Granting analysts the roles/bigquery.maskedReader role on that tag causes their queries- including those issued by Looker Studio through the BigQuery API- to return masked results. Auditors who have a role with bigquery.tables.getData (for example, roles/bigquery.dataViewer) and also hold roles/bigquery.unmaskedReader on the same tag bypass the mask and see raw data. Because the masking rule resides in the policy tag, no additional views, pipelines, or SQL changes are required, and enforcement remains centralized with minimal maintenance. The other options rely on manual views, data duplication, or access denial rather than policy-based masking.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is dynamic data masking in BigQuery?
Open an interactive chat with Bash
How do policy tags work in BigQuery?
Open an interactive chat with Bash
What is the difference between roles/bigquery.maskedReader and roles/bigquery.unmaskedReader?
Open an interactive chat with Bash
What is a BigQuery data masking policy tag?
Open an interactive chat with Bash
How does Looker Studio integrate with BigQuery for dynamic data masking?
Open an interactive chat with Bash
Why is minimal ongoing maintenance important for data masking in BigQuery?
Open an interactive chat with Bash
GCP Professional Data Engineer
Preparing and using data for analysis
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .