SAP GRC Access Control Interview Questions

Written by Gloria Johnson Thursday, 21 January 2010 18:02 - Last Updated Sunday, 28 March 2010 10:03

1. How many Owners can be assigned to Firefighter ID?

- In 5.2 it is 1:1 and in 5.3 it is 1: Many

2. What is Firefighter Job Name?

- /VIRSAZVFATBAK

3. What T-Code is used for scheduling Jobs?

- SM37

4. What are the types of FF ids?

- User Based and Role Based FF IDs

5. Which type of FF ID is considered as best practice?

- User Based Fire Fighter ID because of User Traceability, Accountability with owner and controller and also considered as best practice for audit purposes.

6. What will happen if an FFID is assigned to more than one user?

- An FFID can be used by only one user at a time. Other users who want to log in need to wait for the user who has already logged in with the FFID. (The user logged in with the FFID will get the message prompt "Another User is attempting to login using FFID, Do you want to end session or continue".)

7. How to schedule job variant in FF?

- Schedule the job and fill in all the details as asked in SM37, then go to the menu and choose Save Variant As. Give it a name and save it.

8. How do you schedule Batch Risk Analysis Jobs in CC?

- Make Org Rule Setting = Yes in Configuration under additional setting and schedule the batch risk analysis jobs again

9. SAP pre-defined rule set in CC?

- Global Rule Set. If you need a Custom Rule Set, it can also be created.

10. Which job sequences are involved in CC?

- User sync, Role sync, Profile sync

- User level analysis, Role level analysis, Profile level analysis

- Critical actions and management report update.

11. How can we have Custom rule set for Org level along with Global rule set in CC?

- Go to Configuration -> Yes, then do the mapping along with the Global rule set. For example, if you have a company code for India, we can do an Org-level rule set for this scenario.

12. How do I remediate if I have Sales issues in CC?

- Go to mitigation control Sales Check for business process Sales.

13. What if management pie chart is broken in CC?

- You have to check that IGS (Internet Graphic Server) is properly set. If not, Basis will do the IGS setting.

14. Have you ever worked with Alerts in CC?

- Critical actions and permissions are set in Alerts, so whenever a user runs critical transactions, an alert is sent to the user and the business owner.

15. What is the process for manually generating Rule Set in CC?

- Tab Rule Architect Function Create Func1 with Tcodes and Func2 with tcodes then save. Put these functions in Business process then do mapping with functions and Risk ID and henceforth Rule is generated.

16. What if auditors are sitting with you and found conflicts in 5 roles in CC?

- Will do a simulation and check each role. Usually a single-role simulation will not generate any conflict compared to a simulation combining the 5 roles.

17. Can one Risk ID have multiple Controls in CC?

- No, Risk ID cannot have multiple controls but it can be vice versa.

18. What could be the reason for a performance slowdown in CC?

- To tune up CC we need to apply 3 notes

- 7239009 Netweaver notes

- 1044173 GRC

- 1044174 GRC

19. What could be the reason if you can't see authobject in CC, and what is the solution for this?

- You need to upload the files from two programs in SAP system.

The programs end with Sapobj and Sapobt. (Refer to CC post installation steps for details)

20. How do you integrate CC with AE?

- Using web services we integrate CC with AE.

21. What were the challenges faced in CC in your past experience?

- Configuration challenges.

- User language issue.

- Remediation was challenge

- Assignment of mitigation controls without affecting the business.

- Performance issue

- Management reports

22. How to use RT (Risk Terminator)?

- RT comes along with CC; the config part is done in backend (SAP) level.

23. What are the types of Authentication source in AE?

- SAP, LDAP, UME, Portal, Legacy Systems (an adapter is a must for legacy systems to connect with AE)

24. How is Risk analysis done in AE?

- It is done manually by clicking on Risk Analysis.

25. How do you resolve Multiple initiator default error in AE?

- For this, the values of both initiators should be unique; if not, change the values of both initiators.

26. Where do you get Role Data Source from in AE?

- Role Data Source is extracted from RE (Role Expert) or SAP system.

27. What is the reason if emails are not received or sent in AE?

- Server Time is not set properly.

28. How familiar are you with remediation in AE other than CC?

- Go to Risk Analysis Risk Mitigate -> Mitigate control -> Assign mitigation control.

PS: If you don't do risk analysis in AE and it's already done in CC, you will face audit issues as in CC it will show no conflicts but in AE it will show conflicts.

29. What do you mean by guided workflow?

--It is when the web shows the steps / stages within the workflow. The entire WF is shown as a pictorial guide, where you can see which steps follow your current step.

30. Will you be needing any functional guy to work on GRC?

--Yes. If we have to customize rules, we need functional people from each functional module like SD, FI, MM to let us know what is critical for their business and what their process is. We can guide them, but they have to provide the subject matter.

31. Transaction to execute FF?

32. You should be able to run management reports?

--Auditors, Manager, Security

33. Does version 5.2 have a launchpad?

--NO

34. Key features of 5.3?

--Single Access Control Launch Pad Supporting Single Sign-On

User Access Review (Manager/Role Owner)

SOD Management by Exception (Manager/Risk Owner)

Mitigation Reaffirm

- Cross Platform :

Compliant provisioning for Oracle, PeopleSoft and JD Edwards (Greenlight)

HR triggers for PeopleSoft HR

Password resets for Oracle, PeopleSoft, JD Edwards

- New Authorization Concept :

SoD risk analysis and compliant provisioning for SAP Enterprise Portal and UME

35. Does RE generate Roles as well in backend?

--Yes. ERM 5.3 does.

36. How to overcome false positives?

--By setting up org rules in CC/RAR.

37. What should be the frequency of FF jobs?

--Hourly.

38. Types of FF users?

--Administrator, Owner and Firefighter. Another type of user is Controller, which is assigned the owner role.

39. Types of FF reports?

Firefighter ID Log Summary Report

Reason/Activity Report

Transaction Usage Report

Invalid Firefighter IDs/Owners/Cntrl Report

SOD Conflicts reports

40. Should the entire GRC suite be on same server?

-- Usually yes. It would work on separate servers as well, but the recommendation is the same Java stack for all 4 web products.

41. How would you mitigate risks in CC?

--You can mitigate risk at user level and role level by running risk analysis.

The Tcodes having SOD conflicts can be removed, or a mitigating control can be assigned.

42. Key difference between FF 4.0 and 5.x?

-- 4.0 is ABAP Based and 5.X is java based (only reports)

4.0 assignment, usage, config and reports is in backend

5.X only reports are in front-end.

43. Can you install GRC products as well?

-- Basis guy is required.

44. Software requirements for CC?

--

45. Hardware requirements for entire GRC suite to be installed on same server?

--

46. Transaction for RE 4.0 (ABAP based)?

--

47. Migration from CC 5.2 to 5.3?

--

48. Data Archiving process?

--Archiving is done through Conversion Utility; it converts tables of 5.2 as per schema of 5.3

49. What are 3 roles in AE used to distinguish between users and their job roles?

--AEApprover, AESecurity, AEAdmin

50. What is UME?

-- User Management Engine. With UME you can leverage existing user data repositories in your system infrastructure by connecting to them using configurable persistence adapters. You can read data from and write data to multiple data sources in parallel.

51. Authentication system for CC?

--

52. Can connectors be deleted?

-- Yes, with delete scripts but not directly.

53. Background jobs throwing error, logs show JCO error?

-- Check with basis to test JCO connections created in NWA.

54. Where to setup mail server setting for GRC?

--Visual Admin (NetWeaver Admin job)

55. Which IDMs does GRC integrate with?

-- Sun IDM, SAP IDM, Novell, LDAP Active Directory, IBM Tivoli.

56. What is password self service in AE?

--Service which enables AE end users to directly change their password without having to create a request.

57. Explain in brief the process to create WF in AE?

--

58. From where does AE pull manager information?

-- From Data source mentioned in AE Config

59. Does AE integrate with CC?

-- Yes

60. Which all products does CUP integrate within GRC suite?

-- Yes it integrates with all.

61. What is launchpad? Which version is it available in?

-- The URLs to log in to all GRC products are in a single Launchpad, and it is available in 5.3.

62. SAP logger and Java logger where to setup in CC?

-- Config miscellaneous

63. Alerts settings in CC?

-- Config miscellaneous

64. Steps for Mitigation control creation in CC?

-- Create Name Business Process -> Mitigation Approver -> Risk ID -> Email address of Approver

65. Approvals required for creation of FF ids?

-- Project Manager, Business Process Owner, Security.

66. How to use CC for remediation of risks?

-- Modify the role or mitigate them.

67. Who should be given access to reports in AE?

--Auditors and AE Admin

68. Which all languages does GRC suite support?

--

69. What is default GRC language?

-- English

70. How to set up connectors?

--

71. How to activate BC sets in backend for GRC suite?

-- TCode SCPR1-2-3 for Business Configuration (BC)

72. How to make GRC talk to SAP systems.

-- Install RTAs on backend, Activate BC sets, In front end you need to create connectors.

73. How closely does GRC help solve SOD complexities?

--

74. How can organization benefit from GRC?

--

75. Does CC make life of security person easy? HOW?

--

76. Challenges faced in AE implementations?

-- Connectors, Connectors Name, Workflow, Initiators, Role imports, Request Creation, Integration with CC during Risk Analysis

77. Why should I use ERM instead of pfcg?

--ERM is used for reporting and audit. It integrates with AE (Role Creation Workflow) and takes a proactive approach, checking SODs before the roles are created and assigned.

78. Does RE replace pfcg?

-- No. We still need PFCG, as RE does not generate the role.

79. Steps for ERM implementation?

--

80. What web services are required in GRC?

--Refer: Guide

81. Where can you find informer reports in AE?

In the Informer tab: 1) Analytical report & 2) Chart

82. What is understood by provisioning?

User creation plus role assignment in the SAP system.

83. Types of provisioning?

1) Direct 2) Indirect a) Position b) Job c) Combined

84. Which all SAP systems does GRC support?

It supports all systems but there is no rule set for MDM and BI

85. How does BI talk to GRC?

It is not part of the software; you have to get it externally.

86. Steps for end to end provisioning?

87. Remediation and mitigation: are they different?

88. Target audience for GRC validation testing?

-- End-users, Auditors, Security, Business process, Owner and for Basis Installation.

89. Target audience for GRC implementation?

-- For CC you need Security Architect & Business process owner (Finance, Sales).

And for AE you need Production Manager (IT)

90. Does GRC support legacy systems?

-- Yes, it supports legacy systems.

91. What is understood by cross system analysis?

-- If a user has access to multiple environments (e.g. HR, R3, SRM) and has a different role in each environment, an analysis run on that particular user is called cross system analysis (only for users).

92. Does GRC support portal provisioning?

Yes

93. How would you set up SSO for GRC?

There is a SAP note for that.

94. Tcode for recreating RFC?

SM59

95. What kind of users are used in connectors of GRC suite?

Communication User.

96. What is the maximum number of Workflows that the AE application can allow you to create?

It is always to have minimum number of work flow from 56 but organization can have as many they want.

97. Any basic WF you have made in the past? How did you reach the decision to create that particular WF?

Manager--Role owner-- IT Security.

98. Whom should you involve for WF creation?

99. What is WF blue-printing?

Follow the flow chart and further take the help of the Management.

Documents are kept in blue print.

100. What is auto-provisioning?

--

101. Why do we need CC?

For cleaning the system.

102. We have SAP MDM system, does GRC have rule set for that?

1) Yes. 2) No.

103. Does GRC have rule set for BI?

No.

104. What do you mean by global ruleset?

Default rule set given by which has everything. Almost all Txn & AObject covered.

105. Transaction for CC 4.0?

Virsa/ZVRAT

106. What do you mean when we say we need to upgrade java package?

You need to upgrade the 5x of the web based side and not the RTA.

RTA- Real Time Agent

107. Who is responsible to restart J2EE server?

Netweaver Java basis administrator.

108. Which type of connector is advisable SAP JCO / RFC connection?

JCO connector, but for SAP HR you need an RFC connection.

109. Key configurations for CC?

Connectors, Rule set, mitigation controls, background jobs.
