Question 28

Your organization is standardizing data protection across hundreds of tables in a catalog named `finance`. Today, every table that contains a Social Security Number has a separate, manually applied column mask, and new tables are frequently created without one. You want a single, centrally managed mechanism that automatically masks any column classified as an SSN — including columns in tables created in the future — without editing each table. A governance admin defines the following: ```sql -- A governed tag taxonomy is defined at the account level: pii = { ssn, email, phone_number } -- A data steward tags SSN columns with the governed tag value pii = ssn CREATE OR REPLACE FUNCTION finance.security.redact_ssn(ssn STRING) RETURNS STRING RETURN '***-**-****'; CREATE POLICY redact_ssn_policy ON SCHEMA finance.customers COLUMN MASK finance.security.redact_ssn TO `account users` FOR TABLES MATCH COLUMNS has_tag_value('pii', 'ssn') AS ssn_col ON COLUMN ssn_col; ``` Which statement best describes how this attribute-based access control (ABAC) approach behaves?

• AThe policy applies only to tables that exist at the moment it is created; tables added later must be re-tagged and the policy must be recreated to cover them.
• BThe policy is evaluated dynamically: any current or future table in the `finance.customers` schema whose column carries the governed tag value `pii = ssn` is automatically masked by `redact_ssn`, with no per-table configuration.
• CABAC policies require ungoverned (workspace-scoped) tags; the account-level governed tag will be ignored and the policy will mask nothing.
• DBecause the policy is attached at the schema level, it overrides and disables any table-level column masks, but it cannot itself mask columns based on tags.