SnowPro Core · 20% of the exam

Account access and security: free practice questions

5 sample questions from our 50-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Snowflake exam.

1. A developer accidentally drops a schema named RAW_DATA in the INGEST database. The SYSADMIN role owns the schema. Which role can execute UNDROP SCHEMA INGEST.RAW_DATA to restore it?

  • A. Any role that has the USAGE privilege on the INGEST database.
  • B. Only the ACCOUNTADMIN role.
  • C. Any role that currently has ownership of the INGEST database or a role higher in the hierarchy than SYSADMIN.
  • D. The role that owns the schema — SYSADMIN — or any role that inherits SYSADMIN's privileges.✓ Correct
Explanation

UNDROP requires the same privileges as CREATE on the parent object. Since SYSADMIN owns the schema, SYSADMIN (or any role that inherits SYSADMIN, such as ACCOUNTADMIN) can execute UNDROP SCHEMA. Option A is wrong because USAGE on a database does not grant the ability to undrop child schemas. Option B is wrong because ACCOUNTADMIN can do it, but it is not the *only* role — SYSADMIN can as well, so 'only ACCOUNTADMIN' is incorrect. Option C is wrong because ownership of the database is not the key privilege; ownership of or CREATE privilege on the schema's parent is what matters, and inheriting SYSADMIN (not just owning the database) is the relevant path.

2. A row access policy is attached to the ORDERS table. The policy is defined to return only rows where REGION = CURRENT_USER(). A user named 'ALICE' belonging to roles ANALYST and MANAGER runs a query. What determines which rows Alice sees?

  • A. The union of rows accessible by ANALYST role and rows accessible by MANAGER role.
  • B. All rows, because managers are always exempt from row access policies.
  • C. Only rows where the REGION column value equals the string 'ALICE', because the policy uses CURRENT_USER().✓ Correct
  • D. Only rows where the REGION column value equals the role name returned by CURRENT_ROLE().
Explanation

CURRENT_USER() returns the name of the authenticated user — 'ALICE' — regardless of which roles are active. Therefore the policy filters rows to those where REGION = 'ALICE'. Option A is wrong because row access policies do not union results across roles; the policy expression runs once per query using session context functions. Option B is wrong because row access policies apply to all users including those with managerial roles unless the policy expression explicitly exempts them. Option D is wrong because the policy as written uses CURRENT_USER(), not CURRENT_ROLE(); if the policy used CURRENT_ROLE() the answer would differ, but that is not what this policy does.

3. A financial services company must comply with a regulation requiring that no single user can both create data masking policies AND apply those policies to production tables. They want to enforce this separation of duties in Snowflake. Which approach CORRECTLY implements this control? (Select TWO.)

  • A. Create POLICY_ADMIN_ROLE and grant it CREATE MASKING POLICY ON SCHEMA; create POLICY_APPLY_ROLE and grant it APPLY MASKING POLICY ON ACCOUNT. Ensure no user holds both roles simultaneously.✓ Correct
  • B. Grant SECURITYADMIN to the policy creator and SYSADMIN to the policy applier, since these system roles are designed for separation of duties.
  • C. Use a single role to manage both creation and application, but require dual approval in an external ticketing system before any policy is applied.
  • D. Create POLICY_ADMIN_ROLE with CREATE MASKING POLICY privilege and POLICY_APPLY_ROLE with APPLY privilege on specific masking policies. Assign each role to different users/teams.✓ Correct
  • E. Set MASKING_POLICY_SEPARATION = TRUE at the account level to automatically enforce separation of duties for masking policy operations.
  • F. Revoke OWNERSHIP on masking policies from SYSADMIN and grant it only to POLICY_ADMIN_ROLE, then audit ACCOUNT_USAGE.POLICY_REFERENCES to detect violations.
Explanation

Option A is correct: Snowflake's privilege model allows separating the CREATE MASKING POLICY privilege (needed to define policies) from the APPLY MASKING POLICY privilege (needed to attach policies to columns). By assigning these to distinct roles held by distinct users, you enforce separation of duties natively within Snowflake. Option D is correct and is a more granular version of the same principle — creating separate roles with CREATE vs. APPLY privileges and assigning them to different personnel is the recommended Snowflake pattern for this compliance control. Option B is incorrect; SECURITYADMIN and SYSADMIN are powerful system roles that can both create AND apply policies, so assigning them to different users does not cleanly separate these specific duties and introduces other privilege concerns. Option C is incorrect; using an external ticketing system is a compensating control but does not enforce the separation at the Snowflake platform level — a user with both privileges could still bypass it. Option E is incorrect; there is no MASKING_POLICY_SEPARATION account parameter in Snowflake — this is a fabricated setting. Option F is incorrect; revoking SYSADMIN ownership and auditing via ACCOUNT_USAGE is a detective control, not a preventive one, and does not enforce the separation.

4. Which of the following are true about Snowflake's ACCOUNTADMIN system role? (Select TWO)

  • A. ACCOUNTADMIN is the only role that can create other system roles such as SYSADMIN and SECURITYADMIN.
  • B. ACCOUNTADMIN automatically inherits all privileges of SYSADMIN and SECURITYADMIN.✓ Correct
  • C. It is recommended to grant ACCOUNTADMIN to all users who need to create databases.
  • D. ACCOUNTADMIN can view account-level usage and billing information in SNOWFLAKE.ACCOUNT_USAGE.
  • E. A Snowflake account must have at least two users with the ACCOUNTADMIN role as a best practice.✓ Correct
Explanation

ACCOUNTADMIN sits at the top of the system role hierarchy and inherits all privileges from SYSADMIN and SECURITYADMIN, making option B correct. Snowflake recommends having at least two users assigned to ACCOUNTADMIN for emergency access purposes, making option E correct. Option A is wrong because system roles are created by Snowflake at account provisioning — ACCOUNTADMIN cannot create other system roles. Option C is wrong because best practice is to grant ACCOUNTADMIN sparingly and to use SYSADMIN for database creation. Option D is partially true in principle but is a distractor — it is SECURITYADMIN and ACCOUNTADMIN that manage governance, and the SNOWFLAKE database usage views are accessible to ACCOUNTADMIN, but this option is not among the two most accurate and distinguishing facts listed.

5. A company uses Snowflake OAuth with an external OAuth authorization server. A data scientist authenticates through OAuth and receives a token. The token includes the scope 'session:role:DATA_SCIENTIST_ROLE'. What does this scope control?

  • A. It grants the DATA_SCIENTIST_ROLE role to the user permanently in Snowflake.
  • B. It restricts the Snowflake session created with this token to use only the DATA_SCIENTIST_ROLE as the active primary role.✓ Correct
  • C. It allows the user to switch to any role that DATA_SCIENTIST_ROLE inherits within the Snowflake session.
  • D. It enables MFA bypass for the DATA_SCIENTIST_ROLE when authenticating via OAuth.
Explanation

The 'session:role:<role_name>' OAuth scope tells Snowflake to establish the session with the specified role as the primary role. It does not permanently grant the role — it only scopes the token's session. Option A is wrong because OAuth scopes are session-scoped, not permanent role assignments. Option C is partially correct in that a user can use inherited privileges, but the scope itself restricts the *primary* role to DATA_SCIENTIST_ROLE rather than allowing unrestricted role switching. Option D is wrong because OAuth scopes have nothing to do with MFA bypass — MFA and OAuth are separate authentication mechanisms.

45 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free