SNOWPRO-CORE-C03 Practice Questions: Account Management and Data Governance Domain
Test your knowledge in the Account Management and Data Governance domain with these 10 practice questions. Each question is designed to help you prepare for the SNOWPRO-CORE-C03 certification exam with detailed explanations to reinforce your learning.
Question 1
Your organization replicates the PROD_DB database from a primary Snowflake account to a secondary account in another region for disaster recovery. The replication runs successfully and all tables appear in the secondary account. However, analysts in the secondary account cannot query any tables, even though they can query the same objects in the primary account. What is the most likely reason, and how should you fix it?
Correct Answer: B
Correct answer (B): Snowflake database replication copies selected database objects and data but does not replicate users, roles, or all account-level settings. As a result, analysts in the secondary account lack the necessary roles and grants even though the data is present. You must create equivalent roles and grant appropriate privileges in the secondary account to enable access.
Why the other options are wrong:
- Option A: While warehouses are required to run queries, the question does not indicate warehouses are missing, and simply creating them would not resolve missing grants. The key issue is security configuration, not compute.
- Option C: Replication does not place tables into Fail-safe in a way that blocks normal querying. Fail-safe is only relevant for recovering dropped data, not for replicated, active tables.
- Option D: Time Travel is about historical data access and UNDROP capabilities, not about basic SELECT on current data. Disabling Time Travel would not prevent analysts from querying replicated tables.
Question 2
A data governance team wants a scalable way to protect all personally identifiable information (PII) columns across multiple Snowflake databases. Requirements:
- Sensitive columns (e.g., EMAIL, PHONE, SSN) must be identified centrally.
- Analysts should see masked values for all PII by default.
- Privileged roles (e.g., PRIV_PII_ACCESS) should see real values.
- The mechanism should work consistently even as new PII columns are added in different schemas.
Which approach best satisfies these requirements?
Correct Answer: A
Correct answer (A): Tagging PII columns provides centralized classification, and column-level masking policies can be attached to those columns to enforce dynamic masking based on session context (such as the current role). As new columns are tagged as PII, applying the masking policy to them ensures consistent protection, while privileged roles can be allowed to see unmasked values.
Why the other options are wrong:
- Option B: Secure views can hide or transform columns, but managing a separate view for every table and updating them for every new PII column is not scalable. Additionally, this approach does not inherently provide dynamic unmasking for privileged roles without complex view logic.
- Option C: Row access policies filter rows, not individual column values, and do not inherently target "PII" columns across schemas. Hiding entire rows with any PII is overly restrictive and not aligned with the requirement to mask only specific columns.
- Option D: Tags alone provide metadata and classification but do not enforce security. Without masking policies or other enforcement, PII would still appear in clear text in query results.
Question 3
A global retailer stores customer transactions in a single Snowflake table with columns including CUSTOMER_EMAIL and REGION. Requirements are:
- Users should see only rows for the REGIONs they are authorized for.
- Within the rows they are allowed to see, only users with a PRIVILEGED role should see full CUSTOMER_EMAIL values; others should see masked emails.
- The governance team also wants to tag CUSTOMER_EMAIL as PII for reporting.
Which combination of Snowflake features best satisfies all these requirements?
Correct Answer: B
Correct answer (B): Row access policies are designed to filter which rows are returned (e.g., by REGION), while masking policies operate at the column level and can conditionally mask CUSTOMER_EMAIL based on the user’s role. Tags provide governance metadata like PII classification. Using a row access policy plus a masking policy and a PII tag meets all three requirements precisely.
Why the other options are wrong:
- Option A: Masking policies cannot filter rows; they only transform column values. Row-level filtering must be handled by a row access policy or equivalent logic, not by masking alone.
- Option C: Tags do not enforce access control or masking on their own. They are metadata only and cannot implement row filtering or column masking without additional policies or processes.
- Option D: A secure view can mask CUSTOMER_EMAIL but does not inherently provide row-level filtering by REGION without additional logic. Tags also do not enforce row filtering. This option does not fully address the region-based row restriction requirement.
Question 4
A QA team needs a stable copy of the current PROD database to run destructive tests against schemas and tables without affecting production workloads. They want the copy to be created quickly and without doubling storage immediately. Which Snowflake feature should they use?
Correct Answer: A
Correct answer (A): Zero-copy cloning creates a logical copy of the database at a point in time without immediate full data duplication. The QA team gets an isolated environment that can be altered independently, and additional storage is only consumed as data diverges between the original and the clone, making it ideal for destructive testing on a production snapshot.
Why the other options are wrong:
- Option B: Time Travel allows querying historical data but does not provide an isolated, writable copy for destructive tests. Running tests directly on production tables is risky and does not meet the requirement.
- Option C: Fail-safe is a last-resort recovery mechanism controlled by Snowflake and not intended for routine environment creation or QA use. It cannot be used on demand for this purpose.
- Option D: Replication is used for cross-account or cross-region business continuity and creates physical copies of data, which is more complex and typically doubles storage. It is not the simplest or most cost-effective way to create frequent QA snapshots.
Question 5
A role BI_ROLE in a Snowflake account was granted SELECT on future tables in the SALES.PUBLIC schema using:
    GRANT SELECT ON FUTURE TABLES IN SCHEMA SALES.PUBLIC TO ROLE BI_ROLE;
New tables created in SALES.PUBLIC are accessible to BI_ROLE, but existing tables created before the grant are not. BI analysts are asking for access to all current and future tables in this schema. What should the administrator do to fix this with minimal changes?
