Google Cloud Professional Data Engineer — Question 143

You have a BigQuery table that contains customer data, including sensitive information such as names and addresses. You need to share the customer data with your data analytics and consumer support teams securely. The data analytics team needs to access the data of all the customers, but must not be able to access the sensitive data. The consumer support team needs access to all data columns, but must not be able to access customers that no longer have active contracts. You enforced these requirements by using an authorized dataset and policy tags. After implementing these steps, the data analytics team reports that they still have access to the sensitive columns. You need to ensure that the data analytics team does not have access to restricted data. What should you do? (Choose two.)

Answer options

• A. Create two separate authorized datasets; one for the data analytics team and another for the consumer support team.
• B. Ensure that the data analytics team members do not have the Data Catalog Fine-Grained Reader role for the policy tags.
• C. Replace the authorized dataset with an authorized view. Use row-level security and apply filter_expression to limit data access.
• D. Remove the bigquery.dataViewer role from the data analytics team on the authorized datasets.
• E. Enforce access control in the policy tag taxonomy.

Correct answer: B

Explanation

The correct answer is B because ensuring that the data analytics team members do not have the Data Catalog Fine-Grained Reader role for the policy tags will prevent them from accessing sensitive data. Options A and D do not address the issue of sensitive data access directly, and C, while it suggests a method to restrict data access, does not directly solve the problem presented. Option E is not sufficient on its own to ensure the analytics team is restricted from sensitive data.