Question 20

A `customers` table in Unity Catalog contains an `email` column. Compliance requires that only members of the account-level group `auditors` can see the full email address; all other users must see only the email domain (for example, `contoso.com`). You must implement this with a single Unity Catalog mechanism that returns the masked value at query time and works for SQL warehouse queries. You are deciding between a dynamic view and a table-level column mask. The team chooses a **column mask** so the protection follows the base table and does not require analysts to query a different object name. Which implementation correctly applies column-level masking? ```sql -- Candidate implementation CREATE FUNCTION email_mask(email STRING) RETURN CASE WHEN is_account_group_member('auditors') THEN email ELSE regexp_extract(email, '^.*@(.*)$', 1) END; ALTER TABLE customers ALTER COLUMN email SET MASK email_mask; ```

• ACreate a SQL UDF that returns the masked value using `is_account_group_member('auditors')`, then bind it to the column with `ALTER TABLE customers ALTER COLUMN email SET MASK email_mask`.
• BRun `GRANT SELECT (email) ON TABLE customers TO auditors` to restrict the column to auditors, since Unity Catalog supports per-column `GRANT`.
• CEncrypt the `email` column at rest with `aes_encrypt` and grant the decryption key only to `auditors`; column masks are not supported in Unity Catalog.
• DCreate a row filter function and apply it with `ALTER TABLE customers SET ROW FILTER email_mask ON (email)`, which hides the value for non-auditors.