Correct Answer: A
Correct answer (A): Future grants only apply to objects created after the future grant is defined and do not retroactively change privileges on existing objects. To give BI_ROLE access to existing tables, the administrator must grant SELECT on all current tables explicitly, and keep the existing future grant so that new tables remain automatically accessible.
Why the other options are wrong:
- Option B: Re-running the future grant does not affect existing tables; future grants only apply to objects created after the grant is defined.
- Option C: Time Travel controls access to historical versions of data, not current privileges. It does not change which roles can access present-day tables.
- Option D: Transferring OWNERSHIP would give BI_ROLE full control over the schema, violating least-privilege and governance practices. It is not required just to provide read access.
Question 6
A platform team wants to provide a TEST environment that closely matches PROD data for troubleshooting and performance testing. Requirements are:
- TEST must start as a copy of PROD but allow independent DML without affecting PROD.
- Initial storage overhead should be minimal.
- TEST is in the same Snowflake account and region as PROD.
Which approach best meets these requirements?
Correct Answer: B
Correct answer (B): Zero-copy cloning creates a logical copy that initially shares physical storage with the source, incurring minimal extra storage. The TEST clone can then diverge via DML without impacting PROD, all within the same account and region.
Why the other options are wrong:
- Option A: Restoring PROD via Time Travel would affect the production database itself rather than creating an independent TEST environment, and is not intended for creating long-lived test copies.
- Option C: Replication is primarily for cross-region or cross-account DR and creates read-only replicas until failover. It adds unnecessary complexity and does not directly support independent DML in the same account and region.
- Option D: Secure views queried from TEST would still access PROD data directly and not allow independent DML in TEST. This does not create a separate environment with its own data lifecycle.
Question 7
A table SALES.TRANSACTIONS is owned by role ETL_OWNER. Role ANALYTICS_ADMIN has been granted ALL privileges on the table, but users with ANALYTICS_ADMIN cannot transfer ownership of the table to a new role BI_OWNER. What change is required to allow ANALYTICS_ADMIN to transfer ownership?
Correct Answer: B
Correct answer (B): In Snowflake, only the owning role (or a sufficiently privileged role like ACCOUNTADMIN) can transfer object ownership. Having ALL privileges via GRANT does not confer ownership. The table must first be owned by ANALYTICS_ADMIN before it can transfer ownership to BI_OWNER.
Why the other options are wrong:
- Option A: Schema-level privileges such as ALL on the schema still do not change table ownership. Ownership is distinct from privileges and controls who can transfer ownership.
- Option C: Granting ACCOUNTADMIN is unnecessarily powerful and violates least-privilege principles. It is not required if the current owner (ETL_OWNER) or ACCOUNTADMIN simply adjusts ownership appropriately.
- Option D: Tags are metadata and do not affect object ownership or the ability to transfer ownership.
Question 8
A company has applied a TAG PII='TRUE' to dozens of columns across multiple databases. Audits show these columns are still returned in cleartext for many roles. The governance team wants a scalable solution so that any column tagged as PII is dynamically masked for most users but remains clear for a small set of privileged roles. What is the best Snowflake-native approach?
Correct Answer: B
Correct answer (B): Tags are metadata and do not enforce security by themselves. The scalable pattern is to define masking policies that inspect context (for example, role) and, optionally, tag metadata, and to apply these policies to PII-tagged columns so that data is dynamically masked for non-privileged roles.
Why the other options are wrong:
- Option A: Tags alone do not enforce access control or masking; they must be combined with policies or processes. Leaving only tags in place will not change query results.
- Option C: Row access policies control which rows are visible, not column masking. They do not directly leverage column tags for masking PII within returned rows.
- Option D: Replication is used for cross-region or cross-account copies and disaster recovery, not primarily to implement column-level masking. It adds complexity and cost without solving the column-level masking requirement in the primary account.
Question 9
A security team must ensure that users can access Snowflake only from the organization’s corporate VPN IP ranges, regardless of whether they use the web UI, JDBC/ODBC, or other clients. Which Snowflake feature should they use to enforce this requirement?
Correct Answer: A
Correct answer (A): Network policies in Snowflake define allowed and blocked IP address ranges and can be applied at the account and user level. They affect all access methods, including UI and drivers, making them the correct mechanism to restrict access to the corporate VPN IP ranges.
Why the other options are wrong:
- Option B: USAGE grants on warehouses control which roles can use a warehouse, not from where they can connect. They cannot enforce IP-based restrictions.
- Option C: Row access policies control row visibility in query results; they do not block connections or restrict IP-based access.
- Option D: Masking policies obfuscate column values for certain users or roles, but they do not enforce network-level access restrictions.
Question 10
A governance lead defines a TAG named DATA_CLASSIFICATION with values such as 'PII' and 'INTERNAL' and applies it to several columns in multiple tables. After applying the tags, they notice that users can still query and see full values in all tagged columns without any masking or restrictions. What does this behavior indicate about how tags work in Snowflake?
Correct Answer: A
Correct answer (A): In Snowflake, tags are key–value metadata used for classification and governance. Applying a tag does not change access control or automatically mask data. Enforcement must be implemented via masking policies, row access policies, views, or external processes that interpret tags.
Why the other options are wrong:
- Option B: Time Travel retention is configured at the object level and is unrelated to tags. Tags do not affect how dropped data is retained or recovered.
- Option C: Tags do not transform objects into secure views or change how data is presented. Secure views must be explicitly created and managed.
- Option D: Tags do not override grants or restrict access to only ACCOUNTADMIN. Existing RBAC grants continue to control who can see data.